I Need A Tunnel ASAFP

You need a tunnel, not my life story.

You need a tunnel

This is the as-quick-as-possible guide to getting a SOCKS proxy (forward tunnel + SOCKS server) running on a target so you can do whatever weird thing you're doing. From start to finish, it should take about 5-10 minutes. I am assuming you already have a domain and a valid SSL certificate. There are 6 steps:

Assumptions:

  • Docker is installed

  • You already have SSL certificates

Steps:

  1. Install and start gserver

  2. Build a gclient

  3. Build or download the gtuncli

  4. Register the client with the server

  5. Start client on the remote host

  6. Add the tunnel and socks server

Install and start gserver

First, install redis, pull down the latest gtunnel server image, and create the two directories the container mounts. Make sure port 443 is open on your host:

apt install redis
docker pull hotnops/gtunnel-server:latest
mkdir logs
mkdir tls

If you have certificates from Let's Encrypt or similar, put them in the tls folder that gets mounted into the container and name the key and certificate "key" and "cert", respectively:

mv myletsencryptkey.key tls/key
mv myletsencryptcert.cert tls/cert

Or, if you don't have a certificate, generate a self-signed one:

cd tls
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out cert -keyout key
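Before mounting the tls directory, it is worth checking that the files carry the names gserver expects, that the private key actually belongs to the certificate, and that the certificate has not expired. The shell functions below are an added example, not part of gtunnel; they assume the openssl CLI is installed, and the CN in the non-interactive self-signed helper is a placeholder.

```shell
# check_tls_dir DIR: verify DIR/key and DIR/cert are present, matching, and
# not expired. Returns non-zero (with a reason on stderr) on any failure.
check_tls_dir() {
    dir="${1:-tls}"
    for f in key cert; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            return 1
        fi
    done
    # Compare the public key embedded in the cert with the one derived
    # from the private key; a mismatch means the TLS handshake will fail.
    cert_pub=$(openssl x509 -in "$dir/cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $dir/cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$dir/key" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $dir/key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key/cert mismatch in $dir" >&2
        return 1
    fi
    # -checkend 0 exits non-zero if the certificate is already expired.
    if ! openssl x509 -in "$dir/cert" -noout -checkend 0 >/dev/null; then
        echo "certificate in $dir has expired" >&2
        return 1
    fi
    echo "tls directory $dir looks good"
}

# make_selfsigned_tls DIR: non-interactive form of the openssl command from
# the guide (that one prompts for subject fields). CN is a placeholder;
# replace it with the hostname clients will connect to.
make_selfsigned_tls() {
    dir="${1:-tls}"
    mkdir -p "$dir"
    openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
        -subj "/CN=gserver.example" -out "$dir/cert" -keyout "$dir/key" 2>/dev/null
}
```

Run `check_tls_dir tls` from the directory you will start the container in; a non-zero exit means the container would come up with a broken TLS listener.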

Next, start the container from the directory that contains the tls and logs directories:

docker run --net host -v $PWD/logs:/logs -v $PWD/tls:/tls --name gtun-server hotnops/gtunnel-server

Build a client

If you haven't already, clone the source from GitHub:

git clone https://github.com/hotnops/gtunnel.git gtunnel
cd gtunnel

Run the build client script. The first run might take a minute since it needs to build the Docker image:

./build_client.sh -arch x64 -bintype exe -ip <public ip of gserver> -name asafp -outputfile asafp.exe -platform win

There should now be an executable named asafp.exe in the build directory. This is the binary that gets deployed to the remote host.

Build or download the gtuncli

You have two options to obtain the gtuncli: build it or download it.

To build it, run:

./build_gtuncli.sh

and the gtuncli binary will be in the build/ folder. Alternatively, download the gtuncli artifact from the most recent GitHub Action, located here:

https://github.com/hotnops/gtunnel/actions

Register the client with the server

The gserver instance you stood up in step 1 needs to be aware of the client you built in step 2. If you want an explanation of why this step is separate, go to the actual instructions; I'm just trying to get you up and running. For the clientregister command, the only required parameter is token, which is used for keying. Every other parameter is for readability:

export GTUNNEL_HOST=<IP OF GSERVER>
export GTUNNEL_PORT=1337  # You can change this, but it's 1337 by default
./gtuncli clientregister -arch x64 -bintype exe -host <ip or hostname of gserver> -name asafp -platform win -token <token output from client build step>

Start the client on the remote host

It is now time to run the client on the remote host. Once it connects, you should see a corresponding message in the server logs. If the client is an exe, start it however you would start any other exe. If it's a DLL, the exported entry point is "ExportedMain".

Add the tunnel and socks server

Last step. You now need to tell the client that you want to set up a forward tunnel and a SOCKS server. First, you need the client instance ID. You can get that by listing all the connected clients:

./gtuncli clientlist

Using the unique ID in the output, add a tunnel to that instance:

./gtuncli tunnelcreate -clientid <id from previous step> -destinationip 127.0.0.1 -destinationport 4444 -listenip 127.0.0.1 -listenport 5555

This forwards all traffic arriving on localhost port 5555 to port 4444 on the target's localhost. Lastly, start a SOCKS server on the remote host and have it listen on port 4444:

./gtuncli socksstart -clientid <id from previous step> -port 4444

Obviously, change the port numbers to fit your environment. You now have a forward tunnel / SOCKS proxy. At this point, configure your web browser or proxychains to use localhost port 5555 and browse away.
