Home

Awesome

Secure Socket Funneling

Secure Socket Funneling (SSF) is a network tool and toolkit.

It provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer.

SSF is cross platform (Windows, Linux, OSX) and comes as standalone executables.

Features:

Download prebuilt binaries

Documentation

Build on Windows

Build on Unix/Linux

Cross compiling SSF (e.g. Raspberry Pi)

How to use

Command line

Client

Usage: ssf[.exe] [options] server_address

Options:

Services options:

Server

Usage: ssfd[.exe] [options]

Options:

Copy

The copy feature must be enabled on both client and server configuration file:

{
  "ssf": {
    "services": {
      "copy": { "enable": true }
    }
  }
}

Usage: ssfcp[.exe] [options] [host@]/absolute/path/file [[host@]/absolute/path/file]

Options:

Examples

Client

The client will run a SOCKS proxy on port 9000 and transfer connection requests to the server 192.168.0.1:8000

ssf -D 9000 -c config.json -p 8000 192.168.0.1

Server

The server will be bound to port 8011 on all the network interfaces

ssfd

The server will be bound to 192.168.0.1:9000

ssfd -p 9000 -l 192.168.0.1

Copy local file to remote filesystem

ssfcp [-c config_file] [-p port] path/to/file host@absolute/path/directory_destination
ssfcp [-c config_file] [-p port] path/to/file* host@absolute/path/directory_destination
ssfcp [-c config_file] [-p port] -r path/to/dir host@absolute/path/directory_destination

Pipe file from standard input to remote filesystem

data_in_stdin | ssfcp [-c config_file] [-p port] -t host@path/to/destination/file_destination

Copy remote files to local filesystem :

ssfcp [-c config_file] [-p port] remote_host@path/to/file absolute/path/directory_destination
ssfcp [-c config_file] [-p port] remote_host@path/to/file* absolute/path/directory_destination
ssfcp [-c config_file] [-p port] -r remote_host@path/to/dir absolute/path/directory_destination

Configuration file

{
  "ssf": {
    "arguments": "",
    "circuit": [],
    "http_proxy": {
      "host": "",
      "port": "",
      "user_agent": "",
      "credentials": {
        "username": "",
        "password": "",
        "domain": "",
        "reuse_ntlm": true,
        "reuse_nego": true
      }
    },
    "socks_proxy": {
      "version": 5,
      "host": "",
      "port": "1080"
    },
    "tls" : {
      "ca_cert_path": "./certs/trusted/ca.crt",
      "cert_path": "./certs/certificate.crt",
      "key_path": "./certs/private.key",
      "key_password": "",
      "dh_path": "./certs/dh4096.pem",
      "cipher_alg": "DHE-RSA-AES256-GCM-SHA384"
    },
    "services": {
      "datagram_forwarder": { "enable": true },
      "datagram_listener": {
        "enable": true,
        "gateway_ports": false
      },
      "stream_forwarder": { "enable": true },
      "stream_listener": {
        "enable": true,
        "gateway_ports": false
      },
      "copy": { "enable": false },
      "shell": {
        "enable": false,
        "path": "/bin/bash|C:\\windows\\system32\\cmd.exe",
        "args": ""
      },
      "socks": { "enable": true }
    }
  }
}

Arguments

Configuration keyDescription
argumentsuse configuration arguments instead of given CLI arguments (except -c)

The arguments key lets the user customize the command line arguments in the configuration file. This feature is a convenient way to save different client connection profiles.

Given the following configuration file conf.json:

{
  "ssf": {
    "arguments": "10.0.0.1 -p 443 -D 9000 -L 11000:localhost:12000 -v debug"
  }
}

SSF will extract the given arguments and use them as a replacement of the initial arguments (except -c).

For example, ssf -c conf.json will be equivalent to ssf 10.0.0.1 -p 443 -D 9000 -L 11000:localhost:12000 -v debug:

Circuit

Configuration keyDescription
circuitrelay chain servers used to establish the connection to the remote server

The circuit is a JSON array containing the bounce servers and ports which will be used to establish the connection. They are listed as follow:

{
  "ssf": {
    "circuit": [
      {"host": "SERVER1", "port":"PORT1"},
      {"host": "SERVER2", "port":"PORT2"},
      {"host": "SERVER3", "port":"PORT3"}
    ]
  }
}

This configuration will create the following connection chain:

CLIENT -> SERVER1:PORT1 -> SERVER2:PORT2 -> SERVER3:PORT3 -> TARGET

Proxy

SSF supports connection through:

HTTP proxy
Configuration keyDescription
http_proxy.hostHTTP proxy host
http_proxy.portHTTP proxy port
http_proxy.user_agentUser-Agent header value in HTTP CONNECT request
http_proxy.credentials.usernameproxy username credentials (all platform: Basic or Digest, Windows: NTLM and Negotiate if reuse = false)
http_proxy.credentials.passwordproxy password credentials (all platform: Basic or Digest, Windows: NTLM and Negotiate if reuse = false)
http_proxy.credentials.domainuser domain (NTLM and Negotiate auth on Windows only)
http_proxy.credentials.reuse_ntlmreuse current computer user credentials to authenticate with proxy NTLM auth (SSO)
http_proxy.credentials.reuse_kerbreuse current computer user credentials (Kerberos ticket) to authenticate with proxy Negotiate auth (SSO)

Supported authentication schemes:

SOCKS proxy
Configuration keyDescription
socks_proxy.versionSOCKS version (4 or 5)
socks_proxy.hostSOCKS proxy host
socks_proxy.portSOCKS proxy port

No authentication scheme supported.

TLS

Using external files
Configuration keyDescription
tls.ca_cert_pathrelative or absolute filepath to the CA certificate file
tls.cert_pathrelative or absolute filepath to the instance certificate file
tls.key_pathrelative or absolute filepath to the private key file
tls.key_passwordkey password
tls.dh_pathrelative or absolute filepath to the Diffie-Hellman file (server only)
tls.cipher_algcipher algorithm

With default options, the following files and folders should be in the working directory of the client or the server:

Where:

If you want those files at different paths, it is possible to customize them thanks to the TLS path keys:

{
  "ssf": {
    "tls" : {
      "ca_cert_path": "./certs/trusted/ca.crt",
      "cert_path": "./certs/certificate.crt",
      "key_path": "./certs/private.key",
      "key_password": "",
      "dh_path": "./certs/dh4096.pem",
      "cipher_alg": "DHE-RSA-AES256-GCM-SHA384"
    }
  }
}
Using configuration file only
Configuration keyDescription
tls.ca_cert_bufferCA certificate file content in PEM format (:warning: \n between data and PEM header/footer)
tls.cert_bufferinstance certificate file content in PEM format (:warning: \n between data and PEM header/footer)
tls.key_bufferprivate key file content in PEM format (:warning: \n between data and PEM header/footer)
tls.key_passwordkey password
tls.dh_bufferDiffie-Hellman parameters file content in PEM format (:warning: \n between data and PEM header/footer, server only)
tls.cipher_algcipher algorithm

You can integrate the TLS parameters directly into the configuration file by using the tls.ca_cert_buffer, tls.cert_buffer, tls.key_buffer and tls.dh_buffer keys.

{
  "ssf": {
    "tls" : {
      "ca_cert_buffer":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
      "cert_buffer":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
      "key_buffer":"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----",
      "key_password": "",
      "dh_buffer":"-----BEGIN DH PARAMETERS-----\n...\n-----END DH PARAMETERS-----",
      "cipher_alg": "DHE-RSA-AES256-GCM-SHA384"
    }
  }
}

Certificates, private keys and DH parameters must be in PEM format. :warning: \n between data and PEM header/footer are mandatory.

Microservices

Configuration keyDescription
services.*.enableenable/disable microservice
services.*.gateway_portsenable/disable gateway ports
services.shell.pathbinary path used for shell creation
services.shell.argsbinary arguments used for shell creation

SSF's features are built using microservices (TCP forwarding, remote SOCKS, ...)

There are 7 microservices:

Each feature is the combination of at least one client side microservice and one server side microservice.

This table sums up how each feature is assembled:

ssf featuremicroservice client sidemicroservice server side
-L: TCP forwardingstream_listenerstream_forwarder
-R: remote TCP forwardingstream_forwarderstream_listener
-U: UDP forwardingdatagram_listenerdatagram_forwarder
-V: remote UDP forwardingdatagram_forwarderdatagram_listener
-D: SOCKSstream_listenersocks
-F: remote SOCKSsocksstream_listener
-X: shellstream_listenershell
-Y: remote shellshellstream_listener

This architecture makes it easier to build remote features: they use the same microservices but on the opposite side.

ssf and ssfd come with pre-enabled microservices. Here is the default microservices configuration:

{
  "ssf": {
    "services": {
      "datagram_forwarder": { "enable": true },
      "datagram_listener": { "enable": true },
      "stream_forwarder": { "enable": true },
      "stream_listener": { "enable": true },
      "socks": { "enable": true },
      "copy": { "enable": false },
      "shell": { "enable": false }
    }
  }
}

To enable or disable a microservice, set the enable key to true or false.

Trying to use a feature requiring a disabled microservice will result in an error message.

How to generate certificates for TLS connections

Manually

Generating Diffie-Hellman parameters

openssl dhparam 4096 -outform PEM -out dh4096.pem

Generating a self-signed Certification Authority (CA)

First of all, create a file named extfile.txt containing the following lines:

[ v3_req_p ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Then, generate a self-signed certificate (the CA) ca.crt and its private key ca.key:

openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650

Generating a private key and a certificate (signed with the CA)

Generate a private key private.key and a certificate signing request certificate.csr:

openssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr

Generate the certificate (certificate.pem) by signing the CSR with the CA (ca.crt, ca.key):

openssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.pem