
Stowaway is a multi-hop proxy tool for security researchers and pentesters.
Users can easily proxy their network traffic to intranet nodes (across multiple layers), break through network restrictions and manage all the nodes under their control XD
PS: Thanks for everyone's stars. I'm just an amateur and the code still needs to be optimized, so if you find anything wrong or any bugs, feel free to tell me; PRs and issues are welcome :kissing_heart:.
PPS: Please read the usage instructions and the precautions at the end of the article before use!
This tool is limited to security research and teaching; the user bears all legal and related responsibilities arising from the use of this tool! The author does not assume any legal or related responsibility!
Run make to compile the complete set of multi-platform programs, or check the Makefile to compile a specific type of program.

Stowaway has two kinds of roles:
- admin: the master, used by the penetration tester
- agent: the slave, deployed by the penetration tester
admin parameters:
-l Listening address in passive mode [ip]:<port>
-s node communication encryption key; all nodes (admin && agent) must use the same key
-c target node address under active mode
--socks5-proxy socks5 proxy server address
--socks5-proxyu socks5 proxy server username (optional)
--socks5-proxyp socks5 proxy server password (optional)
--http-proxy http proxy server address
--down downstream protocol type, default is bare TCP traffic, optional HTTP
agent parameters:
-l Listening address in passive mode [ip]:<port>
-s node communication encryption key; must match the key used by the admin
-c target node address under active mode
--socks5-proxy socks5 proxy server address
--socks5-proxyu socks5 proxy server username (optional)
--socks5-proxyp socks5 proxy server password (optional)
--http-proxy http proxy server address
--reconnect reconnect time interval (seconds)
--rehost the IP address to be reused (port reuse)
--report the port number to be reused (port reuse)
--up upstream protocol type, default is bare TCP traffic, optional HTTP
--down downstream protocol type, default is bare TCP traffic, optional HTTP
--cs platform's console encoding type,default is utf-8,optional gbk
-l: can be used on admin && agent, only in passive mode.
If you do not specify an IP address, the default listening address is 0.0.0.0, i.e. all interfaces; bind to a specific address when the node only needs to be reachable on one of them.
admin: ./stowaway_admin -l 9999 or ./stowaway_admin -l 127.0.0.1:9999
agent: ./stowaway_agent -l 9999 or ./stowaway_agent -l 127.0.0.1:9999
-s: can be used on admin && agent, in both active && passive mode.
This parameter is optional. If it is not set, the communication is not encrypted (node traffic is cleartext on the wire); otherwise it is encrypted with the key given by the user, so set it in practice and use the same key on every node.
admin: ./stowaway_admin -l 9999 -s 123
agent: ./stowaway_agent -l 9999 -s 123
-c: can be used on admin && agent, only in active mode.
Declares the address of the node you want to connect to.
admin: ./stowaway_admin -c 127.0.0.1:9999
agent: ./stowaway_agent -c 127.0.0.1:9999
--socks5-proxy, --socks5-proxyu, --socks5-proxyp, --http-proxy: these four parameters can be used on admin && agent, only in active mode.
--socks5-proxy is the address of the socks5 proxy server to connect through; --socks5-proxyu and --socks5-proxyp are its optional username and password.
--http-proxy is the address of the http proxy server; the usage is the same as for socks5.
No username and password:
admin: ./stowaway_admin -c 127.0.0.1:9999 --socks5-proxy xxx.xxx.xxx.xxx
agent: ./stowaway_agent -c 127.0.0.1:9999 --socks5-proxy xxx.xxx.xxx.xxx
Username and password:
admin: ./stowaway_admin -c 127.0.0.1:9999 --socks5-proxy xxx.xxx.xxx.xxx --socks5-proxyu xxx --socks5-proxyp xxx
agent: ./stowaway_agent -c 127.0.0.1:9999 --socks5-proxy xxx.xxx.xxx.xxx --socks5-proxyu xxx --socks5-proxyp xxx
--up, --down: these two parameters can be used on admin && agent, in both active && passive mode.
Note that there is no --up parameter on admin, since the admin is the top of the chain.
Both are optional. If they are not set, the upstream/downstream traffic is bare TCP.
If you want the upstream/downstream traffic to be wrapped in HTTP, just set them to http:
admin: ./stowaway_admin -c 127.0.0.1:9999 --down http
agent: ./stowaway_agent -c 127.0.0.1:9999 --up http or ./stowaway_agent -c 127.0.0.1:9999 --up http --down http
**Note that when you set a node's --down (or --up) to TCP/HTTP, the --up of its child node (or the --down of its parent node) must be set to the same protocol!**
Like this:
admin: ./stowaway_admin -c 127.0.0.1:9999 --down http
agent: ./stowaway_agent -l 9999 --up http
In the above case the agent must set --up to http; otherwise the connection fails with network errors.
The rule between admin and agent is the same as between agent and agent.
Suppose agent-1 is waiting for the connection of a child node on 127.0.0.1:10000 and --down http is set.
Then agent-2 must also set --up to http, otherwise it will cause network errors:
./stowaway_agent -c 127.0.0.1:10000 --up http

--reconnect: can be used on agent, only in active mode.
This parameter is optional. If it is not set, the node will not actively reconnect after the connection is lost. Otherwise the node tries to reconnect to its parent node every x seconds (the number you set).
admin: ./stowaway_admin -l 9999
agent: ./stowaway_agent -c 127.0.0.1:9999 --reconnect 10
In the above case, if the connection between the agent and the admin is lost, the agent tries to reconnect to the admin every ten seconds.
The rule between admin and agent is the same as between agent and agent.
--reconnect can be combined with --socks5-proxy/--socks5-proxyu/--socks5-proxyp/--http-proxy: the agent keeps the proxy settings it was started with and reconnects through that proxy when the parent node disconnects.
--rehost, --report: these two parameters are special and can only be used on the agent side. For details, see the port reuse mechanism below.
--cs: can be used on agent, in both active && passive mode.
This parameter solves garbled characters between platforms. When the agent runs on a platform whose console encoding is gbk (such as Windows in general) while the admin runs on a platform whose console encoding is utf-8, be sure to set this parameter to 'gbk':
- Windows: ./stowaway_agent -c 127.0.0.1:9999 -s 123 --cs gbk
Stowaway currently provides two port reuse functions: one is based on the SO_REUSEPORT/SO_REUSEADDR socket options and the other is based on iptables.
SO_REUSEPORT/SO_REUSEADDR
Assume the agent side uses this mechanism to reuse port 80.
To do this, the agent must set the --rehost, --report and -s parameters at startup:
--rehost is the IP address you want to reuse; it cannot be 0.0.0.0 and should generally be the address of the external network interface
--report is the port you want to reuse
-s is the communication key
This mode mainly supports Windows and macOS; Linux is also possible but has more restrictions.
admin: ./stowaway_admin -c 192.168.0.105:80 -s 123
agent: ./stowaway_agent --report 80 --rehost 192.168.0.105 -s 123
IPTABLES
Assume the agent side uses the iptables mechanism to reuse port 22.
To do this, the agent must set the -l, --report and -s parameters at startup:
-l is the port that cannot normally be reached from outside; in other words, it is the port the agent really listens on and accepts connections on, and connections arriving at the reused port are diverted to it
--report is the port you want to reuse
-s is the communication key
This method only supports Linux; the agent manipulates iptables automatically, so root permission is required.
agent: ./stowaway_agent --report 22 -l 10000 -s 123
After the agent is started like this, first use reuse.py in the script directory:
Set the value of SECRET (the communication key, i.e. the value of the -s option).
Then execute: python reuse.py --start --rhost xxx.xxx.xxx.xxx --rport 22
--rhost is the address of the agent
--rport is the port to be reused, in this case 22
At this point the admin can connect to this agent: ./stowaway_admin -c xxx.xxx.xxx.xxx:22 -s 123
The above only shows the connection between the admin and an agent; the connection between agents works exactly the same way.
If the node is killed with ctrl-c or the kill command, it cleans up its iptables rules automatically. If it is killed with kill -9 it cannot, and the service originally running on the reused port becomes unreachable. To recover from this situation, reuse.py also provides a function that stops the port reusing.
To stop port reusing, run reuse.py like this: python reuse.py --stop --rhost 192.168.0.105 --rport 22
The port reusing is then closed and the service originally running on the reused port can be reached again.
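The kill -9 case above is worth being able to handle without reuse.py at hand. The script below is an added example written for this page, not Stowaway's own code and not its reuse.py: it generates the iptables rules for a knock-and-redirect style port reuse, the inverse commands to tear them down, and a check over an `iptables-save` dump for leftovers. The rule shape (a packet carrying the secret puts the source address in a "recent" list, later SYNs from listed sources are redirected to the agent's real listen port), the chain name STOWAWAY_REUSE, the list name stowaway_knock and the 3600-second window are assumptions; the page does not show the rules the agent actually installs.

```shell
#!/bin/sh
# Added example, not Stowaway's own code: generate, inspect and tear down the
# iptables rules behind knock-and-redirect port reuse, so they can be removed
# by hand after a `kill -9` of the agent.
# ASSUMPTION: the rule shape below is the common technique; the exact rules
# Stowaway's agent installs are not shown on the page. Chain/list names and
# the time window are placeholders chosen here.
CHAIN=STOWAWAY_REUSE
LIST=stowaway_knock
TTL=3600   # seconds a knocked source stays redirected (assumed value)

# reuse_start REPORT LISTEN SECRET: print the rules that divert REPORT to LISTEN.
# SECRET must not contain a single quote (it is single-quoted in the rule).
reuse_start() {
    report=$1; listen=$2; secret=$3
    cat <<EOF
iptables -t nat -N $CHAIN
iptables -t nat -A $CHAIN -p tcp -j REDIRECT --to-ports $listen
iptables -I INPUT -p tcp --dport $report -m string --string '$secret' --algo bm -m recent --set --name $LIST --rsource -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport $report --syn -m recent --rcheck --seconds $TTL --name $LIST --rsource -j $CHAIN
EOF
}

# reuse_stop REPORT LISTEN SECRET: the exact inverse, in the order iptables
# accepts it (rules referencing the chain first, then flush and delete it).
reuse_stop() {
    report=$1; secret=$3
    cat <<EOF
iptables -t nat -D PREROUTING -p tcp --dport $report --syn -m recent --rcheck --seconds $TTL --name $LIST --rsource -j $CHAIN
iptables -D INPUT -p tcp --dport $report -m string --string '$secret' --algo bm -m recent --set --name $LIST --rsource -j ACCEPT
iptables -t nat -F $CHAIN
iptables -t nat -X $CHAIN
EOF
}

# reuse_leftovers REPORT < dump: exit 0 if an `iptables-save` dump on stdin
# still carries reuse rules for REPORT (what a `kill -9` leaves behind).
reuse_leftovers() {
    grep -E -- "-j $CHAIN|--name $LIST" | grep -q -- "--dport $1"
}

# reuse_apply start|stop REPORT LISTEN SECRET: run the rules as root, or only
# print them when DRY_RUN is non-empty.
reuse_apply() {
    action=$1; shift
    "reuse_$action" "$@" | if [ -n "$DRY_RUN" ]; then cat; else sh -e; fi
}

# Constructed iptables-save fragment, as if the agent had died with rules in place.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:STOWAWAY_REUSE - [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 --syn -m recent --rcheck --seconds 3600 --name stowaway_knock --rsource -j STOWAWAY_REUSE
-A STOWAWAY_REUSE -p tcp -j REDIRECT --to-ports 10000
COMMIT'

# Stand-alone run: print the plan without touching the firewall.
DRY_RUN=${DRY_RUN:-1}
reuse_apply start 22 10000 123
printf '%s\n' "$SAMPLE_SAVE" | reuse_leftovers 22 && reuse_apply stop 22 10000 123
```

On a real agent host, `iptables-save | reuse_leftovers 22` after a crash tells you whether anything is still diverting the port; the dump itself is the authoritative view, so if the agent's rules differ from the assumed shape, adapt the stop commands to the rule text you find there before running them as root with DRY_RUN unset.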
Note that in this mode the agent listens on 0.0.0.0, and you cannot specify ip+port with the -l option.

As you can see from the above examples, only the admin and one agent are present.
But the multi-level network is the core of Stowaway.
In Stowaway, forming a multi-level network requires the listen, connect and sshtunnel commands in the admin.
Here is a simple example
admin: ./stowaway_admin -l 9999 -s 123
agent-1: ./stowaway_agent -c 127.0.0.1:9999 -s 123
At this time agent-1 has connected to the admin.
If the user also wants to add agent-2, started as follows:
agent-2: ./stowaway_agent -l 10000 -s 123
Then the user can enter use 0 -> connect agent-2's IP:10000 through the admin to add agent-2 to the network as a child node of agent-1.
After that, if the user wants to add another node agent-3 too, but agent-3 cannot be reached from agent-1,
the user can enter use 0 -> listen through the admin -> select 1.Normal Passive -> enter 10001, so that agent-1 listens on port 10001 and waits for the connection of a child node.
After the admin operation is completed, agent-3 can be started as follows
./stowaway_agent -c 127.0.0.1:10001 -s 123
Then agent-3 is added to the network as another child node of agent-1.
For a detailed introduction of listen and sshtunnel, please check the command analysis below
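Both the --up/--down consistency rule and the multi-level example above are easy to get wrong once a chain has more than two nodes, so it pays to write the chain down and check it before starting anything. The script below is an added example for this page, not Stowaway's own tooling: it takes a constructed chain description (one node per line, fields separated by |), reports every parent/child pair whose --down and --up differ or an admin that was given --up, and prints the start command for each node with only the non-default protocol flags. The node names, addresses and the key 123 are placeholders.

```shell
#!/bin/sh
# Added example, not Stowaway's own code: describe a planned chain and check
# the --up/--down rule from the README before starting any node.
# One node per line, fields separated by '|':
#   name|address option as it will be typed|up|down
# up/down are "tcp" (the default, no flag emitted), "http", or "-" (unused:
# the admin has no --up; a leaf agent has no --down). Addresses are placeholders.
CHAIN='
admin|-l 9999|-|http
agent-1|-c 127.0.0.1:9999|http|tcp
agent-2|-c 127.0.0.1:10000|tcp|-
'

# check_chain "$CHAIN": print one line per violation; exit 0 when every
# parent --down matches its child --up and the admin carries no --up.
check_chain() {
    printf '%s\n' "$1" | awk -F'|' '
    NF < 4 { next }
    $1 == "admin" && $3 != "-" {
        print "admin: there is no --up option on the admin"; bad++
    }
    prev != "" && prev_down != $3 {
        printf "%s --down %s but %s --up %s: set both to the same protocol\n", prev, prev_down, $1, $3
        bad++
    }
    { prev = $1; prev_down = $4 }
    END { exit (bad > 0) }'
}

# chain_commands "$CHAIN" KEY: the start line for every node, with the shared
# key and only the protocol flags that differ from the TCP default.
chain_commands() {
    printf '%s\n' "$1" | awk -F'|' -v key="$2" '
    NF < 4 { next }
    {
        bin = ($1 == "admin") ? "./stowaway_admin" : "./stowaway_agent"
        cmd = bin " " $2 " -s " key
        if ($3 == "http") cmd = cmd " --up http"
        if ($4 == "http") cmd = cmd " --down http"
        print $1 ": " cmd
    }'
}

# Constructed counter-example: the admin speaks HTTP downstream but agent-1
# was left on the TCP default, the mistake the README warns about.
BAD_CHAIN='
admin|-l 9999|-|http
agent-1|-c 127.0.0.1:9999|tcp|tcp
'

# Stand-alone run: refuse to print commands for an inconsistent chain.
check_chain "$CHAIN" && chain_commands "$CHAIN" 123
check_chain "$BAD_CHAIN" || echo "BAD_CHAIN rejected as expected"
```

The address field is passed through untouched, so a node that will later be given a listener through the admin's listen command (agent-1 above, which receives agent-2 on port 10000) is still described by its own -c line; only the protocol it will speak downstream matters for the check.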
Stowaway currently supports multiple ways of reconnecting, briefly summarized as follows.
First of all, when the parent node goes offline, only one kind of node exits voluntarily: a node in active mode that was started without any reconnection setting.
If reconnection setting is set, the node will try to reconnect in the specified time i