
github.com/ph4ntonn/Stowaway @v2.2 sqlite

527 symbols 1,500 edges 64 files 33 documented · 6%
README


Stowaway


Stowaway is a multi-hop proxy tool for security researchers and pentesters.

Users can easily proxy their network traffic to intranet nodes (multi-layer), break through restrictions, and manipulate all the nodes under their control XD

PS: Thanks for everyone's stars. I'm just an amateur, and the code still needs to be optimized, so if you find anything wrong or any bugs, feel free to tell me. PRs and issues are welcome :kissing_heart:.

PPS: Please read the usage method and the precautions at the end of the article before use!

This tool is limited to security research and teaching, and the user bears all legal and related responsibilities caused by the use of this tool! The author does not assume any legal and related responsibilities!

Features

  • More user-friendly interaction, support command auto-completion/search history
  • Obvious node topology
  • Clear information display of nodes
  • Active/Passive connection between nodes
  • Support reconnection between nodes
  • Nodes can be connected through socks5/http proxy
  • Nodes can be connected through ssh tunnel
  • TCP/HTTP can be selected for inter-node traffic
  • Multi-hop socks5 traffic proxy forwarding, support UDP/TCP, IPv4/IPv6
  • Nodes can access arbitrary host via ssh
  • Remote shell
  • Upload/download files
  • Port local/remote mapping
  • Port Reuse
  • Open/Close all the services arbitrarily
  • Mutual authentication between nodes
  • Traffic encryption with AES-256-GCM
  • Compared with v1.0, the file size is reduced by 25%
  • Multi-platform support (Linux/Mac/Windows/MIPS/ARM)

Build and Demo

  • Use make to directly compile complete multi-platform programs, or check the Makefile to compile a specific type of program
  • Check the release to get one
  • Demo video: Youtube

Usage

Character

Stowaway has two kinds of characters:

  • admin: The master used by the penetration tester
  • agent: The slave deployed by the penetration tester

Noun definition

  • Node: refers to admin || agent
  • Active mode: Refers to the currently operating node actively connecting to another node
  • Passive mode: Refers to the currently operating node listening to a port and waiting for another node to connect
  • Upstream: Refers to the traffic between the currently operating node and its parent node
  • Downstream: Refers to the traffic between the currently operating node and **all** child nodes

Parameter analysis

  • admin
parameter:
-l Listening address in passive mode [ip]:<port>
-s node communication encryption key, all nodes (admin&&agent) must be consistent
-c target node address under active mode
--socks5-proxy socks5 proxy server address
--socks5-proxyu socks5 proxy server username (optional)
--socks5-proxyp socks5 proxy server password (optional)
--http-proxy http proxy server address
--down downstream protocol type, default is bare TCP traffic, optional HTTP
  • agent
parameter:
-l Listening address in passive mode [ip]:<port>
-s node communication encryption key
-c target node address under active mode
--socks5-proxy socks5 proxy server address
--socks5-proxyu socks5 proxy server username (optional)
--socks5-proxyp socks5 proxy server password (optional)
--http-proxy http proxy server address
--reconnect reconnect time interval
--rehost the IP address to be reused
--report the Port number to be reused
--up upstream protocol type, default is bare TCP traffic, optional HTTP
--down downstream protocol type, default is bare TCP traffic, optional HTTP
--cs platform's console encoding type, default is utf-8, optional gbk

Parameter usage

-l

This parameter can be used on admin && agent, and only in passive mode.

If you do not specify an IP address, the default listening address is 0.0.0.0 (all interfaces)

  • admin: ./stowaway_admin -l 9999 or ./stowaway_admin -l 127.0.0.1:9999

  • agent: ./stowaway_agent -l 9999 or ./stowaway_agent -l 127.0.0.1:9999

-s

This parameter can be used on admin && agent, in both active && passive mode.

This parameter is optional. If it is not set, communication between nodes is not encrypted; otherwise, communication is encrypted based on the key given by the user.

  • admin: ./stowaway_admin -l 9999 -s 123

  • agent: ./stowaway_agent -l 9999 -s 123

-c

This parameter can be used on admin && agent, and only in active mode.

It declares the address of the node you want to connect to.

  • admin: ./stowaway_admin -c 127.0.0.1:9999

  • agent: ./stowaway_agent -c 127.0.0.1:9999

--socks5-proxy/--socks5-proxyu/--socks5-proxyp/--http-proxy

These four parameters can be used on admin && agent, and only in active mode.

--socks5-proxy represents the address of the socks5 proxy server; --socks5-proxyu and --socks5-proxyp are optional.

--http-proxy represents the address of the http proxy server; its usage is the same as for socks5.

No username and password:

  • admin: ./stowaway_admin -c 127.0.0.1:9999 --socks5-proxy xxx.xxx.xxx.xxx

  • agent: ./stowaway_agent -c 127.0.0.1:9999 --socks5-proxy xxx.xxx.xxx.xxx

Username and password:

  • admin: ./stowaway_admin -c 127.0.0.1:9999 --socks5-proxy xxx.xxx.xxx.xxx --socks5-proxyu xxx --socks5-proxyp xxx

  • agent: ./stowaway_agent -c 127.0.0.1:9999 --socks5-proxy xxx.xxx.xxx.xxx --socks5-proxyu xxx --socks5-proxyp xxx

--up/--down

These two parameters can be used on admin && agent, in both active && passive mode.

But note that there is no --up parameter on admin.

These two parameters are optional. If they are not set, the upstream/downstream traffic is bare TCP traffic.

If you want the upstream/downstream traffic to be HTTP traffic, set these two parameters to http.

  • admin: ./stowaway_admin -c 127.0.0.1:9999 --down http

  • agent: ./stowaway_agent -c 127.0.0.1:9999 --up http or ./stowaway_agent -c 127.0.0.1:9999 --up http --down http

**Note that when you set the upstream/downstream of a node to TCP/HTTP traffic, the downstream/upstream traffic of its parent/child node must be set to match!!!**

Like this:

  • admin: ./stowaway_admin -c 127.0.0.1:9999 --down http

  • agent: ./stowaway_agent -l 9999 --up http

In the above case, the agent must set --up to http, otherwise it will cause network errors

The rules between admin and agent are the same as those between agent and agent.

Assume agent-1 is waiting for the connection of a child node on 127.0.0.1:10000, and --down http is set

Then, agent-2 must also set --up to http, otherwise it will cause network errors

  • agent-2: ./stowaway_agent -c 127.0.0.1:10000 --up http

--reconnect

This parameter can be used on agent, and only in active mode.

The parameter is optional. If it is not set, the node will not actively reconnect after the network connection is lost. Otherwise, the node will try to reconnect to the parent node every x seconds (the number of seconds you set).

  • admin: ./stowaway_admin -l 9999

  • agent: ./stowaway_agent -c 127.0.0.1:9999 --reconnect 10

In the above case, if the connection between the agent and the admin is lost, the agent will try to reconnect to the admin every ten seconds.

The rules between admin and agent are the same as those between agent and agent.

The --reconnect parameter can be used together with --socks5-proxy/--socks5-proxyu/--socks5-proxyp/--http-proxy. When the parent node disconnects, the agent will try to reconnect through the proxy based on its own startup settings.

--rehost/--report

These two parameters are quite special and can be only used on the agent side. For details, please check the port reuse mechanism below

--cs

This parameter can be used on agent, in both active && passive mode.

This parameter aims to solve the problem of garbled characters between different platforms. When the agent runs on a platform whose console is encoded as gbk (such as Windows in general) while the admin runs on a platform whose console is encoded as utf-8, be sure to set this parameter to 'gbk'.

  • Windows: ./stowaway_agent -c 127.0.0.1:9999 -s 123 --cs gbk
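The flags listed above also work as a hunting signature over process-creation logs, independent of the binary's file name. The following is an added example, not code from the Stowaway project; the log line format, host names and the `classify`/`hunt` helpers are assumptions made for illustration.

```python
import re
import shlex

# Flags copied from the parameter list above.
CORE = {"-l", "-c", "-s"}
DISTINCTIVE = {"--rehost", "--report", "--socks5-proxy", "--socks5-proxyu",
               "--socks5-proxyp", "--http-proxy", "--reconnect",
               "--up", "--down", "--cs"}
LINE_RE = re.compile(r'host=(\S+) pid=(\d+) cmd="(.*)"$')

# Constructed process-creation records; the log format is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web01 pid=4121 cmd="./stowaway_agent -c 10.0.0.5:9999 -s 123 --reconnect 10"
2024-05-01T10:00:07Z host=web01 pid=4130 cmd="/tmp/upd --report 80 --rehost 192.168.0.105 -s 123"
2024-05-01T10:01:12Z host=db02 pid=988 cmd="nc -l 9999"
2024-05-01T10:02:40Z host=db02 pid=1012 cmd="grep -c error -s /var/log/syslog"
2024-05-01T10:03:05Z host=db02 pid=1040 cmd="/opt/svc --report 22 -l 10000 -s 123"
"""


def classify(cmdline):
    """Return (severity, matched flags), or None when the line does not match."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = cmdline.split()
    # Ignore argv[0] so a renamed binary changes nothing; accept -flag=value too.
    flags = {t.split("=", 1)[0] for t in tokens[1:] if t.startswith("-")}
    core, distinct = flags & CORE, flags & DISTINCTIVE
    if not distinct or not (core or "--report" in distinct):
        return None  # -l/-c/-s alone are too generic to alert on
    # Port reuse: --report with --rehost (socket option mode) or with -l (iptables mode).
    reuse = "--report" in flags and ("--rehost" in flags or "-l" in flags)
    return ("high" if reuse else "medium", sorted(core | distinct))


def hunt(log_text):
    """Return (host, pid, severity, flags) for every matching record."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            verdict = classify(m.group(3))
            if verdict:
                hits.append((m.group(1), int(m.group(2)), *verdict))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The `nc` and `grep` records are deliberately left unflagged: they carry only the short flags, which many unrelated tools share.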

Port reuse

Stowaway now provides two port reuse functions: one is based on the SO_REUSEPORT/SO_REUSEADDR features and the other is based on IPTABLES.

  • In a Linux environment, Stowaway can reuse most ports
  • In a Windows environment, it cannot reuse service ports such as IIS and RDP, but can reuse MySQL, Apache and so on

Reuse methods

  • SO_REUSEPORT/SO_REUSEADDR

Assuming that the agent side is using the port reuse mechanism to reuse port 80

In order to do this, the agent must set the --rehost && --report && -s parameters at startup

  • --rehost represents the IP address that you want to reuse; it cannot be 0.0.0.0 and should generally be the external address of the network card

  • --report represents the port that you want to reuse

  • -s represents the communication key

This mode mainly supports Windows and Mac; Linux is also possible, but with more restrictions

  • admin: ./stowaway_admin -c 192.168.0.105:80 -s 123
  • agent: ./stowaway_agent --report 80 --rehost 192.168.0.105 -s 123

  • IPTABLES

Assuming that the agent side is using port reuse mechanism to reuse port 22

In order to do this, the agent must set the -l && --report && -s parameters at startup

  • -l represents the port that cannot be accessed normally; in other words, it is the port you really want the agent to listen on and accept connections

  • --report represents the port that you want to reuse

  • -s represents the communication key

This method only supports Linux. The agent will manipulate IPTABLES automatically, so root permission is required

  • agent: ./stowaway_agent --report 22 -l 10000 -s 123

    After the agent is started like above, please use reuse.py in the script directory first

    Set the value of SECRET (the value of SECRET is the communication key, aka -s option)

    Then execute: python reuse.py --start --rhost xxx.xxx.xxx.xxx --rport 22

    • --rhost represents the address of the agent

    • --rport represents the port to be reused, in this case it should be 22

  • At this time, the admin can connect to this agent: ./stowaway_admin -c xxx.xxx.xxx.xxx:22 -s 123

Notice

  • The above only lists the connection between the admin and the agent; connections between agents work the same way, with no difference

  • If a node is killed by ctrl-c or the kill command, it will clean up the iptables rules automatically. If it is killed by kill -9, it cannot do that, and the service originally running on the reused port becomes unreachable. To avoid this situation, reuse.py provides a function that stops "port reusing".

If you want to stop "port reusing", just run reuse.py like this: python reuse.py --stop --rhost 192.168.0.105 --rport 22

The "port reusing" will then be closed, and the service originally running on the reused port can be reached again

  • If you use the port reusing mode via IPTABLES, the agent will be forced to listen on 0.0.0.0, and you cannot specify ip+port with the -l option
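The SO_REUSEPORT/SO_REUSEADDR mode described above leaves two processes listening on the same port, which shows up in a socket listing. This added example (not part of the Stowaway project) checks text in the layout of Windows `netstat -ano` for overlapping listeners owned by different PIDs; the sample listing, the PIDs and the function names are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

WILDCARDS = {"0.0.0.0", "[::]"}

# Constructed sample in the layout of Windows `netstat -ano` (PIDs are made up).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2300
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1844
  TCP    192.168.0.105:80       0.0.0.0:0              LISTENING       5120
  TCP    192.168.0.105:49710    203.0.113.7:443        ESTABLISHED     3012
  TCP    [::]:80                [::]:0                 LISTENING       2300
"""


def parse_listeners(text):
    """Yield (address, port, pid) for every TCP socket in LISTENING state."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        addr, _, port = parts[1].rpartition(":")  # rpartition keeps [::] intact
        if port.isdigit() and parts[4].isdigit():
            yield addr, int(port), int(parts[4])


def overlaps(a, b):
    """True when two local addresses would compete for the same connections."""
    if a == b:
        return True
    if a.startswith("[") != b.startswith("["):  # IPv4 vs IPv6
        return False
    return a in WILDCARDS or b in WILDCARDS


def shared_ports(text):
    """Return (port, listener, listener) for overlapping listeners of different PIDs."""
    by_port = defaultdict(list)
    for addr, port, pid in parse_listeners(text):
        by_port[port].append((addr, pid))
    findings = []
    for port, socks in sorted(by_port.items()):
        for (a1, p1), (a2, p2) in combinations(socks, 2):
            if p1 != p2 and overlaps(a1, a2):
                findings.append((port, (a1, p1), (a2, p2)))
    return findings


if __name__ == "__main__":
    print(shared_ports(SAMPLE_NETSTAT))
```

A finding is a lead for review, not a verdict: the next step is to map each PID to its executable and confirm whether the second listener is expected on that host.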

How to build a multi-level network?

As you can see from the above example, only admin and one agent are present

But the multi-level network is the core of stowaway

In stowaway, the formation of a multi-level network requires the help of listen, connect, sshtunnel commands in admin

Here is a simple example

  • admin: ./stowaway_admin -l 9999 -s 123

At this time agent-1 has connected to admin

  • agent-1: ./stowaway_agent -c 127.0.0.1:9999 -s 123

If the user also wants to add agent-2 as follows

  • agent-2: ./stowaway_agent -l 10000 -s 123

Then the user can enter use 0 -> connect agent-2's IP:10000 through admin to add agent-2 to the network as a child node of agent-1

After that, suppose the user wants to add another node, agent-3, but cannot access agent-3 through agent-1

To solve this problem, the user can enter use 0 -> listen through admin -> select 1.Normal Passive -> enter 10001, so that agent-1 will listen on port 10001 and wait for the connection of a child node

After the admin operation is completed, agent-3 can be started as follows

  • agent-3: ./stowaway_agent -c 127.0.0.1:10001 -s 123

Then agent-3 can be added to the network as another child node of agent-1

For a detailed introduction of listen and sshtunnel, please check the command analysis below

How to reconnect?

Stowaway currently supports multiple ways of reconnection, briefly summarized as follows

First of all, when the parent node goes offline, only one kind of node will voluntarily exit: a node that is in active mode and has no reconnection settings at startup.

If reconnection setting is set, the node will try to reconnect in the specified time i

Extension points exported contracts — how you extend this code

  • Proxy (Interface), share/proxy.go: no doc, 2 implementers
  • Message (Interface), protocol/protocol.go: no doc, 1 implementers

Core symbols most depended-on inside this repo

  • SendMessage (protocol/protocol.go): called by 128
  • ConstructMessage (protocol/protocol.go): called by 128
  • PrepareAndDecideWhichSProtoToUpper (protocol/protocol.go): called by 37
  • PrepareAndDecideWhichSProtoToLower (protocol/protocol.go): called by 37
  • expectParams (admin/cli/interactive_win.go): called by 23
  • expectParams (admin/cli/interactive.go): called by 23
  • pretreatInput (admin/cli/interactive_win.go): called by 21
  • pretreatInput (admin/cli/interactive.go): called by 21

Shape

Function 188
Method 183
Struct 154
Interface 2

Languages

Go 100%

Modules by API surface

  • protocol/protocol.go: 70 symbols
  • admin/topology/topology.go: 22 symbols
  • admin/manager/socks.go: 22 symbols
  • admin/manager/backward.go: 20 symbols
  • agent/handler/socks.go: 18 symbols
  • admin/manager/others.go: 18 symbols
  • admin/manager/forward.go: 18 symbols
  • agent/manager/socks.go: 17 symbols
  • utils/utils.go: 16 symbols
  • agent/manager/backward.go: 16 symbols
  • agent/manager/others.go: 14 symbols
  • admin/cli/interactive_win.go: 12 symbols

Dependencies from manifests, versioned

  • github.com/cheggaaa/pb v2.0.7+incompatible · 1×
  • github.com/davecgh/go-spew v1.1.1 · 1×
  • github.com/eiannone/keyboard v0.0.0-2020050800015 · 1×
  • github.com/gofrs/uuid v4.0.0+incompatible · 1×
  • github.com/libp2p/go-reuseport v0.0.2 · 1×
  • github.com/nsf/termbox-go v1.1.0 · 1×
  • golang.org/x/crypto v0.0.0-2020101217370 · 1×
  • golang.org/x/sys v0.0.0-2021010420473 · 1×
  • golang.org/x/text v0.3.0 · 1×
  • gopkg.in/VividCortex/ewma.v1 v1.1.1 · 1×
  • gopkg.in/cheggaaa/pb.v2 v2.0.7 · 1×
