a reverse TCP tunnel let you access target behind NAT or firewall
Switch branches/tags
Nothing to show
Clone or download



shootback is a reverse TCP tunnel let you access target behind NAT or firewall
反向TCP隧道, 使得NAT或防火墙后的内网机器可以被外网访问.
Consumes less than 1% CPU and 8MB memory under 800 concurrency.
slaver is single file and only depends on python(2.7/3.4+) standard library.

How it works

How shoot back works

Typical Scene

  1. Access company/school computer(no internet IP) from home
  2. Make private network/site public.
  3. Help private network penetration.
  4. Help CTF offline competitions.
    辅助CTF线下赛, 使场外选手也获得比赛网络环境
  5. Connect to device with dynamic IP, such as ADSL
    连接动态IP的设备, 如ADSL

Getting started

  1. requirement:

    • Master: Python3.4+, OS independent
    • Slaver: Python2.7/3.4+, OS independent
    • no external dependencies, only python std lib
  2. download git clone https://github.com/aploium/shootback

  3. (optional) if you need a single-file slaver.py, run python3 build_singlefile_slaver.py

  4. run these command

    # master listen :10000 for slaver, :10080 for you
    python3 master.py -m -c
    # slaver connect to master, and use example.com as tunnel target
    # ps: you can use python2 in slaver, not only py3
    python3 slaver.py -m -t example.com:80
    # doing request to master
    curl -v -H "host: example.com"
    # -- some HTML content from example.com --
    # -- some HTML content from example.com --
    # -- some HTML content from example.com --
  5. a more reality example:
    assume your master is (just like the graph above)

    # slaver_local_ssh <---> slaver <--> master( <--> You
    # ---- master ----
    python3 master.py -m -c
    # ---- slaver ----
    python(or python3) slaver.py -m -t
    # ---- YOU ----
    ssh -p 10022
  6. for more help, please see python3 master.py --help and python3 slaver.py --help


  1. run in daemon:
    nohup python(or python3) slaver.py -m host:port -t host:port -q &

    # screen is a linux command
    python(or python3) slaver.py -m host:port -t host:port
    # press  ctrl-a d  to detach screen
    # and if necessary, use "screen -r" to reattach
  2. ANY service using TCP is shootback-able. HTTP/FTP/Proxy/SSH/VNC/...

  3. shootback itself just do the transmission job, do not handle encrypt or proxy.
    however you can use a 3rd party proxy (eg: shadowsocks) as slaver target.
    for example:


  1. in windows, due to the limit of CPython select.select(), shootback can NOT handle more than 512 concurrency, you may meet
    ValueError: too many file descriptors in select()
    If you have to handle such high concurrency in windows, Anaconda-Python3 is recommend, it's limit in windows is 2048


  1. in my laptop of intel I7-4710MQ, win10 x64:
    • 1.6Gbits/s of loopback transfer (using iperf), with about 5% CPU occupation.
    • 800 thread ApacheBench, with less than 1% CPU and 8MB memory consume