Skip to content
Switch branches/tags
Go to file


Failed to load latest commit information.
Latest commit message
Commit time


shootback is a reverse TCP tunnel let you access target behind NAT or firewall
反向TCP隧道, 使得NAT或防火墙后的内网机器可以被外网访问.
Consumes less than 1% CPU and 8MB memory under 800 concurrency.
slaver is single file and only depends on python(2.7/3.4+) standard library.

How it works

How shoot back works

Typical Scene

  1. Access company/school computer(no internet IP) from home
  2. Make private network/site public.
  3. Help private network penetration.
  4. Help CTF offline competitions.
    辅助CTF线下赛, 使场外选手也获得比赛网络环境
  5. Connect to device with dynamic IP, such as ADSL
    连接动态IP的设备, 如ADSL
  6. SSL encryption between slaver and master

Getting started

  1. requirement:

    • Master: Python3.4+, OS independent
    • Slaver: Python2.7/3.4+, OS independent
    • no external dependencies, only python std lib
  2. download git clone

  3. (optional) if you need a single-file, run python3

  4. run these command

    # master listen :10000 for slaver, :10080 for you
    python3 -m -c
    # slaver connect to master, and use as tunnel target
    # ps: you can use python2 in slaver, not only py3
    python3 -m -t
    # doing request to master
    curl -v -H "host:"
    # -- some HTML content from --
    # -- some HTML content from --
    # -- some HTML content from --
  5. a more reality example (with ssl):
    assume your master is (just like the graph above)

    # slaver_local_ssh <---> slaver <--[SSL]--> master( <--> You
    # ---- master ----
    python3 -m -c --ssl
    # ---- slaver ----
    # ps: the `--ssl` option is for slaver-master encryption, not for SSH
    python(or python3) -m -t --ssl
    # ---- YOU ----
    ssh -p 10022
  6. for more help, please see python3 --help and python3 --help


  1. run in daemon:
    nohup python(or python3) -m host:port -t host:port -q &

    # screen is a linux command
    python(or python3) -m host:port -t host:port
    # press  ctrl-a d  to detach screen
    # and if necessary, use "screen -r" to reattach
  2. ANY service using TCP is shootback-able. HTTP/FTP/Proxy/SSH/VNC/...

  3. shootback itself just do the transmission job, do not handle encrypt or proxy.
    however you can use a 3rd party proxy (eg: shadowsocks) as slaver target.
    for example:


  1. in windows, due to the limit of CPython, shootback can NOT handle more than 512 concurrency, you may meet
    ValueError: too many file descriptors in select()
    If you have to handle such high concurrency in windows, Anaconda-Python3 is recommend, it's limit in windows is 2048


  1. in my laptop of intel I7-4710MQ, win10 x64:
    • 1.6Gbits/s of loopback transfer (using iperf), with about 5% CPU occupation.
    • 800 thread ApacheBench, with less than 1% CPU and 8MB memory consume