Rosie the Pivoter is a prototype general-purpose secure network pivoting tool. Rosie uses mutual TLS for all connections between the client, server, and pivot. All certificates are signed and managed automatically for you by a per-instance certificate authority. Certificates are generated on the fly and embedded within each client and pivot binary, which are compiled dynamically by the server.
WARNING: This is still a prototype, expect bugs and unstable connections!
Rosie has the following design goals:
- Cross Platform - All Rosie components should support as many platforms as possible.
- Secure by Default - Rosie's default behavior should be secure, including transport-layer security. It should be difficult to misconfigure the application into an insecure state.
- Zero Runtime Dependencies - No dynamically linked libraries; pivots, clients, and servers should run on any supported platform without the need to install any external libraries or programs.
- N to N - All components should support multiplexing multiple clients/connections/etc.
To start the server:
$ ./rosie-server
[*] First time setup, unpacking assets please wait ...
[*] Client binary written to: /Users/moloch/go/src/rosie/rosie
[*] Starting listeners ...
The first time you run the server as a given user, it unpacks various assets into ~/.rosie and generates a client binary in the current working directory that can be used to interact with the server.
The client already has the proper certificates embedded within the binary. As such, a client binary can only be used to interact with the server that generated it.
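An added illustration of that property, not Rosie's own code: a throwaway per-instance CA issues leaf certificates, each side's TLS config both presents its leaf and verifies the peer against that CA only, and a leaf issued by a different instance's CA is refused in either direction. The function names, the Ed25519 keys, the one-day validity and the "rosie-server" name are assumptions for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert makes a one-day Ed25519 cert for name: a self-signed CA when ca is nil, else a leaf signed by ca.
func newCert(name string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors are dropped only to keep the demo short
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}} // valid for either role
	if ca == nil { // self-signed CA: the template is its own issuer and signs with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, ca, caKey = true, true, x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func mtlsConfig(ca, cert *x509.Certificate, key ed25519.PrivateKey, peerName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		MinVersion: tls.VersionTLS13, RootCAs: pool, ServerName: peerName, // as a client: verify the server against our CA only
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} // as a server: demand a client cert issued by our CA
}
// handshake runs server and client over loopback TCP and reports whether both sides accepted each other.
func handshake(server, client *tls.Config) bool {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // server side: Write runs the handshake, which fails if the client cert is not from our CA
		if conn, err := ln.Accept(); err == nil {
			conn.Write([]byte("ok"))
			conn.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client) // fails if the server cert does not chain to our CA
	if err == nil {
		_, err = conn.Read(make([]byte, 2)) // a TLS 1.3 client only learns the server's verdict on its first read
		conn.Close()
	}
	return err == nil
}
```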
You can generate pivot binaries for any supported platform by using the pivot client command, for example:
$ ./rosie pivot -os windows -output pivot.exe
[*] Generating new pivot binary ...
[*] Compiler target windows/amd64
[*] New pivot (windows/amd64): pivot.exe
$ file pivot.exe
pivot.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Valid compiler targets are:
darwin/386
darwin/amd64
dragonfly/amd64
freebsd/386
freebsd/amd64
freebsd/arm
linux/386
linux/amd64
linux/arm
linux/arm64
linux/ppc64
linux/ppc64le
linux/mips
linux/mipsle
linux/mips64
linux/mips64le
linux/s390x
netbsd/386
netbsd/amd64
netbsd/arm
openbsd/386
openbsd/amd64
openbsd/arm
plan9/386
plan9/amd64
plan9/arm
solaris/amd64
windows/386
windows/amd64
Rosie has three primary components: a client, a server, and a pivot.
attacker <-TCP-> client <-protobuf/mTLS-> rosie-server <-protobuf/mTLS-> pivot <-TCP-> target
attacker <-TCP-> client <-protobuf/mTLS-> <-protobuf/mTLS-> pivot <-TCP-> target
You'll want to compile from a macOS or Linux machine. Compiling from Windows should work, but none of the scripts are designed to run on Windows (you can compile the Windows binaries from macOS or Linux).
Requirements:
- Go v1.11 or later
- Make, sed, tar, wget, zip
Build the thin server (for development):
$ ./deps.sh
$ ./go-assets.sh
$ make
Statically compile and bundle server with all dependencies and assets:
$ make static-macos
$ make static-linux
$ make static-windows
Planned features:
- SOCKS v5
- Layer 2 TUN/TAP