moloch--/rosie

Rosie the Pivoter

Rosie the Pivoter is a prototype general-purpose secure network pivoting tool. Rosie uses mutual TLS for all connections between the client, server, and pivot. All certificates are signed and managed automatically for you with a per-instance certificate authority. Certificates are generated on the fly and embedded within each client and pivot binary, which are dynamically compiled by the server.

WARNING: This is still a prototype, expect bugs and unstable connections!

Design Goals

Rosie has the following design goals:

  • Cross Platform - All Rosie components should support as many platforms as possible.
  • Secure by Default - Rosie's default behavior should be secure, including transport layer security. It should be difficult to misconfigure the application to be insecure.
  • Zero Runtime Dependencies - No dynamically linked libraries; pivots, clients, and servers should run on any supported platform without the need to install any external libraries or programs.
  • N to N - All components should support multiplexing multiple clients/connections/etc.

Usage

Server

To start the server:

$ ./rosie-server
[*] First time setup, unpacking assets please wait ...
[*] Client binary written to: /Users/moloch/go/src/rosie/rosie
[*] Starting listeners ...

The first time you run the server as a user it will unpack various assets into ~/.rosie and generate a client binary in the current working directory that can be used to interact with the server.

Client

The client will already have the proper certificates embedded within the binary. As such, client binaries can only be used to interact with the server they were generated by.
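
The following Go program is an added example, not code from the Rosie repository. It shows why a certificate issued under one instance's CA is refused by a different instance, using the same chain check that crypto/tls performs on a server configured with `tls.RequireAndVerifyClientCert`. The `Issue` and `Accepts` helpers and all certificate names are hypothetical, and the check runs offline rather than over a live connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue signs a certificate for name (hypothetical helper, not Rosie's own).
// A nil parent self-signs and yields a CA; otherwise the result is a client-auth leaf.
func Issue(name string, parent *tls.Certificate) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // root of a new instance: may sign, may not authenticate
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}

// Accepts applies the check crypto/tls makes under tls.RequireAndVerifyClientCert:
// the peer must chain to this instance's CA and carry the client-auth usage.
func Accepts(ca *tls.Certificate, peer *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	a, b := Issue("instance-a CA", nil), Issue("instance-b CA", nil) // constructed names
	client := Issue("client-1", a)
	fmt.Println("instance A:", Accepts(a, client.Leaf), "| instance B:", Accepts(b, client.Leaf))
}
```

On a real listener, the same pool would be set as `ClientCAs` on the server's `tls.Config` and as `RootCAs` on the client's, so each side verifies the other against the instance CA only.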

Generating Pivots

You can generate pivot binaries for any supported platform by using the pivot client command, for example:

$ ./rosie pivot -os windows -output pivot.exe
[*] Generating new pivot binary ...
[*] Compiler target windows/amd64
[*] New pivot (windows/amd64): pivot.exe
$ file pivot.exe
pivot.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

Valid compiler targets are:

  • darwin/386
  • darwin/amd64
  • dragonfly/amd64
  • freebsd/386
  • freebsd/amd64
  • freebsd/arm
  • linux/386
  • linux/amd64
  • linux/arm
  • linux/arm64
  • linux/ppc64
  • linux/ppc64le
  • linux/mips
  • linux/mipsle
  • linux/mips64
  • linux/mips64le
  • linux/s390x
  • netbsd/386
  • netbsd/amd64
  • netbsd/arm
  • openbsd/386
  • openbsd/amd64
  • openbsd/arm
  • plan9/386
  • plan9/amd64
  • plan9/arm
  • solaris/amd64
  • windows/386
  • windows/amd64

Architecture

Rosie has three primary components: a client, a server, and a pivot.

attacker <-TCP-> client <-protobuf/mTLS-> rosie-server <-protobuf/mTLS-> pivot <-TCP-> target
attacker <-TCP-> client <-protobuf/mTLS->              <-protobuf/mTLS-> pivot <-TCP-> target

Building From Scratch

You'll want to compile from a macOS or Linux machine. Compiling from Windows should work, but none of the scripts are designed to run on Windows (you can compile the Windows binaries from macOS or Linux).

Requirements:

  • Go v1.11 or later
  • Make, sed, tar, wget, zip

Build thin server (for development):

$ ./deps.sh
$ ./go-assets.sh
$ make

Statically compile and bundle server with all dependencies and assets:

$ make static-macos
$ make static-linux
$ make static-windows

TODO

Planned features:

  • SOCKS v5
  • Layer 2 TUN/TAP