shootback: a reverse TCP tunnel let you access target behind NAT or firewall


is a reverse TCP tunnel let you access target behind NAT or firewall. Consumes less than 1% CPU and 8MB memory under 800 concurrency. slaver is single file and only depends on python(2.7/3.4+) standard library.

How it works

Typical Scene

  1. Access company/school computer(no internet IP) from home
  2. Make a private network/site public.
  3. Help private network penetration.
  4. Help CTF offline competitions.
  5. Connect to a device with dynamic IP, such as ADSL

Getting started

  1. requirement:
    • Master: Python3.4+, OS independent
    • Slaver: Python2.7/3.4+, OS independent
    • no external dependencies, only python std lib
  2. download
    git clone
  3. (optional) if you need a single-file, run python3
  4. run these command
    # master listen :10000 for slaver, :10080 for you
    python3 -m -c

    # slaver connect to master, and use as tunnel target
    # ps: you can use python2 in slaver, not only py3
    python3 -m -t

    # doing request to master
    curl -v -H "host:"
    # -- some HTML content from --
    # -- some HTML content from --
    # -- some HTML content from --


  5. a more realistic example:
    assume your master is (just like the graph above)
    # slaver_local_ssh <---> slaver <--> master( <--> You

    # ---- master ----
    python3 -m -c

    # ---- slaver ----
    python(or python3) -m -t

    # ---- YOU ----
    ssh -p 10022
  6. for more help, please see python3 –help and python3 –help


  1. run in daemon:
    nohup python(or python3) -m host:port -t host:port -q &
    # screen is a linux command
    python(or python3) -m host:port -t host:port
    # press ctrl-a d to detach screen
    # and if necessary, use "screen -r" to reattach
  2. ANY service using TCP is shootback-able. HTTP/FTP/Proxy/SSH/VNC/…
  3. shootback itself just do the transmission job, do not handle encrypt or proxy. However, you can use a 3rd party proxy (eg: shadowsocks) as slaver target.
    for example: