Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.


  • In a fully firewalled (inbound and outbound connections restricted – except the webserver port)
  • The webshell can be used to connect to any service on the remote host. This would be a local connection on a local port at the remote host and should be allowed by the firewall.
  • The webshell will read data from the service port wrap them over HTTP and send it as an HTTP response to the local proxy.
  • The local proxy will unwrap and write the data to it’s local port where the client program would be connected.
  • When the local proxy receives data on the local port, it will send them over to the webshell as an HTTP Post.
  • The webshell will read the data from the HTTP Post and put them on the service port
    and repeat –^
  • Only the webserver port needs to be open (typically 80/443) The whole communication (Externally) is done over the HTTP protocol



No SOCKS Options

Options are ignored if SOCKS proxy is used

Upstream Proxy Options

Tunnel connection through a local Proxy

Advanced Options

See limitations

example usage: python proxy.py -u -l 8000 -v




Technical Details

Architecture descisions


  • 1st packet initiates a session with the webshell – gets a cookie back eg: http://webserver/conn.ext?proxy
  • 2nd packet sends connection configuration options to the webshell eg: http://webserver/conn.ext?proxy&port=4444&ip=


A local socket is going to get created where the client program is going to connect to Once the client is connected the pinging thread is initiated and execution starts. Any data on the socket (from the client) get read and get sent as a HTTP Post request Any data on the webshell socket get sent as a response to the POST request


Because HTTP responses cannot be asynchronous. This thread will do HTTP Get requests on the webshell based on an interval (default 0.5 sec) If the webshell has data to send, it will (also) send it as a reply to this request Otherwise it sends an empty response

In general

Data from the local proxy get send with HTTP Post There are Get requests every 0.5 sec to query the webshell for data If there is data on the webshell side get send over as a response to one of these requests


The webshell connects to a socket on the local or a remote host. Any data written on the socket get sent back to the proxy as a reply to a request (POST/GET) Any data received with a post get written to the socket.


All requests need to have the URL parameter “proxy” set to be handled by the webshell (http://webserver/conn.ext?proxy)


Kills all threads and closes local socket Sends proxy close to webshell: Kills remote threads and closes socket


The SOCKS support is an addon module for Tunna. Locally is a seperate thread that handles the connection requests and traffic adds a header that specifies the port and the size of the packet and forwards it to Tunna.

Tunna sends it over to the remote web server, removes the HTTP headers and forwards the packet to the remote SOCKS proxy.

The remote SOCKS proxy initiates the connection and mapps the received port to the local port.

If the remote SOCKS proxy receives data from the service, it looks at the mapping table and finds the port it needs to respond to, adds the port as a header so the local SOCKS proxy will know where to forward the data.

Any traffic from the received port will be forwarded to the local port and vice versa.

Download Tunna