pwnat
Overview
pwnat (Peer-to-Peer With NAT) is a cross-platform peer-to-peer network tunneling utility that enables direct communication between clients and servers behind NAT devices without requiring port forwarding, UPnP, or external relay servers. It uses creative packet spoofing and asymmetric routing techniques to establish bidirectional tunnels through restrictive firewalls.
Key Features
- NAT Traversal: Establishes peer-to-peer connections across NAT boundaries
- No Port Forwarding Required: Works without manual router configuration
- Cross-Platform: Supports Linux, macOS, Windows, and BSD
- Bidirectional Communication: Enables full-duplex tunneling between peers
- Packet Spoofing: Uses ICMP and UDP techniques for traversal
- Low Overhead: Minimal bandwidth consumption for tunnel establishment
- Raw Socket Access: Requires elevated privileges for some operations
Installation
| Platform | Method | Command |
|---|---|---|
| Linux (Debian/Ubuntu) | apt-get | sudo apt-get install pwnat |
| Linux (Fedora/RHEL) | dnf | sudo dnf install pwnat |
| macOS | Homebrew | brew install pwnat |
| Windows | Binary | Download from GitHub releases |
| Source Build | Git | git clone https://github.com/samyk/pwnat && cd pwnat && make |
Basic Usage
Server Mode (Initiator)
Listen for incoming peer connections and establish tunnel:
```bash
# Start server listening on port 8000
sudo pwnat -s -p 8000
# Listen with verbose output
sudo pwnat -s -p 8000 -v
# Specify bind address
sudo pwnat -s -p 8000 -l 192.168.1.100
```
Client Mode (Peer)
Connect to server peer through NAT:
```bash
# Connect to server behind NAT
sudo pwnat -c -s <SERVER_IP> -p 8000
# With local bind address
sudo pwnat -c -s <SERVER_IP> -p 8000 -l 192.168.1.50
# Verbose mode for debugging
sudo pwnat -c -s <SERVER_IP> -p 8000 -v
```
Command Reference
| Command | Description | Example |
|---|---|---|
| -s | Start in server mode | pwnat -s |
| -c | Start in client mode | pwnat -c -s 203.0.113.5 |
| -p PORT | Specify port number | pwnat -s -p 9000 |
| -l ADDRESS | Bind to local address | pwnat -s -l 192.168.1.100 |
| -v | Verbose output | pwnat -s -v |
| -h | Display help | pwnat -h |
| -e PROG | Execute program | pwnat -c -s 203.0.113.5 -e /bin/bash |
Advanced Configuration
Establishing Tunnels with Program Execution
```bash
# Server mode: execute shell on successful connection
sudo pwnat -s -p 8000 -e '/bin/bash -i'
# Client mode: establish tunnel and execute local program
sudo pwnat -c -s 203.0.113.5 -p 8000 -e 'nc localhost 22'
```
Using with SSH Tunneling
```bash
# Server: Listen and execute SSH shell
sudo pwnat -s -p 8000 -e '/bin/bash'
# Client: Connect through pwnat tunnel
sudo pwnat -c -s <SERVER_IP> -p 8000
# From another terminal, connect to local tunnel
ssh user@127.0.0.1
```
UDP-Based Tunneling
```bash
# Server with UDP mode
sudo pwnat -s -p 8000 -u
# Client connecting via UDP
sudo pwnat -c -s 203.0.113.5 -p 8000 -u
```
Technical Details
How pwnat Works
- Endpoint Discovery: Client and server exchange packets with external relay
- Asymmetric Routing: Leverages different return paths for outbound/inbound traffic
- Packet Spoofing: Uses ICMP echo replies and UDP packets
- Tunnel Establishment: Creates bidirectional communication channel
- Data Forwarding: Routes traffic between local and remote endpoints
Network Architecture
```
┌──────────────────────────────────────────┐
│              Internet / WAN              │
├──────────────────────────────────────────┤
│   Relay/Intermediate Router (Optional)   │
├──────────────────────────────────────────┤
│                NAT Device                │
│ ┌──────────────┐      ┌──────────────┐   │
│ │ Server/Peer1 │◄────►│ Client/Peer2 │   │
│ └──────────────┘      └──────────────┘   │
└──────────────────────────────────────────┘
```
Practical Examples
Example 1: Simple Server-Client Tunnel
```bash
# Terminal 1 - Server behind NAT
sudo pwnat -s -p 5555 -v
# Terminal 2 - Client (different network)
sudo pwnat -c -s 203.0.113.10 -p 5555 -v
# Terminal 3 - Verify tunnel (after establishment)
netstat -tuln | grep 5555
```
Example 2: Remote Shell Access
```bash
# Server side - bind shell
sudo pwnat -s -p 9000 -e 'nc -l -p 4444'
# Client side - establish tunnel
sudo pwnat -c -s <SERVER_EXTERNAL_IP> -p 9000
# Connect to remote shell
nc localhost 4444
```
Example 3: File Transfer Service
```bash
# Server - setup HTTP file server through pwnat
sudo pwnat -s -p 8888 -e 'python3 -m http.server 7777'
# Client - access server's file share
sudo pwnat -c -s 203.0.113.5 -p 8888
# Download files
curl http://localhost:7777/
```
Troubleshooting
Connection Fails with “Permission Denied”
```bash
# pwnat requires root/sudo for raw socket access
sudo pwnat -s -p 8000
# Verify sudoers (Linux)
sudo visudo
# Ensure user can run pwnat without password if needed
```
“Unable to Establish Tunnel”
```bash
# Check network connectivity
ping <SERVER_IP>
# Verify the firewall doesn't block ICMP (ufw has no "allow icmp" rule;
# its ICMP rules live in /etc/ufw/before.rules)
sudo grep -n icmp /etc/ufw/before.rules
# Run with verbose debugging
sudo pwnat -c -s 203.0.113.5 -p 8000 -v -v
```
High Latency or Packet Loss
```bash
# Monitor tunnel quality with verbose output
sudo pwnat -c -s 203.0.113.5 -p 8000 -v
# Check MTU size (may need adjustment)
ip link show | grep mtu
# Set MTU for tunnel interface (replace <INTERFACE> with its name)
sudo ip link set dev <INTERFACE> mtu 1400
```
Port Already in Use
```bash
# Check what's using the port
sudo netstat -tlnp | grep :8000
sudo lsof -i :8000
# Use different port
sudo pwnat -s -p 8001
```
Security Considerations
- Elevation Required: pwnat needs root/administrator access for packet operations
- Firewall Rules: Verify firewall allows necessary ICMP and UDP traffic
- Encryption: pwnat creates a tunnel but doesn’t encrypt traffic; use SSL/TLS over it
- Authentication: Implement additional authentication for production use
- Logging: Monitor tunnel establishment for unauthorized access attempts
- Network Topology: Test before deployment to ensure asymmetric routing works in your environment
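Detection logic for the logging point above, added here as an example and not part of pwnat or the original page: it flags an internal host that sends repeated unanswered ICMP echo requests, then receives an ICMP Time Exceeded message from a remote address and starts exchanging UDP with that same address. That three-stage sequence is an assumption taken from the handshake described in the pwnat README; the flow-record format, thresholds and function name are hypothetical.

```python
from collections import defaultdict

# Constructed flow records, not real traffic: (time_s, src, dst, proto, kind)
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "192.0.2.1", "icmp", "echo-request"),      # never answered
    (5, "10.0.0.5", "192.0.2.1", "icmp", "echo-request"),
    (10, "10.0.0.5", "192.0.2.1", "icmp", "echo-request"),
    (12, "203.0.113.10", "10.0.0.5", "icmp", "time-exceeded"),  # from a peer
    (13, "10.0.0.5", "203.0.113.10", "udp", "data"),
    (14, "203.0.113.10", "10.0.0.5", "udp", "data"),
    (20, "10.0.0.7", "198.51.100.20", "icmp", "echo-request"),  # normal ping
    (21, "198.51.100.20", "10.0.0.7", "icmp", "echo-reply"),
    (30, "10.0.0.9", "198.51.100.30", "icmp", "echo-request"),  # traceroute-like
    (31, "10.0.0.9", "198.51.100.30", "icmp", "echo-request"),
    (32, "10.0.0.9", "198.51.100.30", "icmp", "echo-request"),
    (33, "198.51.100.1", "10.0.0.9", "icmp", "time-exceeded"),  # router, no UDP
]


def find_traversal_suspects(flows, min_unanswered=3, window=60):
    """Return (internal_host, remote_peer) pairs showing all three stages."""
    # (pinger, target) pairs for which an echo reply came back
    answered = {(dst, src) for _, src, dst, _, kind in flows if kind == "echo-reply"}
    unanswered = defaultdict(list)  # pinger -> times of unanswered echo requests
    for t, src, dst, _, kind in flows:
        if kind == "echo-request" and (src, dst) not in answered:
            unanswered[src].append(t)

    suspects = []
    for t, peer, host, _, kind in sorted(flows):
        if kind != "time-exceeded":
            continue
        # Stage 1: the host was sending unanswered pings shortly before
        recent = [u for u in unanswered[host] if t - window <= u <= t]
        if len(recent) < min_unanswered:
            continue
        # Stage 3: UDP between the same two endpoints soon after the ICMP error
        udp_follows = any(
            proto == "udp" and {s, d} == {host, peer} and t <= ft <= t + window
            for ft, s, d, proto, _ in flows
        )
        if udp_follows and (host, peer) not in suspects:
            suspects.append((host, peer))
    return suspects


if __name__ == "__main__":
    for host, peer in find_traversal_suspects(SAMPLE_FLOWS):
        print(f"review: {host} <-> {peer} matches ICMP-then-UDP traversal pattern")
```

The traceroute-like host in the sample is not flagged because no UDP session follows with the router that sent the Time Exceeded message, which is the stage that separates this pattern from routine diagnostics.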
Performance Optimization
Tuning for High Throughput
```bash
# Server with optimizations
sudo pwnat -s -p 8000 -b 65536
# Monitor performance
iftop -i eth0
nethogs
```
Reducing Latency
```bash
# Check current latency
ping -c 5 <REMOTE_IP>
# Adjust buffer sizes if needed (requires root)
sudo sysctl -w net.core.rmem_max=134217728
sudo sysctl -w net.core.wmem_max=134217728
```
Common Use Cases
| Use Case | Configuration | Command |
|---|---|---|
| Remote Access | Server listens, client initiates | pwnat -s -p 8000 / pwnat -c -s IP -p 8000 |
| File Transfer | With SCP/rsync | pwnat -s -p 2222 -e /usr/lib/openssh/sftp-server |
| Service Tunneling | Any TCP service | pwnat -s -p 8000 -e 'nc localhost 3000' |
| Mesh Networking | Multiple peer tunnels | Run multiple pwnat instances |
| Game Server | Peer-to-peer gaming | pwnat -s -p 9000 on both sides |
Comparison with Alternatives
| Tool | NAT Traversal | Relay Required | Encryption | Use Case |
|---|---|---|---|---|
| pwnat | Yes (asymmetric) | No | No | P2P tunneling |
| ngrok | Yes | Cloud relay | Yes | Quick tunneling |
| Tailscale | Yes | Cloud coordination | Yes | VPN mesh |
| SSH | Limited | Manual ports | Yes | Remote access |
| UPnP | Yes | Router support | No | Automatic forwarding |
Scripting Examples
Automated Tunnel Monitor
```bash
#!/bin/bash
# Retry the tunnel on a fixed interval and log each outcome
REMOTE_IP="203.0.113.10"
REMOTE_PORT="8000"
INTERVAL=30
while true; do
    if sudo pwnat -c -s "$REMOTE_IP" -p "$REMOTE_PORT" -v 2>&1 | grep -q "Established"; then
        echo "[$(date)] Tunnel established successfully"
    else
        echo "[$(date)] Tunnel establishment failed"
    fi
    sleep "$INTERVAL"
done
```
Batch Tunnel Creation
```bash
#!/bin/bash
# Start one background tunnel per peer, each on its own port
PEERS=("203.0.113.5" "203.0.113.6" "203.0.113.7")
BASE_PORT=8000
for i in "${!PEERS[@]}"; do
    PORT=$((BASE_PORT + i))
    sudo pwnat -c -s "${PEERS[$i]}" -p "$PORT" &
    echo "Started tunnel to ${PEERS[$i]} on port $PORT"
done
# Block until all background tunnels exit
wait
```
Resources and Documentation
- GitHub Repository: https://github.com/samyk/pwnat
- Author: Samy Kamkar
- License: GPL-3.0
- Documentation: See README and inline comments in source code
- Community: GitHub issues for bug reports and feature requests
Version History
| Version | Release Date | Key Features |
|---|---|---|
| 0.7.2 | 2013 | UDP support, verbose logging |
| 0.7.1 | 2013 | Bug fixes, IPv4 support |
| 0.7 | 2012 | Initial stable release |
Legal and Ethical Use
pwnat is a legitimate tool for authorized network testing and research. Ensure you have proper authorization before establishing tunnels or bypassing network restrictions. Use responsibly for:
- Testing NAT traversal implementations
- Network research and education
- Authorized penetration testing
- Internal network connectivity
- Peer-to-peer application development
Unauthorized network access is illegal in most jurisdictions.