{
	"id": "f2152576-0382-477f-95a9-37160739e85f",
	"created_at": "2026-04-06T00:17:53.122988Z",
	"updated_at": "2026-04-10T13:12:48.747225Z",
	"deleted_at": null,
	"sha1_hash": "4b9f0a9af015707af1a56f76267d1cf2cc8710ec",
	"title": "GitHub - securesocketfunneling/ssf: Secure Socket Funneling - Network tool and toolkit - TCP and UDP port forwarding, SOCKS proxy, remote shell, standalone and cross platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 135869,
	"plain_text": "GitHub - securesocketfunneling/ssf: Secure Socket Funneling -\r\nNetwork tool and toolkit - TCP and UDP port forwarding, SOCKS\r\nproxy, remote shell, standalone and cross platform\r\nBy olachere\r\nArchived: 2026-04-05 14:06:01 UTC\r\nSecure Socket Funneling (SSF) is a network tool and toolkit.\r\nIt provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure\r\nTLS tunnel to a remote computer.\r\nSSF is cross platform (Windows, Linux, OSX) and comes as standalone executables.\r\nFeatures:\r\nLocal and remote TCP port forwarding\r\nLocal and remote UDP port forwarding\r\nLocal and remote SOCKS server\r\nLocal and remote shell through sockets\r\nFile copy\r\nNative relay protocol\r\nTLS connection with the strongest cipher-suites\r\nDownload prebuilt binaries\r\nDocumentation\r\nBuild on Windows\r\nBuild on Unix/Linux\r\nCross compiling SSF (e.g. Raspberry Pi)\r\nHow to use\r\nCommand line\r\nClient\r\nUsage: ssf[.exe] [options] server_address\r\nOptions:\r\nhttps://github.com/securesocketfunneling/ssf\r\nPage 1 of 12\n\n-v verbose_level : Verbosity: critical|error|warning|info|debug|trace (default: info)\r\n-q : Quiet mode. Do not print logs\r\n-p port : Remote port (default: 8011)\r\n-c config_file_path : Specify configuration file. If not set, 'config.json' is loaded from the current\r\nworking directory\r\n-m attempts : Max unsuccessful connection attempts before stopping (default: 1)\r\n-t delay : Time to wait before attempting to reconnect in seconds (default: 60)\r\n-n : Do not try to reconnect client if connection is interrupted\r\n-g : Allow gateway ports. 
Allow client to bind local sockets for a service to a specific address rather than\r\n\"localhost\"\r\n-S : Display microservices status (on/off)\r\nServices options:\r\n-D [[bind_address]:]port : Run a SOCKS proxy on the server accessible on [[bind_address]:]port\r\non the local side\r\n-F [[bind_address]:]port : Run a SOCKS proxy on the local host accessible from the server on\r\n[[bind_address]:]port\r\n-X [[bind_address]:]port : Forward server shell I/O to the specified port on the local side. Each\r\nconnection creates a new shell process\r\n-Y [[bind_address]:]port : Forward local shell I/O to the specified port on the server\r\n-L [[bind_address]:]port:host:hostport : Forward TCP connections to [[bind_address]:]port on\r\nthe local host to host:hostport on the server\r\n-R [[bind_address]:]port:host:hostport : Forward TCP connections to [[bind_address]:]port on\r\nthe server to host:hostport on the local side\r\n-U [[bind_address]:]port:host:hostport : Forward local UDP traffic on [[bind_address]:]port to\r\nhost:hostport on the server\r\n-V [[bind_address]:]port:host:hostport : Forward UDP traffic on [[bind_address]:]port on the\r\nserver to host:hostport on the local side\r\nServer\r\nUsage: ssfd[.exe] [options]\r\nOptions:\r\n-v verbose_level : Verbosity: critical|error|warning|info|debug|trace (default: info)\r\n-q : Quiet mode. Do not print logs\r\n-c config_file_path : Specify configuration file. If not set, 'config.json' is loaded from the current\r\nworking directory\r\n-p port : Local port (default: 8011)\r\n-R : The server will only relay connections\r\n-l host : Set server bind address\r\n-g : Allow gateway ports. 
Allow client to bind local sockets for a service to a specific address rather than\r\n\"localhost\"\r\n-S : Display microservices status (on/off)\r\nCopy\r\nThe copy feature must be enabled on both client and server configuration file:\r\n{\r\n \"ssf\": {\r\n \"services\": {\r\n \"copy\": { \"enable\": true }\r\n }\r\n }\r\n}\r\nUsage: ssfcp[.exe] [options] [host@]/absolute/path/file [[host@]/absolute/path/file]\r\nOptions:\r\n-v verbose_level : Verbosity: critical|error|warning|info|debug|trace (default: info)\r\n-q : Quiet mode. Do not print logs\r\n-c config_file_path : Specify configuration file. If not set, 'config.json' is loaded from the current\r\nworking directory\r\n-p port : Remote port (default: 8011)\r\n-t : Use stdin as input\r\n--resume : Attempt to resume file transfer if the destination file exists\r\n--check-integrity : Check file integrity at the end of the transfer\r\n-r : Copy files recursively\r\n--max-transfers arg : Max transfers in parallel (default: 1)\r\nExamples\r\nClient\r\nThe client will run a SOCKS proxy on port 9000 and transfer connection requests to the server 192.168.0.1:8000\r\nssf -D 9000 -c config.json -p 8000 192.168.0.1\r\nServer\r\nThe server will be bound to port 8011 on all the network interfaces\r\nThe server will be bound to 192.168.0.1:9000\r\nssfd -p 9000 -l 192.168.0.1\r\nCopy local file to remote filesystem\r\nssfcp [-c config_file] [-p port] path/to/file host@absolute/path/directory_destination\r\nssfcp [-c config_file] [-p port] path/to/file* host@absolute/path/directory_destination\r\nssfcp [-c config_file] [-p port] -r path/to/dir host@absolute/path/directory_destination\r\nPipe file from standard input to remote filesystem\r\ndata_in_stdin | ssfcp [-c config_file] [-p port] -t host@path/to/destination/file_destination\r\nCopy remote files to local filesystem :\r\nssfcp [-c config_file] [-p port] remote_host@path/to/file 
absolute/path/directory_destination\r\nssfcp [-c config_file] [-p port] remote_host@path/to/file* absolute/path/directory_destination\r\nssfcp [-c config_file] [-p port] -r remote_host@path/to/dir absolute/path/directory_destination\r\nConfiguration file\r\n{\r\n \"ssf\": {\r\n \"arguments\": \"\",\r\n \"circuit\": [],\r\n \"http_proxy\": {\r\n \"host\": \"\",\r\n \"port\": \"\",\r\n \"user_agent\": \"\",\r\n \"credentials\": {\r\n \"username\": \"\",\r\n \"password\": \"\",\r\n \"domain\": \"\",\r\n \"reuse_ntlm\": true,\r\n \"reuse_nego\": true\r\n }\r\n },\r\n \"socks_proxy\": {\r\n \"version\": 5,\r\n \"host\": \"\",\r\n \"port\": \"1080\"\r\n },\r\n \"tls\" : {\r\n \"ca_cert_path\": \"./certs/trusted/ca.crt\",\r\n \"cert_path\": \"./certs/certificate.crt\",\r\n \"key_path\": \"./certs/private.key\",\r\n \"key_password\": \"\",\r\n \"dh_path\": \"./certs/dh4096.pem\",\r\n \"cipher_alg\": \"DHE-RSA-AES256-GCM-SHA384\"\r\n },\r\n \"services\": {\r\n \"datagram_forwarder\": { \"enable\": true },\r\n \"datagram_listener\": {\r\n \"enable\": true,\r\n \"gateway_ports\": false\r\n },\r\n \"stream_forwarder\": { \"enable\": true },\r\n \"stream_listener\": {\r\n \"enable\": true,\r\n \"gateway_ports\": false\r\n },\r\n \"copy\": { \"enable\": false },\r\n\"shell\": {\r\n \"enable\": false,\r\n \"path\": \"/bin/bash|C:\\\\windows\\\\system32\\\\cmd.exe\",\r\n \"args\": \"\"\r\n },\r\n \"socks\": { \"enable\": true }\r\n }\r\n }\r\n}\r\nArguments\r\nConfiguration key Description\r\narguments use configuration arguments instead of given CLI arguments (except -c )\r\nThe arguments key lets the user customize the command line arguments in the configuration file. 
This feature is\r\na convenient way to save different client connection profiles.\r\nGiven the following configuration file conf.json :\r\n{\r\n \"ssf\": {\r\n \"arguments\": \"10.0.0.1 -p 443 -D 9000 -L 11000:localhost:12000 -v debug\"\r\n }\r\n}\r\nSSF will extract the given arguments and use them as a replacement of the initial arguments (except -c ).\r\nFor example, ssf -c conf.json will be equivalent to ssf 10.0.0.1 -p 443 -D 9000 -L\r\n11000:localhost:12000 -v debug :\r\nconnect to 10.0.0.1:443 ( 10.0.0.1 -p 443 )\r\nstart the SOCKS service ( -D 9000 )\r\nstart the TCP port forwarding service ( -L 11000:localhost:12000 )\r\nset verbosity level to debug ( -v debug )\r\nCircuit\r\nConfiguration key Description\r\ncircuit relay chain servers used to establish the connection to the remote server\r\nThe circuit is a JSON array containing the bounce servers and ports which will be used to establish the\r\nconnection. They are listed as follows:\r\n{\r\n \"ssf\": {\r\n \"circuit\": [\r\n {\"host\": \"SERVER1\", \"port\":\"PORT1\"},\r\n {\"host\": \"SERVER2\", \"port\":\"PORT2\"},\r\n {\"host\": \"SERVER3\", \"port\":\"PORT3\"}\r\n ]\r\n }\r\n}\r\nThis configuration will create the following connection chain:\r\nCLIENT -\u003e SERVER1:PORT1 -\u003e SERVER2:PORT2 -\u003e SERVER3:PORT3 -\u003e TARGET\r\nProxy\r\nSSF supports connection through:\r\nHTTP proxy by using the CONNECT HTTP method\r\nSOCKS proxy (v4 or v5)\r\nHTTP proxy\r\nConfiguration key Description\r\nhttp_proxy.host HTTP proxy host\r\nhttp_proxy.port HTTP proxy port\r\nhttp_proxy.user_agent User-Agent header value in HTTP CONNECT request\r\nhttp_proxy.credentials.username\r\nproxy username credentials (all platforms: Basic or Digest, Windows:\r\nNTLM and Negotiate if reuse = false)\r\nhttp_proxy.credentials.password\r\nproxy password credentials (all platforms: Basic or Digest, Windows:\r\nNTLM and Negotiate if reuse = 
false)\r\nhttp_proxy.credentials.domain user domain (NTLM and Negotiate auth on Windows only)\r\nhttp_proxy.credentials.reuse_ntlm\r\nreuse current computer user credentials to authenticate with proxy\r\nNTLM auth (SSO)\r\nhttp_proxy.credentials.reuse_kerb\r\nreuse current computer user credentials (Kerberos ticket) to authenticate\r\nwith proxy Negotiate auth (SSO)\r\nSupported authentication schemes:\r\nBasic\r\nDigest\r\nNTLM (Windows only)\r\nNegotiate with Kerberos (reuse computer user credentials)\r\nSOCKS proxy\r\nConfiguration key Description\r\nsocks_proxy.version SOCKS version (4 or 5)\r\nsocks_proxy.host SOCKS proxy host\r\nsocks_proxy.port SOCKS proxy port\r\nNo authentication scheme supported.\r\nTLS\r\nUsing external files\r\nConfiguration key Description\r\ntls.ca_cert_path relative or absolute filepath to the CA certificate file\r\ntls.cert_path relative or absolute filepath to the instance certificate file\r\ntls.key_path relative or absolute filepath to the private key file\r\ntls.key_password key password\r\ntls.dh_path relative or absolute filepath to the Diffie-Hellman file (server only)\r\ntls.cipher_alg cipher algorithm\r\nWith default options, the following files and folders should be in the working directory of the client or the server:\r\n./certs/dh4096.pem\r\n./certs/certificate.crt\r\n./certs/private.key\r\n./certs/trusted/ca.crt\r\nWhere:\r\ndh4096.pem contains the Diffie-Hellman parameters (generate DH parameters)\r\ncertificate.crt and private.key are the certificate and the private key of the SSF server or client (generate\r\ncertificate)\r\nca.crt is the concatenated list of certificates trusted by the SSF server or client (generate CA)\r\nIf you want those files at different paths, it is possible to customize them thanks to the TLS path keys:\r\n{\r\n \"ssf\": {\r\n \"tls\" : {\r\n \"ca_cert_path\": 
\"./certs/trusted/ca.crt\",\r\n \"cert_path\": \"./certs/certificate.crt\",\r\n \"key_path\": \"./certs/private.key\",\r\n \"key_password\": \"\",\r\n \"dh_path\": \"./certs/dh4096.pem\",\r\n \"cipher_alg\": \"DHE-RSA-AES256-GCM-SHA384\"\r\n }\r\n }\r\n}\r\nUsing configuration file only\r\nConfiguration\r\nkey\r\nDescription\r\ntls.ca_cert_buffer\r\nCA certificate file content in PEM format (:warning: \\n between data and PEM\r\nheader/footer)\r\ntls.cert_buffer\r\ninstance certificate file content in PEM format (:warning: \\n between data and PEM\r\nheader/footer)\r\ntls.key_buffer\r\nprivate key file content in PEM format (:warning: \\n between data and PEM\r\nheader/footer)\r\ntls.key_password key password\r\ntls.dh_buffer\r\nDiffie-Hellman parameters file content in PEM format (:warning: \\n between data\r\nand PEM header/footer, server only)\r\ntls.cipher_alg cipher algorithm\r\nYou can integrate the TLS parameters directly into the configuration file by using the tls.ca_cert_buffer ,\r\ntls.cert_buffer , tls.key_buffer and tls.dh_buffer keys.\r\n{\r\n \"ssf\": {\r\n \"tls\" : {\r\n \"ca_cert_buffer\":\"-----BEGIN CERTIFICATE-----\\n...\\n-----END CERTIFICATE-----\",\r\n \"cert_buffer\":\"-----BEGIN CERTIFICATE-----\\n...\\n-----END CERTIFICATE-----\",\r\n \"key_buffer\":\"-----BEGIN RSA PRIVATE KEY-----\\n...\\n-----END RSA PRIVATE KEY-----\",\r\n \"key_password\": \"\",\r\n\"dh_buffer\":\"-----BEGIN DH PARAMETERS-----\\n...\\n-----END DH PARAMETERS-----\",\r\n \"cipher_alg\": \"DHE-RSA-AES256-GCM-SHA384\"\r\n }\r\n }\r\n}\r\nCertificates, private keys and DH parameters must be in PEM format. 
⚠️ \\n between data and PEM\r\nheader/footer are mandatory.\r\nMicroservices\r\nConfiguration key Description\r\nservices.*.enable enable/disable microservice\r\nservices.*.gateway_ports enable/disable gateway ports\r\nservices.shell.path binary path used for shell creation\r\nservices.shell.args binary arguments used for shell creation\r\nSSF's features are built using microservices (TCP forwarding, remote SOCKS, ...)\r\nThere are 7 microservices:\r\nstream_forwarder\r\nstream_listener\r\ndatagram_forwarder\r\ndatagram_listener\r\ncopy\r\nsocks\r\nshell\r\nEach feature is the combination of at least one client side microservice and one server side microservice.\r\nThis table sums up how each feature is assembled:\r\nssf feature microservice client side microservice server side\r\n-L : TCP forwarding stream_listener stream_forwarder\r\n-R : remote TCP forwarding stream_forwarder stream_listener\r\n-U : UDP forwarding datagram_listener datagram_forwarder\r\n-V : remote UDP forwarding datagram_forwarder datagram_listener\r\n-D : SOCKS stream_listener socks\r\n-F : remote SOCKS socks stream_listener\r\n-X : shell stream_listener shell\r\n-Y : remote shell shell stream_listener\r\nThis architecture makes it easier to build remote features: they use the same microservices but on the opposite\r\nside.\r\nssf and ssfd come with pre-enabled microservices. 
Here is the default microservices configuration:\r\n{\r\n \"ssf\": {\r\n \"services\": {\r\n \"datagram_forwarder\": { \"enable\": true },\r\n \"datagram_listener\": { \"enable\": true },\r\n \"stream_forwarder\": { \"enable\": true },\r\n \"stream_listener\": { \"enable\": true },\r\n \"socks\": { \"enable\": true },\r\n \"copy\": { \"enable\": false },\r\n \"shell\": { \"enable\": false }\r\n }\r\n }\r\n}\r\nTo enable or disable a microservice, set the enable key to true or false .\r\nTrying to use a feature requiring a disabled microservice will result in an error message.\r\nHow to generate certificates for TLS connections\r\nManually\r\nGenerating Diffie-Hellman parameters\r\nopenssl dhparam 4096 -outform PEM -out dh4096.pem\r\nGenerating a self-signed Certification Authority (CA)\r\nFirst of all, create a file named extfile.txt containing the following lines:\r\n[ v3_req_p ]\r\nbasicConstraints = CA:FALSE\r\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\r\nThen, generate a self-signed certificate (the CA) ca.crt and its private key ca.key:\r\nopenssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650\r\nGenerating a private key and a certificate (signed with the CA)\r\nGenerate a private key private.key and a certificate signing request certificate.csr:\r\nopenssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr\r\nGenerate the certificate (certificate.pem) by signing the CSR with the CA (ca.crt, ca.key):\r\nopenssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha1 -days 3650 -CA ca.crt -CAkey ca.key\r\nSource: https://github.com/securesocketfunneling/ssf",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/securesocketfunneling/ssf"
	],
	"report_names": [
		"ssf"
	],
	"threat_actors": [],
	"ts_created_at": 1775434673,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b9f0a9af015707af1a56f76267d1cf2cc8710ec.pdf",
		"text": "https://archive.orkl.eu/4b9f0a9af015707af1a56f76267d1cf2cc8710ec.txt",
		"img": "https://archive.orkl.eu/4b9f0a9af015707af1a56f76267d1cf2cc8710ec.jpg"
	}
}