ENNAENNA

pwnat

GPL-3.0

๐ŸŒ Network Recon ยท C

pwnat (pronounced 'poe-nat') enables connections between two hosts both behind separate NATs without requiring either side to configure port forwarding. It exploits a quirk in how NAT implementations handle ICMP time-exceeded messages to establish bidirectional communication channels. One side runs as a server and the other as a client; the tool handles NAT traversal automatically. This makes it useful for penetration testing scenarios where direct connectivity is blocked by network address translation, enabling reverse shells and tunnel establishment through otherwise impassable network boundaries.

3.9kstars
511forks
21issues
Updated 4mo ago
+I use this
View on GitHubOfficial Website

Installation

$ git clone https://github.com/samyk/pwnat.git && cd pwnat && make

Use Cases

  • Establishing connections through double-NAT scenarios
  • Penetration testing when direct connectivity is blocked
  • Creating tunnels without port forwarding configuration
  • Research into NAT traversal techniques

Tags

nat-traversalfirewall-bypasstunnelingicmpnetworking

Details

Category
๐ŸŒ Network Recon
Language
C
Repository
samyk/pwnat
License
GPL-3.0
Platforms
๐Ÿงlinux๐ŸŽmacos

Links

GitHub Repository

github.com/samyk/pwnat

Official Website

samy.pl/pwnat

Releases

github.com/samyk/pwnat/releases

Issues

github.com/samyk/pwnat/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Community Reviews

Alternatives & Comparisons

Ligolo-ng

Go

Advanced tunneling/pivoting tool. Creates a TUN interface for transparent proxying through compromised hosts.

Compare pwnat vs Ligolo-ng

Chisel

Go

Fast TCP/UDP tunnel over HTTP secured via SSH. Single binary, works behind firewalls and NAT.

Compare pwnat vs Chisel

Socat

C

Multipurpose relay tool. Bidirectional data transfer between two data channels - sockets, files, pipes, devices.

Compare pwnat vs Socat

ngrok

Go

Expose local servers to the internet via secure tunnels. Instant public URLs for localhost services.

Compare pwnat vs ngrok

More in Network Recon

Nmap

C/C++

The gold standard network scanner. Host discovery, port scanning, service/version detection, OS fingerprinting.

port-scanservice-detectionos-fingerprint

Masscan

C

Internet-scale port scanner. Transmits 10 million packets per second. Asynchronous, stateless scanning.

port-scanhigh-speedinternet-scale

RustScan

Rust

Blazing fast port scanner that pipes into Nmap. Scans all 65k ports in 3 seconds flat.

port-scanfastnmap-integration

Shodan CLI

Python

Command-line interface for Shodan, the search engine for internet-connected devices.

iotsearch-engineinternet-scan

Wireshark

C/C++

The world's foremost network protocol analyzer. Deep packet inspection for hundreds of protocols.

packet-captureprotocol-analysisgui

Responder

Python

LLMNR/NBT-NS/mDNS poisoner and rogue authentication server. Captures NTLMv1/v2 hashes on the network.

ntlmpoisoncredential-capture