SIMple connection MUltipleXer
Usage: simmux [OPTIONS]
Options:
-i, --ip <IP> IP address to bind to [default: 0.0.0.0]
-p, --port <PORT> Port number to bind to [default: 80]
-d, --duration <DURATION> Maximum duration in seconds to read initial data for display from connections [default: 0.5]
-b, --bytes <BYTES> Maximum number of bytes to read from initial data for display from connections [default: 128]
-h, --help Print help
simmux is a quick-and-dirty interactive TCP connection proxy with manual routing decisions.
When a connection comes in, simmux:
- Accepts the connection
- Reads and displays the first chunk of data (hex + ASCII dump)
- Pauses and asks you where the connection should be forwarded to
- Pipes traffic bidirectionally once a target is chosen
It is intentionally simple, terminal-driven, and optimized for offensive security workflows.
Primary use cases:
- CTF challenges
- Hack The Box / lab environments
- Protocol fingerprinting
- Quick routing decisions when more complex tooling is overkill
- Interactive routing per connection
- First-packet data dump before forwarding
- No config files
- Single binary
- Minimal dependencies
- Designed for speed, not polish
Situation: The target machine has a command injection vulnerability, but outbound connections are restricted to port 80 only. You run three services locally:
Port 80 → simmux (interactive proxy)
Port 4444 → Python HTTP server (serving socat)
Port 5555 → socat listener (reverse shell)
You inject a command that downloads socat and runs a reverse shell.
[i] Listening on 0.0.0.0:80
[+] New connection from 127.0.0.1:40552
00000000 47 45 54 20 2f 73 6f 63 61 74 20 48 54 54 50 2f |GET /socat HTTP/|
00000010 31 2e 31 0d 0a 48 6f 73 74 3a 20 31 32 37 2e 30 |1.1..Host: 127.0|
00000020 2e 30 2e 31 0d 0a 55 73 65 72 2d 41 67 65 6e 74 |.0.1..User-Agent|
00000030 3a 20 57 67 65 74 2f 31 2e 32 35 2e 30 0d 0a 41 |: Wget/1.25.0..A|
00000040 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63 63 65 |ccept: */*..Acce|
00000050 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 69 64 65 |pt-Encoding: ide|
00000060 6e 74 69 74 79 0d 0a 43 6f 6e 6e 65 63 74 69 6f |ntity..Connectio|
00000070 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 0d |n: Keep-Alive...|
[?] Enter target: (IP:Port, Port, or "N" to ignore): 4444
[+] New connection from 127.0.0.1:59628
00000000 1b 5b 3f 32 30 30 34 68 1b 5d 30 3b 61 6c 65 78 |.[?2004h.]0;alex|
00000010 40 61 6c 65 78 3a 20 7e 2f 44 65 73 6b 74 6f 70 |@alex: ~/Desktop|
00000020 2f 73 69 6d 6d 75 78 07 1b 5b 3b 33 32 6d e2 94 |/simmux..[;32m..|
00000030 8c e2 94 80 e2 94 80 28 1b 5b 31 3b 33 34 6d 61 |.......(.[1;34ma|
00000040 6c 65 78 e3 89 bf 61 6c 65 78 1b 5b 3b 33 32 6d |lex...alex.[;32m|
00000050 29 2d 5b 1b 5b 30 3b 31 6d 7e 2f 44 65 73 6b 74 |)-[.[0;1m~/Deskt|
00000060 6f 70 2f 73 69 6d 6d 75 78 1b 5b 3b 33 32 6d 5d |op/simmux.[;32m]|
00000070 0d 0d 0a 1b 5b 3b 33 32 6d e2 94 94 e2 94 80 1b |....[;32m.......|
[?] Enter target: (IP:Port, Port, or "N" to ignore): 5555
At this point, the shell is set up, and you can close simmux to free up port 80.
Prebuilt Linux binaries are available on the GitHub Releases page:
- Dynamic (glibc)
- Static (musl, fully portable)
- x86_64 and x86 (32-bit)
- Rust
- Cargo
Install Rust:
curl https://sh.rustup.rs -sSf | shgit clone https://github.com/Bobface/simmux.git
cd simmux
cargo build --releaseThe binary will be located at:
target/release/simmux
This tool is intended for educational, research, and authorized security testing only. Do not use it on systems or networks without explicit permission. Misuse may violate laws or terms of service.