Feature Request: Optional Lightweight TCP Redirector for Multi/Handler

[ekinsipahi]

Summary

Proposal to add an optional lightweight TCP redirector that allows local traffic multiplexing to a Metasploit handler.

Motivation

In enterprise-scale lab environments or multi-client testing scenarios, a single Metasploit handler can become overloaded if exposed directly to many simultaneous connections.
A local TCP proxy can accept multiple connections and forward them to the handler on a loopback interface, reducing stress on the listener and simplifying session management.

Example Implementation

A small Python TCP proxy can listen on a user-specified port, accept multiple local connections, and forward them to the Metasploit multi/handler:

python
import asyncio

MSF_HOST = "127.0.0.1"  # Metasploit listener
MSF_PORT = 5555
LISTEN_HOST = "0.0.0.0"
LISTEN_PORT = 4444

async def handle_client(reader, writer):
    try:
        msf_reader, msf_writer = await asyncio.open_connection(MSF_HOST, MSF_PORT)
    except Exception as e:
        print(f"[!] Failed to connect to MSF: {e}")
        writer.close()
        return

    async def pipe(src, dst):
        try:
            while True:
                data = await src.read(4096)
                if not data:
                    break
                dst.write(data)
                await dst.drain()
        except:
            pass
        finally:
            dst.close()

    asyncio.create_task(pipe(reader, msf_writer))
    asyncio.create_task(pipe(msf_reader, writer))

async def main():
    server = await asyncio.start_server(handle_client, LISTEN_HOST, LISTEN_PORT)
    print(f"[+] Proxy listening on {LISTEN_HOST}:{LISTEN_PORT} → MSF {MSF_HOST}:{MSF_PORT}")
    async with server:
        await server.serve_forever()

asyncio.run(main())

[smcintyre-r7]

I'm not sure I understand. If the intention is to improve performance, this Python script would result in the same number of connections to Metasploit if I'm not mistaken. Do you have any benchmarking data to show how this improves performance? For example, how many connections did you establish directly to Metasploit and what metric did you use to measure performance, ie CPU/Memory etc. With this proxy in place, how did that improve?

If the intention is to simply allow for redirection, could you use an existing off-the-shelf solution like ncat or ngrok?

[ekinsipahi]

You're correct that raw benchmark differences were small, since the proxy ultimately forwards the same number of connections upstream. However, after examining the handler’s implementation in Metasploit, the issue isn’t raw CPU load — it’s architectural.

The current handler pipeline (as implemented in Msf::Handler and the related session registration logic):

processes each inbound socket synchronously,

has no real async IO,

uses Ruby’s blocking socket model,

lacks any connection queueing or backpressure,

and performs full session bootstrap/DB/event operations on each connection inline.

This means that when multiple payloads connect simultaneously (e.g., burst scenarios, lab-scale RCE testing, mass reconnection events), multi/handler can become unstable or choke—not due to CPU limits, but because the entire session creation pipeline is sequential and non‑multiplexed.

The goal of a lightweight local redirector is not to reduce CPU usage, but to handle:

connection smoothing

queueing

backpressure

burst‑protection

optional aggregation

— capabilities that tools like ncat or ngrok do not provide and that Metasploit currently lacks inside the handler itself.

So even if raw performance metrics don’t show a large gain, the need for a more scalable multiplexing‑aware handler architecture remains valid for high‑volume or enterprise-scale testing environments.