reDuh
- Authors: Haroon Meer, Marco Slaviero, Glenn Wilkinson (reDuhClient and JSP), Gert Burger (PHP), Ian de Villiers (ASPX)
- Cost: Free
- Source Code: GitHub
- Version: 0.3
- License: GPL
- Release Date: 2008/07/29
- Recent Changes : Fixed issues with PHP version and older versions of PHP
reDuh was released as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks.
reDuh is a tool that creates a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASPX page to a server, we can connect to hosts behind that server trivially.
Example scenario
While the original documentation made heavy use of bad ASCII art, we had to have prettier pics for the .ppt, so here you go:
- Glenn has the ability to upload/create a JSP page on the remote server.
- Glenn wishes to make an RDP connection to the server term-serv.victim.com (visible to the web server behind the firewall).
- The firewall permits HTTP traffic to the web server but denies everything else.
- Glenn uploads reDuh.jsp to http://ubuntoo.victim.com/uploads/reDuh.jsp.
- Glenn runs reDuhClient on his machine and points it to the page: $ java reDuhClient ubuntoo.victim.com 80 /uploads/reDuh.jsp
- Glenn administers reDuhClient by connecting to its management port (1010 by default).
- Once connected, Glenn types: [createTunnel]1234:term-serv.victim.com:3389
- Now Glenn launches his RDP client and aims it at localhost:1234. reDuhClient and reDuh.jsp will happily shunt TCP until they are killed.
The system can handle multiple connections, so while RDP is running, we can use the management connection (on port 1010) again and request [createTunnel]5555:sshd.victim.com:22. Glenn can now ssh to localhost on port 5555 to access the sshd on sshd.victim.com (while still running his RDP session).
- Behind the scenes, reDuhClient starts listening on 1234 and sends an HTTP message to /uploads/reDuh.jsp, which opens a socket to term-serv.victim.com:3389.
- Any traffic sent to the local socket on 1234 is encoded, wrapped in HTTP requests and sent to /uploads/reDuh.jsp.
- Any traffic from term-serv.victim.com:3389 to the JSP is placed in a queue and sent back to reDuhClient when it requests it.
Disclaimer: The JSP version of reDuh is the most deployed/used/tested version. ASPX and PHP ports were done for completeness (but not extensively tested). Please let us know if you have any bug reports on any of these tools.
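The "behind the scenes" description above gives a defender two things to look for in web-server logs: a server-side script file sitting in a directory meant for uploaded content, and one client repeatedly POSTing to that same page (the client must poll the page to collect queued return traffic). The following is an added example written for this page, not code from SensePost or from the reDuh project, that runs both heuristics over a few constructed Apache combined-format log lines. The upload-directory prefix, the script extensions, and the burst thresholds (five POSTs within ten seconds) are assumptions chosen for the example; tune them against your own baseline before using them as an alert.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache "combined" format); they are not
# taken from the page. 192.0.2.10 polls /uploads/reDuh.jsp six times in a few seconds.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jul/2008:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Jul/2008:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Jul/2008:10:01:00 +0000] "POST /uploads/reDuh.jsp HTTP/1.1" 200 312 "-" "Java/1.6.0"
192.0.2.10 - - [29/Jul/2008:10:01:01 +0000] "POST /uploads/reDuh.jsp HTTP/1.1" 200 298 "-" "Java/1.6.0"
192.0.2.10 - - [29/Jul/2008:10:01:02 +0000] "POST /uploads/reDuh.jsp HTTP/1.1" 200 1450 "-" "Java/1.6.0"
192.0.2.10 - - [29/Jul/2008:10:01:03 +0000] "POST /uploads/reDuh.jsp HTTP/1.1" 200 287 "-" "Java/1.6.0"
192.0.2.10 - - [29/Jul/2008:10:01:04 +0000] "POST /uploads/reDuh.jsp HTTP/1.1" 200 301 "-" "Java/1.6.0"
192.0.2.10 - - [29/Jul/2008:10:01:05 +0000] "POST /uploads/reDuh.jsp HTTP/1.1" 200 295 "-" "Java/1.6.0"
10.0.0.7 - - [29/Jul/2008:10:02:00 +0000] "POST /contact.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Minimal combined-format matcher: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],  # drop the query string
            "status": int(m.group("status")),
        })
    return entries


def script_in_upload_dir(entries, upload_prefixes=("/uploads/",),
                         script_exts=(".jsp", ".php", ".aspx")):
    """(ip, path) pairs hitting a server-side script under an upload directory.
    The prefixes and extensions are assumptions made for this example."""
    hits = set()
    for e in entries:
        if e["path"].startswith(upload_prefixes) and e["path"].lower().endswith(script_exts):
            hits.add((e["ip"], e["path"]))
    return hits


def polling_bursts(entries, window_seconds=10, min_requests=5):
    """(ip, path) pairs that receive at least min_requests POSTs from one client
    within any window_seconds span. Thresholds are example assumptions."""
    times = defaultdict(list)
    for e in entries:
        if e["method"] == "POST":
            times[(e["ip"], e["path"])].append(e["ts"])
    flagged = set()
    for key, ts in times.items():
        ts.sort()
        # Sliding window: check every run of min_requests consecutive timestamps.
        for i in range(len(ts) - min_requests + 1):
            if (ts[i + min_requests - 1] - ts[i]).total_seconds() <= window_seconds:
                flagged.add(key)
                break
    return flagged


def flag_tunnel_candidates(text):
    """Return sorted (ip, path, reasons) tuples for clients matching either heuristic."""
    entries = parse_log(text)
    reasons = defaultdict(list)
    for key in script_in_upload_dir(entries):
        reasons[key].append("script file under upload directory")
    for key in polling_bursts(entries):
        reasons[key].append("POST polling burst")
    return sorted((ip, path, tuple(r)) for (ip, path), r in reasons.items())


if __name__ == "__main__":
    for ip, path, why in flag_tunnel_candidates(SAMPLE_LOG):
        print(f"{ip} -> {path}: {', '.join(why)}")
```

Either heuristic alone produces noise (a legitimate form handler also receives bursts of POSTs, and some sites do serve scripts from an uploads path); the two together, from the same client to the same script, is the pattern worth a look. The sample run flags only 192.0.2.10 against /uploads/reDuh.jsp, for both reasons.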
This is the work of some foreign experts; I wrote up a quick usage guide in passing. If your English is good, read the original: http://www.sensepost.com/research/reDuh/
This tool forwards ports of servers on an internal network to the local machine through an HTTP/HTTPS tunnel, forming a connected loop. It is used to reach ports open inside a target server when that server sits on an internal network or behind a port-filtering policy.
Local machine-------client---------(HTTP tunnel)-----------server side------------------internal server
The server side is a webshell (three versions, aspx, php and jsp, for different servers); the client is written in Java, so it is best to have the JDK installed on the local machine.
Unpack the client files; here I put them in the TEST folder on drive E.
Upload the server-side webshell to the target server.
The target server is on an internal network and has Terminal Services enabled.
From the command line, use the client to connect to the server side:
E:\test>java reDuhClient <target-server-domain> http 80 /<webshell-path>/reDuh.aspx
Open a new command prompt and use nc to connect to local port 1010:
H:\>nc -vv localhost 1010
On a successful connection you will see a welcome banner; then enter the command:
>>[createTunnel]1234:127.0.0.1:3389
The leading 1234 is the local port you will connect to; the IP address in the middle is the target server's (it can be the server hosting the webshell or another server on the same internal network); the trailing 3389 is the port you want to reach on the target server.
On success, both command windows show a success message.
The tunnel is now established: connecting to local port 1234 is equivalent to connecting to port 3389 on the target server.
Data transfer process
Note that forwarding data through this tool is very slow; when connecting, lower the colour depth setting in mstsc as far as possible.
reDuh client download: reduhclient-0.3.zip http://www.sensepost.com/research/reDuh/reDuhClient-0.3.zip
reDuh server download: reduh-server-all.gz http://www.sensepost.com/research/reDuh/reDuh-server-all.tgz