Skip to content
Create a TCP circuit through validly formed HTTP requests
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
reDuhClient First commit Feb 10, 2012
reDuhServers First commit Feb 10, 2012
README.markdown First commit Feb 10, 2012


#1. Name ReDuh #2. Authors Glenn
Ian de Villiers < ian(at)sensepost(dot)com >
Gert Burger < gert(at)sensepost(dot)com >
#3. License, version & release date License : GPL
Version : v.0.3
Release Date : 2008/07/29 #4. Description ReDuh was released as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks. ReDuh is a tool that can be used to create a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially. #5. Usage ##5.1 Basic Overview

  1. Glenn has the ability to upload / create a JSP page on the remote server
  2. Glenn wishes to make an RDP connection to the server (visible to the web-server behind the firewall)
  3. The firewall permits HTTP traffic to the webserver but denies everything else
  4. Glenn uploads reDuh.jsp to
  5. Glenn runs reDuhClient on his machine and points it to the page: $ java -jar reDuhClient.jar (http or https)
  6. Glenn administers reDuhClient by connecting to its management port (1010 by default)
  7. Once connected, Glenn types: [createTunnel]
  8. Now Glenn launches his RDP client and aims it at localhost:1234

The system can handle multiple connections, so while RDP is running, we can use the management connection (on port 1010) again, and request [createTunnel]
Glenn can now ssh to localhost on port 5555 to access the sshd on (while still running his RDP session)
##5.2 Un-needed technical details

  1. Behind the scenes, reDuhClient starts listening on 1234 and sends an HTTP message to /uploads/reDuh.jsp which opens a socket to
  2. Any traffic sent to the local socket on 1234 is encoded, and wrapped in HTTP requests and is sent to the /uploads/reDuh.jsp
  3. Any traffic from to the jsp is placed in a queue and sent back to reDuhClient when it requests it

#6. Requirements ability to upload / create a JSP page on the remote server ##6.1 Disclaimer The JSP version of reDuh is the most deployed/used/tested version. ASPX & PHP ports were done for completeness (but not extensively tested). Please let us know if you have any bug reports on any of these tools #7. Additional Resources Blackhat USA 2008 slides:

You can’t perform that action at this time.