Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Latest commit 500f33f SensePost Pty Ltd First commit
Failed to load latest commit information.
reDuhClient First commit
reDuhServers First commit
README.markdown First commit


1. Name


2. Authors

Ian de Villiers < ian(at)sensepost(dot)com >
Gert Burger < gert(at)sensepost(dot)com >

3. License, version & release date

License : GPL
Version : v.0.3
Release Date : 2008/07/29

4. Description

ReDuh was released as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks. ReDuh is a tool that can be used to create a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially.

5. Usage

5.1 Basic Overview

  1. Glenn has the ability to upload / create a JSP page on the remote server
  2. Glenn wishes to make an RDP connection to the server (visible to the web-server behind the firewall)
  3. The firewall permits HTTP traffic to the webserver but denies everything else
  4. Glenn uploads reDuh.jsp to
  5. Glenn runs reDuhClient on his machine and points it to the page: $ java -jar reDuhClient.jar (http or https)
  6. Glenn administers reDuhClient by connecting to its management port (1010 by default)
  7. Once connected, Glenn types: [createTunnel]
  8. Now Glenn launches his RDP client and aims it at localhost:1234

The system can handle multiple connections, so while RDP is running, we can use the management connection (on port 1010) again, and request [createTunnel]
Glenn can now ssh to localhost on port 5555 to access the sshd on (while still running his RDP session)

5.2 Un-needed technical details

  1. Behind the scenes, reDuhClient starts listening on 1234 and sends an HTTP message to /uploads/reDuh.jsp which opens a socket to
  2. Any traffic sent to the local socket on 1234 is encoded, and wrapped in HTTP requests and is sent to the /uploads/reDuh.jsp
  3. Any traffic from to the jsp is placed in a queue and sent back to reDuhClient when it requests it

6. Requirements

ability to upload / create a JSP page on the remote server

6.1 Disclaimer

The JSP version of reDuh is the most deployed/used/tested version. ASPX & PHP ports were done for completeness (but not extensively tested). Please let us know if you have any bug reports on any of these tools

7. Additional Resources

Blackhat USA 2008 slides:

Something went wrong with that request. Please try again.