Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: master
README.markdown

1. Name

ReDuh

2. Authors

Glenn
Ian de Villiers < ian(at)sensepost(dot)com >
Gert Burger < gert(at)sensepost(dot)com >

3. License, version & release date

License : GPL
Version : v.0.3
Release Date : 2008/07/29

4. Description

ReDuh was released as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks. ReDuh is a tool that can be used to create a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially.

5. Usage

5.1 Basic Overview

  1. Glenn has the ability to upload / create a JSP page on the remote server
  2. Glenn wishes to make an RDP connection to the server term-serv.victim.com (visible to the web-server behind the firewall)
  3. The firewall permits HTTP traffic to the webserver but denies everything else
  4. Glenn uploads reDuh.jsp to http://ubuntoo.victim.com/uploads/reDuh.jsp
  5. Glenn runs reDuhClient on his machine and points it to the page: $ java -jar reDuhClient.jar http://ubuntoo.victim.com/uploads/reDuh.jsp (http or https)
  6. Glenn administers reDuhClient by connecting to its management port (1010 by default)
  7. Once connected, Glenn types: [createTunnel]1234:term-serv.victim.com:3389
  8. Now Glenn launches his RDP client and aims it at localhost:1234

The system can handle multiple connections, so while RDP is running, we can use the management connection (on port 1010) again, and request [createTunnel]5555:sshd.victim.com:22
Glenn can now ssh to localhost on port 5555 to access the sshd on sshd.victim.com (while still running his RDP session)

5.2 Un-needed technical details

  1. Behind the scenes, reDuhClient starts listening on 1234 and sends an HTTP message to /uploads/reDuh.jsp which opens a socket to term-serv.victim.com:3389
  2. Any traffic sent to the local socket on 1234 is encoded, and wrapped in HTTP requests and is sent to the /uploads/reDuh.jsp
  3. Any traffic from term-serv.victim.com:3389 to the jsp is placed in a queue and sent back to reDuhClient when it requests it

6. Requirements

ability to upload / create a JSP page on the remote server

6.1 Disclaimer

The JSP version of reDuh is the most deployed/used/tested version. ASPX & PHP ports were done for completeness (but not extensively tested). Please let us know if you have any bug reports on any of these tools

7. Additional Resources

Blackhat USA 2008 slides: http://www.sensepost.com/cms/resources/labs/conferences/eye_of_the_needle/SensePost_Eye_of_a_Needle.pdf

Something went wrong with that request. Please try again.