#1. Name
ReDuh
#2. Authors
Glenn
Ian de Villiers < ian(at)sensepost(dot)com >
Gert Burger < gert(at)sensepost(dot)com >
#3. License, version & release date
License : GPL
Version : v.0.3
Release Date : 2008/07/29
#4. Description
ReDuh was released as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks.
ReDuh is a tool that can be used to create a TCP circuit through validly formed HTTP requests.
Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially.
#5. Usage
##5.1 Basic Overview
- Glenn has the ability to upload / create a JSP page on the remote server
- Glenn wishes to make an RDP connection to the server term-serv.victim.com (visible to the web-server behind the firewall)
- The firewall permits HTTP traffic to the webserver but denies everything else
- Glenn uploads reDuh.jsp to http://ubuntoo.victim.com/uploads/reDuh.jsp
- Glenn runs reDuhClient on his machine and points it to the page: $ java -jar reDuhClient.jar http://ubuntoo.victim.com/uploads/reDuh.jsp (http or https)
- Glenn administers reDuhClient by connecting to its management port (1010 by default)
- Once connected, Glenn types: [createTunnel]1234:term-serv.victim.com:3389
- Now Glenn launches his RDP client and aims it at localhost:1234
The system can handle multiple connections, so while RDP is running, we can use the management connection (on port 1010) again, and request [createTunnel]5555:sshd.victim.com:22
Glenn can now ssh to localhost on port 5555 to access the sshd on sshd.victim.com (while still running his RDP session)
##5.2 Un-needed technical details
- Behind the scenes, reDuhClient starts listening on 1234 and sends an HTTP message to /uploads/reDuh.jsp which opens a socket to term-serv.victim.com:3389
- Any traffic sent to the local socket on 1234 is encoded, and wrapped in HTTP requests and is sent to the /uploads/reDuh.jsp
- Any traffic from term-serv.victim.com:3389 to the jsp is placed in a queue and sent back to reDuhClient when it requests it
#6. Requirements ability to upload / create a JSP page on the remote server ##6.1 Disclaimer The JSP version of reDuh is the most deployed/used/tested version. ASPX & PHP ports were done for completeness (but not extensively tested). Please let us know if you have any bug reports on any of these tools #7. Additional Resources Blackhat USA 2008 slides: http://www.sensepost.com/cms/resources/labs/conferences/eye_of_the_needle/SensePost_Eye_of_a_Needle.pdf