reDuh: Re-inventing TCP like it's 1973!



Introduction?

reDuh was released as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks.

Here is a local copy of the slides.


What Does reDuh Do?

reDuh is a tool that creates a TCP circuit through validly formed HTTP requests.

Essentially this means that if we can upload a JSP/PHP/ASP page to a server, we can connect to hosts behind that server trivially.


License

reDuh is distributed under the GNU General Public License.


More info?

Check out the README.


More(r) info?

While the original documentation made heavy use of bad ASCII art, we had to have prettier pics for the .ppt, so here you go:

a) Glenn has the ability to upload / create a JSP page on the remote server

b) Glenn wishes to make an RDP connection to the server term-serv.victim.com (visible to the web-server behind the firewall)

c) The firewall permits HTTP traffic to the webserver but denies everything else

i) Glenn uploads reDuh.jsp to http://ubuntoo.victim.com/uploads/reDuh.jsp

ii) Glenn runs reDuhClient on his machine and points it to the page: $ java reDuhClient ubuntoo.victim.com 80 /uploads/reDuh.jsp

iii) Glenn administers reDuhClient by connecting to its management port (1010 by default)

iv) Once connected, Glenn types: [createTunnel]1234:term-serv.victim.com:3389

Un-needed Technical Details:
	a) Behind the scenes, reDuhClient starts listening on 1234 and sends an HTTP message to /uploads/reDuh.jsp, which opens a socket to term-serv.victim.com:3389.
	b) Any traffic sent to the local socket on 1234 is encoded, wrapped in HTTP requests and sent to /uploads/reDuh.jsp.
	c) Any traffic from term-serv.victim.com:3389 to the JSP is placed in a queue and sent back to reDuhClient when it requests it.

v) Now Glenn launches his RDP client and aims it at localhost:1234.

reDuhClient and reDuh.jsp will happily shunt TCP until they are killed.

The system can handle multiple connections, so while RDP is running, we can use the management connection (on port 1010) again, and request [createTunnel]5555:sshd.victim.com:22

Glenn can now ssh to localhost on port 5555 to access the sshd on sshd.victim.com (while still running his RDP session).
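From the defender's side, the behaviour described above has a recognisable shape in the web server's own access log: one client hammering one uploaded server-side script with a tight loop of small requests (data going up, polls for queued data coming back). The following is an added example written for this page, not code from SensePost or part of reDuh; it runs a simple rate heuristic over combined-format access log lines. The threshold, window, client addresses, timestamps and the sample log itself are constructed for illustration.

```python
"""Flag reDuh-style HTTP tunnelling in web-server access logs.

Heuristic (added example, not part of reDuh): a tunnel such as the one
described on this page turns one client/script pair into a burst of
requests to a single JSP/PHP/ASP page. Legitimate use of a dynamic page
rarely looks like that, so we flag any (client, path) pair that issues
more than THRESHOLD requests to one server-side script within WINDOW
seconds. Tune both values to your own traffic before relying on them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
SCRIPT_EXT = (".jsp", ".php", ".asp", ".aspx")
WINDOW = 10      # seconds (assumed value)
THRESHOLD = 20   # requests to one script from one client within WINDOW (assumed value)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        # Drop the query string so /x.jsp?a=1 and /x.jsp?a=2 count as one script.
        "path": m.group("path").split("?", 1)[0],
    }


def find_tunnel_candidates(lines, window=WINDOW, threshold=THRESHOLD):
    """Return sorted (ip, path) pairs whose request rate to a server-side
    script exceeds `threshold` within any `window`-second span.
    Lines are expected in chronological order, as a live log is."""
    recent = defaultdict(deque)  # (ip, path) -> timestamps inside the window
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(SCRIPT_EXT):
            continue
        key = (rec["ip"], rec["path"])
        q = recent[key]
        q.append(rec["ts"])
        # Slide the window: discard timestamps older than `window` seconds.
        while (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(key)
    return sorted(flagged)


def build_sample_log():
    """Constructed sample: 30 POSTs in 6 s from one client to one JSP
    (tunnel-like) plus a handful of ordinary page views from another client.
    Addresses are from documentation ranges; nothing here is real traffic."""
    lines = []
    for i in range(30):
        lines.append(
            '203.0.113.5 - - [10/Aug/2008:14:02:%02d +0000] '
            '"POST /uploads/reDuh.jsp HTTP/1.1" 200 %d' % (i // 5, 60 + i)
        )
    for i in range(5):
        lines.append(
            '198.51.100.7 - - [10/Aug/2008:14:02:%02d +0000] '
            '"GET /index.jsp?page=%d HTTP/1.1" 200 5120' % (i * 2, i)
        )
    # Interleave by timestamp so the detector sees the log in time order.
    return sorted(lines, key=lambda l: parse_line(l)["ts"])


if __name__ == "__main__":
    for ip, path in find_tunnel_candidates(build_sample_log()):
        print("possible HTTP tunnel: %s -> %s" % (ip, path))
```

Run against a real log, this only narrows the field: a busy AJAX endpoint will trip the same threshold, so the flagged pairs are a starting point for looking at who created the script and when, not a verdict on their own.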

*Disclaimer: The JSP version of reDuh is the most deployed, used and tested version. The ASPX and PHP ports were done for completeness (but not extensively tested). Please let us know if you have any bug reports on any of these tools.

Download reDuhClient (the local proxy) | Download reDuh Server Pages (JSP/PHP/ASP) | Register for tool updates

Squeeza was also updated for the talk and the new version can be found on the squeeza page.


