SensePost is SecureData’s independent elite consulting arm, renowned for its expertise, 17 year track record and innovation on the frontlines of cybersecurity.

With team members that include some of the world’s most preeminent cybersecurity experts, SensePost has helped governments and blue-chip companies both review and protect their information security and stay ahead of evolving threats.

SensePost is also a prolific publisher of leading research articles and tools on cybersecurity which are widely recognised and used throughout the industry and feature regularly at industry conferences including BlackHat and DefCon.

reGeorg

  • Authors: Willem Mouton, Sam Hunter & Etienne Stalmans
  • Cost: Free
  • Source Code:
  • Version: 1.0
  • License: GPL
  • Release date: 2014-11-14

In 2008, we introduced reDuh as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks.

reDuh allowed the user to create a TCP circuit through validly formed HTTP requests. Essentially this means that if you could upload a JSP/PHP/ASP page to a server, you could connect to hosts behind that server trivially.

The technique has since been made harder by advances in egress filtering. As a result, we've updated the concept and released reGeorg, which pays respect to reDuh but takes the idea of TCP tunnelling over HTTP and bolts a SOCKS4/5 proxy on top of it. This gives you a fully-functional SOCKS proxy into the target network.

Added features include:

  • Ability to launch NMAP in order to scan, and run scripts, against network ranges behind the host
  • Use pwnage frameworks, such as Metasploit, directly at hosts found during the recon phase
  • Browse internal-only websites and resources
  • Use protocols such as RDP/SMB/SSH

Using reGeorg

reGeorg is a tunnelling tool, so you will need a web application that supports file uploads (and that also executes whatever is uploaded) in order to upload the reGeorg client/webshell. reGeorg supports ASP.NET, JSP, PHP and ASP, and on the .NET side supports versions 1.1 up to 4. You'll also require urllib3.

Once the webshell has been uploaded, you need to point reGeorg at it and also configure proxychains.

We have instructed reGeorg to listen on port 5555, and edited /etc/proxychains.conf to tell proxychains to use that port. Next we execute reGeorg.

Finally, we connect to an RDP session on an internal host that is not reachable from the Internet.
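The tunnel described above turns one uploaded script into an endpoint that a single client hammers with a sustained stream of POST requests, which is what the TCP circuit over "validly formed HTTP requests" looks like from the web server's side. As an added example written from the defender's side, and not part of SensePost's page or the reGeorg tool, the following Python script reads web server access logs in the common "combined" format and flags client/path pairs that receive an unusually dense burst of POSTs. The log lines, the script path `/uploads/tunnel.jsp`, the client addresses and the thresholds are all constructed for the example; the log format and the thresholds are assumptions you would tune for your own servers.

```python
"""
Added example (not part of SensePost's page or the reGeorg tool): flag the
traffic shape that TCP-over-HTTP tunnelling through an uploaded script
leaves in web server access logs.  A tunnel makes one script a high-volume
endpoint hit by a single client with a steady stream of POST requests.
Log lines, paths, addresses and thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.  Matching this layout is an
# assumption about how the server is configured to log.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: ordinary browsing from 10.0.0.5 (including one normal
# form POST) and a burst of POSTs from 10.0.0.7 to a single uploaded script.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2014:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123
10.0.0.5 - - [14/Nov/2014:10:00:02 +0000] "GET /css/site.css HTTP/1.1" 200 812
10.0.0.5 - - [14/Nov/2014:10:00:09 +0000] "POST /login.php HTTP/1.1" 302 0
10.0.0.7 - - [14/Nov/2014:10:00:03 +0000] "GET /uploads/tunnel.jsp HTTP/1.1" 200 12
10.0.0.7 - - [14/Nov/2014:10:00:04 +0000] "POST /uploads/tunnel.jsp HTTP/1.1" 200 0
10.0.0.7 - - [14/Nov/2014:10:00:04 +0000] "POST /uploads/tunnel.jsp HTTP/1.1" 200 1460
10.0.0.7 - - [14/Nov/2014:10:00:05 +0000] "POST /uploads/tunnel.jsp HTTP/1.1" 200 0
10.0.0.7 - - [14/Nov/2014:10:00:05 +0000] "POST /uploads/tunnel.jsp HTTP/1.1" 200 2920
10.0.0.7 - - [14/Nov/2014:10:00:06 +0000] "POST /uploads/tunnel.jsp HTTP/1.1" 200 0
10.0.0.7 - - [14/Nov/2014:10:00:06 +0000] "POST /uploads/tunnel.jsp HTTP/1.1" 200 1460
10.0.0.7 - - [14/Nov/2014:10:00:07 +0000] "POST /uploads/tunnel.jsp HTTP/1.1" 200 0
10.0.0.7 - - [14/Nov/2014:10:00:08 +0000] "POST /uploads/tunnel.jsp HTTP/1.1" 200 1460
"""


def parse_log(lines):
    """Yield one dict per parseable log line; lines that do not match the
    expected format are skipped rather than aborting the scan."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        yield rec


def find_tunnel_candidates(lines, min_posts=6, window_seconds=60):
    """Return {(client_ip, path): peak_count} for every client/script pair
    that sends at least min_posts POST requests inside any span of
    window_seconds.  Sizes are deliberately ignored: a tunnel alternates
    near-empty polls with data-carrying requests, so byte counts alone are
    not a stable signal."""
    posts = defaultdict(list)
    for rec in parse_log(lines):
        if rec["method"] == "POST":
            posts[(rec["ip"], rec["path"])].append(rec["ts"])

    hits = {}
    for key, stamps in posts.items():
        stamps.sort()
        left, peak = 0, 0
        # Sliding window over the sorted timestamps: advance `left` until the
        # window fits, then record the densest span seen.
        for right, t in enumerate(stamps):
            while (t - stamps[left]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= min_posts:
            hits[key] = peak
    return hits


if __name__ == "__main__":
    for (ip, path), count in find_tunnel_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"possible HTTP tunnel: {ip} -> {path} ({count} POSTs in window)")
```

A real deployment would feed the function a tailed log or a SIEM export and pair the alert with a review of recent uploads to the flagged path, since the page itself points out that the precondition is an upload feature that executes what it receives. Thresholds need tuning per application: an API endpoint legitimately receiving many POSTs from one client will trip a naive version of this check.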

Obtaining reGeorg

reGeorg can be downloaded from its GitHub page.