In 2008, we introduced reDuh as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks.
reDuh allowed the user to create a TCP circuit through validly formed HTTP requests. Essentially, this means that if you could upload a JSP/PHP/ASP page to a server, you could trivially connect to hosts behind that server.
The technique has since become harder to use as egress filtering has advanced. As a result, we've updated the concept and released reGeorg, which pays respect to reDuh but takes the idea of TCP tunnelling over HTTP and bolts a SOCKS4/5 proxy on top of it. This gives you a fully functional SOCKS proxy into the target network.
Added features include:
- Ability to launch NMAP in order to scan, and run scripts, against network ranges behind the host
- Use pwnage frameworks, such as Metasploit, directly at hosts found during the recon phase
- Browse internal-only websites and resources
- Use protocols such as RDP/SMB/SSH
reGeorg is a tunnelling tool, so you will need a web application that supports file uploads (and that also executes whatever is uploaded) in order to upload the reGeorg client/webshell. reGeorg supports ASP.NET, JSP, PHP and ASP, and supports .NET versions 1.1 up to 4. You'll also require urllib3.
reGeorg can be downloaded from its GitHub page.