Full Report
Hey guys. Our BlackHat/Defcon talk this year featured a few tools that we promised to release. The first tool, or set of tools, is reDuh, which can be found [here]. reDuh is made up of 2 parts, a local proxy and a server component (which is JSP, PHP or ASP). If you run the local proxy on your machine while pointing it at the server component, you are able to make TCP connections clean through the web server. This comes in surprisingly handy (and if nothing else is really cute!). You can read more about reDuh (with pretty pictures) by checking out the [reDuh page] or by checking out our [Vegas slides].
Analysis Summary
# Tool/Technique: reDuh
## Overview
reDuh is a set of tools for tunnelling arbitrary TCP connections through a web server. It consists of two parts: a local proxy run on the operator's machine and a server component deployed on the web server as a JSP, PHP or ASP page. The local proxy talks to the server page using ordinary HTTP/S requests; the page opens the requested TCP connections from the web server and relays data in both directions, so any host the web server can reach becomes reachable from the operator's machine, with nothing but web traffic crossing the perimeter.
## Technical Details
- Type: Tool
- Platform: The server component targets web servers running Java (JSP), PHP, or IIS (ASP). The local proxy component runs on the operator's (attacker's) machine.
- Capabilities: Tunneling TCP connections over HTTP/S via a web server backend deployed on the target infrastructure.
- First Seen: Released around BlackHat/DefCon 2008 (August 2008).
## MITRE ATT&CK Mapping
Based on its core functionality as an application layer tunnel and relay:
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols
- T1572 - Protocol Tunneling
- T1090 - Proxy
## Functionality
### Core Capabilities
- Establishing a bidirectional communication channel (a tunnel) using standard web protocols (HTTP/S).
- Utilizing a local proxy component to relay connections.
- Server-side components available in JSP, PHP, or ASP formats to be uploaded/deployed on a reachable web server.
### Advanced Features
- Makes "clean" TCP connections through the web server: the only traffic crossing the perimeter is HTTP/S to an already-exposed web server, so the tunnel passes firewalls and proxies that permit web traffic to that host, and the TCP sessions to internal hosts originate from the web server itself. Monitoring that inspects this traffic only as web traffic sees a client exchanging requests and responses with a single page.
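To make the mechanics concrete, here is an added example, written for this summary and not reDuh's own code or wire format, that models the two halves of such a tunnel in Python: a `TunnelServer` class standing in for the uploaded page, a `TunnelClient` standing in for the local proxy, and a constructed loopback service standing in for an internal host that only the web server can reach. The JSON command set (`connect`, `send`, `recv`, `close`), the `http_post` function and the session-id scheme are assumptions for illustration; the real reDuh page and proxy speak their own format.

```python
import base64
import json
import socket
import threading


class TunnelServer:
    """Stand-in for the server page (JSP/PHP/ASP): holds one TCP socket per
    session and executes the command carried in each HTTP request body.
    The command names and JSON framing are assumptions, not reDuh's format."""

    def __init__(self):
        self.sessions = {}   # session id -> socket opened from the web server
        self.next_id = 0

    def handle(self, req):
        cmd = req["cmd"]
        if cmd == "connect":
            # The web server, not the operator, opens the TCP connection.
            s = socket.create_connection((req["host"], req["port"]), timeout=2)
            s.settimeout(1.0)
            sid = str(self.next_id)
            self.next_id += 1
            self.sessions[sid] = s
            return {"ok": True, "sid": sid}
        if cmd == "send":
            self.sessions[req["sid"]].sendall(base64.b64decode(req["data"]))
            return {"ok": True}
        if cmd == "recv":
            try:
                data = self.sessions[req["sid"]].recv(4096)
            except socket.timeout:
                data = b""   # nothing pending yet; the client polls again
            return {"ok": True, "data": base64.b64encode(data).decode()}
        if cmd == "close":
            self.sessions.pop(req["sid"]).close()
            return {"ok": True}
        return {"ok": False}


class TunnelClient:
    """Stand-in for the local proxy: turns socket operations into requests to
    the server page. `post` models one HTTP POST and returns the response body."""

    def __init__(self, post):
        self.post = post

    def _call(self, **req):
        resp = json.loads(self.post(json.dumps(req)))
        if not resp.get("ok"):
            raise RuntimeError("tunnel request failed: %r" % req)
        return resp

    def connect(self, host, port):
        return self._call(cmd="connect", host=host, port=port)["sid"]

    def send(self, sid, data):
        self._call(cmd="send", sid=sid, data=base64.b64encode(data).decode())

    def recv(self, sid, polls=5):
        # Poll until the server page has data for this session.
        for _ in range(polls):
            data = base64.b64decode(self._call(cmd="recv", sid=sid)["data"])
            if data:
                return data
        return b""

    def close(self, sid):
        self._call(cmd="close", sid=sid)


def start_internal_service():
    """Constructed 'internal' host: a loopback TCP service that upper-cases
    whatever it receives. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                conn.sendall(chunk.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Drive one TCP session through the tunnel. Returns the internal
    service's reply and the list of commands that crossed the simulated HTTP hop."""
    port = start_internal_service()
    server = TunnelServer()
    wire = []

    def http_post(body):          # the only thing a perimeter device sees
        wire.append(json.loads(body)["cmd"])
        return json.dumps(server.handle(json.loads(body)))

    client = TunnelClient(http_post)
    sid = client.connect("127.0.0.1", port)
    client.send(sid, b"hello through the web server")
    reply = client.recv(sid)
    client.close(sid)
    return reply, wire
```

Running `demo()` returns the upper-cased reply together with the command sequence `connect, send, recv, ..., close`; every one of those steps is an HTTP request to the same page, which is the pattern the detection section below relies on.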
## Indicators of Compromise
The provided context does not contain specific IOCs (file hashes, network indicators, etc.) for the reDuh tool itself, only links to the materials.
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]. The server component is a single JSP, PHP or ASP file placed on the web server, so an unexpected script with one of those extensions in an upload or otherwise writable directory is the artefact to look for.
- Registry Keys: [Not applicable/provided]
- Network Indicators: Inbound HTTP/S from the operator's machine to the server page, and TCP connections from the web server to internal hosts and ports it does not normally contact.
- Behavioral Indicators: A single client issuing a high rate of small requests to one server-side script; the web server process (for example java, php-cgi/php-fpm or w3wp) opening outbound TCP sockets in response to HTTP requests.
## Associated Threat Actors
- reDuh is a published research tool from SensePost, presented by Haroon Meer and colleagues; its authors are researchers, not a threat group. No named threat actor is reported as using the tool in the context provided.
## Detection Methods
Detection should focus on the server page and its traffic pattern rather than on general web traffic analysis: a tunnel endpoint is one script receiving many small, regularly spaced requests from one client, with response sizes that track whatever the tunnelled TCP session is carrying.
- Signature-based detection: Signatures can be written for the request parameters and response strings emitted by the stock JSP/PHP/ASP server pages; they are defeated by trivially editing the page, so treat them as a first pass only.
- Behavioral detection: Alert on a single client IP polling one server-side script at a high, steady rate; on request/response volume to a script far out of proportion to the page's normal use; and on the web server process opening outbound TCP connections to internal hosts and ports it does not normally contact.
- YARA rules: Not provided.
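An added example of the behavioural check, not from the original page: Python that parses combined-format access log lines and flags any script that a single client polls in a tight loop. The log lines, the IP addresses, the path `/uploads/avatar.jsp` and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: client, timestamp, method, path, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCRIPT_EXT = (".jsp", ".php", ".asp", ".aspx")   # extensions the server page may use


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_tunnel_candidates(lines, min_requests=10, max_mean_interval=2.0):
    """Group requests by (client, script path) and flag scripts that one client
    hits in a tight, regular loop. Returns [(ip, path, count, mean_interval_s)],
    busiest first. Thresholds are illustrative; tune them to the site."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].lower().endswith(SCRIPT_EXT):
            groups[(rec["ip"], rec["path"])].append(rec["ts"])
    hits = []
    for (ip, path), stamps in groups.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        mean_interval = span / (len(stamps) - 1)
        if mean_interval <= max_mean_interval:
            hits.append((ip, path, len(stamps), round(mean_interval, 2)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def constructed_log():
    """Constructed sample: ordinary browsing from 10.0.0.5, then one client
    (203.0.113.7) polling an uploaded JSP page three times a second."""
    t0 = datetime.strptime("10/Aug/2008:14:03:00 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 {size} "-" "Mozilla/5.0"'

    def stamp(t):
        return t.strftime(TS_FMT)

    browsing = [("/index.jsp", 5120), ("/images/logo.png", 2048),
                ("/login.jsp", 3310), ("/account.jsp", 7800)]
    lines = [fmt.format(ip="10.0.0.5", ts=stamp(t0 + timedelta(seconds=30 * i)),
                        method="GET", path=p, size=s)
             for i, (p, s) in enumerate(browsing)]
    # 12 POSTs over 3 seconds (log timestamps have one-second resolution).
    lines += [fmt.format(ip="203.0.113.7",
                         ts=stamp(t0 + timedelta(minutes=5, seconds=i // 3)),
                         method="POST", path="/uploads/avatar.jsp",
                         size=40 + (i * 37) % 900)
              for i in range(12)]
    return lines
```

`find_tunnel_candidates(constructed_log())` returns only the polling client and script; the browsing session touches several scripts once each and is ignored. On a real server, correlate a hit with the web server process's outbound connections to confirm that the script is relaying TCP rather than merely being busy.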
## Mitigation Strategies
- **Prevention:** Restrict what the web server can execute (application allow-listing; no write access to directories from which scripts are served); validate and restrict uploads so that a JSP/PHP/ASP page cannot be placed on the server in the first place.
- **Hardening:** The tunnel depends on inbound HTTP/S to the web server plus outbound TCP from the web server to internal hosts, so egress filtering applied to the web server itself (allow only the backends it needs) and segmentation of the DMZ from internal networks limit what the tunnel can reach; log and alert on outbound connection attempts from the web server process.
## Related Tools/Techniques
- The article also mentions an update to **Squeeza** incorporating "SQL Server OLE goodness". Squeeza is SensePost's SQL injection tool, which pulls data out of SQL Server over alternative channels (DNS, timing, error messages); the update relates to its use of SQL Server OLE automation.
- Other HTTP tunnelling tools of the same design, a script on the web server plus a local proxy or SOCKS endpoint, such as SensePost's later reGeorg (described by its authors as the successor to reDuh) and Tunna.