README-en.md

# Neo-reGeorg

简体中文 | English

Neo-reGeorg is a project that actively restructures reGeorg with the aims of:

- improving the security of the tunnel connection
- improving usability and avoiding signature-based detection
- improving the confidentiality of the transmitted content
- solving the known problems of reGeorg and fixing some small bugs

## Version

2.4.0 - Change Log

## Features

- Transfers content using out-of-order base64 encryption
- The response to GET requests can be customized (for example, a fake 404 page)
- HTTP header instruction names are randomly generated to avoid signature-based detection
- HTTP headers can be customized
- Custom HTTP response code
- Requests randomly distributed across multiple URLs
- DNS resolution on the server node
- Compatible with python2 / python3
- High compatibility with server environments
- Following pivotnacci, a single SESSION creates multiple TCP connections, to handle some load-balancing scenarios
- Supports HTTP forwarding to cope with load-balanced environments

## Dependencies

## Basic Usage

- Step 1. Set a password and generate the tunnel server scripts (aspx|ashx|jsp|jspx|php), then upload one of them to the web server.

```
$ python neoreg.py generate -k password

    [+] Create neoreg server files:
       => neoreg_servers/tunnel.jspx
       => neoreg_servers/tunnel_compatibility.jspx
       => neoreg_servers/tunnel.php
       => neoreg_servers/tunnel.ashx
       => neoreg_servers/tunnel.aspx
       => neoreg_servers/tunnel.jsp
       => neoreg_servers/tunnel_compatibility.jsp
```

- Step 2. Use neoreg.py to connect to the web server and create a SOCKS5 proxy locally.

```
$ python3 neoreg.py -k password -u http://xx/tunnel.php
+------------------------------------------------------------------------+
  Log Level set to [DEBUG]
  Starting socks server [127.0.0.1:1080]
  Tunnel at:
    http://xx/tunnel.php
+------------------------------------------------------------------------+
```

Note: if your tool (nmap, for example) does not support a SOCKS5 proxy, use proxychains.
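The generate step above produces server-side scripts with the extensions aspx, ashx, jsp, jspx and php that must sit in a served directory on the web server. From the defender's side, a new or changed script file appearing under the web root is the host-level signal to watch for. The Python below is an added example, not part of Neo-reGeorg, of a minimal baseline-and-diff check over a web root; the temporary directory, file names and file contents it creates are constructed for the demonstration, and the extension list is taken from the README.

```python
import hashlib
import os
import tempfile

# Extensions of the server-side scripts the generate step produces
# (aspx|ashx|jsp|jspx|php); extend to whatever your server executes.
SCRIPT_EXTS = {".php", ".jsp", ".jspx", ".aspx", ".ashx"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every script path under root (relative, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = sha256_file(full)
    return result


def diff_snapshots(baseline, current):
    """Return (added, modified, removed) script paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def demo():
    """Constructed scenario: baseline a small web root, then add one script and
    edit another, the way an upload would change it. Returns the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "img"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "img", "logo.png"), "wb") as f:
            f.write(b"\x89PNG")  # not a script extension, so snapshot() ignores it
        baseline = snapshot(root)

        # Changes after the baseline: a new script and an appended line in an old one.
        with open(os.path.join(root, "img", "upload.jspx"), "w") as f:
            f.write("<!-- constructed placeholder file, not a real tunnel script -->\n")
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// appended line\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

In practice the baseline snapshot is taken from a known-good deployment and stored off the host, and the comparison is run on a schedule or from the deploy pipeline; any script path in `added` or `modified` that did not come through the deployment process deserves a look.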

## Advanced Usage

1. The generated server can answer ordinary requests with a specified page (for example, a disguised 404 page):

```
$ python neoreg.py generate -k <your_password> --file 404.html
$ python neoreg.py -k <your_password> -u <server_url> --skip
```

2. When the web server can only be reached through a proxy:

```
$ python neoreg.py -k <your_password> -u <server_url> --proxy socks5://10.1.1.1:8080
```

3. Setting an Authorization header, or other custom headers and cookies:

```
$ python neoreg.py -k <your_password> -u <server_url> -H 'Authorization: cm9vdDppcyB0d2VsdmU=' --cookie "key=value;key2=value2"
```

4. Spreading requests over several paths, when the server script has been uploaded to multiple locations (such as a memory webshell):

```
$ python neoreg.py -k <your_password> -u <url_1> -u <url_2> -u <url_3> ...
```

5. Turning on HTTP forwarding to cope with load balancing:

```
$ python neoreg.py -k <your_password> -u <url> -r <redirect_url>
```
- For performance and stability parameters, see the -h help output:

```
# Generate server-side scripts
$ python neoreg.py generate -h
    usage: neoreg.py [-h] -k KEY [-o DIR] [-f FILE] [-c CODE] [--read-buff Bytes]

    Generate neoreg webshell

    optional arguments:
      -h, --help            show this help message and exit
      -k KEY, --key KEY     Specify connection key.
      -o DIR, --outdir DIR  Output directory.
      -f FILE, --file FILE  Camouflage html page file
      -c CODE, --httpcode CODE
                            Specify HTTP response code. When using -r, it is
                            recommended to <400. (default: 200)
      --read-buff Bytes     Remote read buffer. (default: 513)

# Connection server
$ python neoreg.py -h
    usage: neoreg.py [-h] -u URI [-r URL] -k KEY [-l IP] [-p PORT] [-s] [-H LINE]
                     [-c LINE] [-x LINE] [--local-dns] [--read-buff Bytes]
                     [--read-interval MS] [--max-threads N] [-v]

    Socks server for Neoreg HTTP(s) tunneller. DEBUG MODE: -k
    (debug_all|debug_base64|debug_headers_key|debug_headers_values)

    optional arguments:
      -h, --help            show this help message and exit
      -u URI, --url URI     The url containing the tunnel script
      -r URL, --redirect-url URL
                            Intranet forwarding the designated server (only
                            jsp(x))
      -k KEY, --key KEY     Specify connection key
      -l IP, --listen-on IP
                            The default listening address.(default: 127.0.0.1)
      -p PORT, --listen-port PORT
                            The default listening port.(default: 1080)
      -s, --skip            Skip usability testing
      -H LINE, --header LINE
                            Pass custom header LINE to server
      -c LINE, --cookie LINE
                            Custom init cookies
      -x LINE, --proxy LINE
                            Proto://host[:port] Use proxy on given port
      --local-dns           Use local resolution DNS
      --read-buff Bytes     Local read buffer, max data to be sent per
                            POST.(default: 2048 max: 2600)
      --read-interval MS    Read data interval in milliseconds.(default: 100)
      --max-threads N       Proxy max threads.(default: 1000)
      -v                    Increase verbosity level (use -vv or more for greater
                            effect)
```
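On the network side, the help output above describes the client's polling loop: every `--read-interval` milliseconds (default 100) it POSTs up to `--read-buff` bytes to the tunnel URL, with several `-u` values the same cadence is spread across multiple paths, and the response code (`-c` / `--httpcode`) and the page returned to plain requests are both customisable. A web-log detector should therefore key on POST cadence per client rather than on a path or a status code. The Python below is an added example, not part of the Neo-reGeorg project, that runs a sliding-window POST-rate check over combined-format access log lines; the log lines, IP addresses and paths are constructed for the demonstration, and the threshold of 50 POSTs within 60 seconds is an assumed starting point to be tuned against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_tunnel_candidates(lines, window_seconds=60, min_posts=50):
    """Flag clients whose POST cadence looks like a tunnel polling loop.

    Path and status code are deliberately not used as signals: the server
    script can answer with any response code and any camouflage page, and the
    client can spread its requests over several URLs. The thresholds are
    assumed starting values, not tuned defaults.
    """
    window = timedelta(seconds=window_seconds)
    per_pair = defaultdict(list)    # (client ip, path) -> POST timestamps
    per_client = defaultdict(list)  # client ip -> POST timestamps over all paths
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        per_pair[(rec["ip"], rec["path"])].append(rec["ts"])
        per_client[rec["ip"]].append(rec["ts"])

    findings = []
    for (ip, path), stamps in per_pair.items():
        n = max_in_window(stamps, window)
        if n >= min_posts:
            findings.append({"client": ip, "path": path, "posts_in_window": n})
    flagged = {f["client"] for f in findings}
    # Second pass per client: a cadence split across several paths stays under
    # the per-path threshold but still shows in the client's total.
    for ip, stamps in per_client.items():
        n = max_in_window(stamps, window)
        if n >= min_posts and ip not in flagged:
            findings.append({"client": ip, "path": None, "posts_in_window": n})
    return findings


def build_sample_log():
    """Constructed sample traffic (not real data): ordinary browsing from one
    client, one client POSTing to a single script ten times per second, and
    one client spreading the same cadence over three paths."""
    t0 = datetime(2023, 10, 10, 13, 55, 30, tzinfo=timezone.utc)

    def stamp(secs):
        return (t0 + timedelta(seconds=secs)).strftime(TS_FMT)

    lines = [
        f'203.0.113.7 - - [{stamp(i)}] "GET /page{i}.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'
        for i in range(10)
    ]
    # Log timestamps have one-second resolution, so ten POSTs per logged second
    # stand in for a 100 ms polling interval.
    for i in range(60):
        lines.append(f'192.0.2.5 - - [{stamp(i // 10)}] "POST /api/x.jsp HTTP/1.1" 200 17 "-" "Mozilla/5.0"')
    paths = ["/img/a.php", "/img/b.php", "/img/c.php"]
    for i in range(120):
        lines.append(f'198.51.100.9 - - [{stamp(i // 10)}] "POST {paths[i % 3]} HTTP/1.1" 404 17 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for finding in find_tunnel_candidates(build_sample_log()):
        print(finding)
```

In the constructed sample the single-path client is caught by the per-path pass, while the three-path client sends only 40 POSTs per path and is caught only by the per-client pass; that second pass is what keeps the multi-URL option from defeating a naive per-URL counter. Note that the sample's 404 responses are flagged just the same as the 200s, since status is never consulted.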

## TODO

- HTTP body steganography
- Transfer Target field steganography

## License

GPL 3.0