ABPTTS

TCP tunneling over HTTP/HTTPS for web application servers.

A Black Path Toward The Sun

(TCP tunneling over HTTP for web application servers)

https://www.blackhat.com/us-16/arsenal.html#a-black-path-toward-the-sun

ABPTTS uses a Python client script and a web application server page/package[1] to tunnel TCP traffic over an HTTP/HTTPS connection to a web application server. In other words, anywhere that one could deploy a web shell, one should now be able to establish a full TCP tunnel. This permits making RDP, interactive SSH, Meterpreter, and other connections through the web application server.

The communication is designed to be fully compliant with HTTP standards, meaning that in addition to tunneling in through a target web application server, it can be used to establish an outbound connection through packet-inspecting firewalls.

A number of novel features are used to make detection of its traffic challenging. In addition to its usefulness to authorized penetration testers, it is intended to provide IDS/WPS/WAF developers with a safe, live example of malicious traffic that evades simplistic regex-pattern-based signature models.

An extensive manual is provided in PDF form, and walks the user through a variety of deployment scenarios.

This tool is released under version 2 of the GPL.

[1] Currently JSP/WAR and ASP.NET server-side components are included.

Compare and contrast with:

• reGeorg (https://github.com/sensepost/reGeorg)

Named as an oblique reference to Cordyceps/Ophiocordyceps, e.g.: http://www.insectimages.org/browse/detail.cfm?imgnum=0014287

from https://github.com/nccgroup/ABPTTS

----

基于SSL加密的隧道工具，全程通信数据加密，一定程度上能对抗取证检测

需要pycrypto、httplib2依赖库，然后生成服务端webshell

1	python abpttsfactory.py -o webshell

生成了aspx、jsp、war三种类型的webshell（不支持PHP），然后上传至网站服务器即可。然后就可以绑定端口建立隧道了

1 2 3

python abpttsclient.py -c webshell/config.txt -u "http://192.168.1.161:8001/abptts.aspx" -f 127.0.0.1:1234/192.168.1.161:3389 -c 指定webshell配置文件