# HTTP(S) Tunneling

## Theory

HTTP tunneling is a technique that encapsulates non-HTTP traffic within HTTP to traverse network restrictions or security measures. The data is transmitted in a way that appears as regular HTTP traffic, making it more likely to pass through firewalls and other filtering mechanisms that may be in place. It's a valuable pivoting technique to consider.

{% hint style="danger" %}
HTTP(S) Tunneling may also be used as an [exfiltration](/redteam/exfiltration.md) channel.
{% endhint %}

## Practice

{% tabs %}
{% tab title="Neo-reGeorg" %}
We will be using [Neo-reGeorg](https://github.com/L-codes/Neo-reGeorg) to achieve tunneling. On our attacking machine, we generate the tunnel files with a key:

```bash
v4resk@kali$ python3 neoreg.py generate -k 'P@ssw0rd!'
```

Then, we have to upload the generated files to the target machine and host them on a web server. On the attacking machine we can then do:

```bash
# Establish a SOCKS5 proxy
v4resk@kali$ python3 neoreg.py -k 'P@ssw0rd!' -u http://MACHINE_IP/uploader/files/tunnel.php

# We can now use it as a SOCKS5 proxy
v4resk@kali$ curl --socks5 127.0.0.1:1080 http://172.20.0.121:80
```

{% endtab %}

{% tab title="Chisel" %}
[Chisel](https://github.com/jpillora/chisel) is an awesome tool which can be used to quickly and easily set up a tunnelled proxy or port forward. It tunnels connections within the HTTP protocol and uses the SSH protocol within this tunnel to encrypt our data.

For more details, and to learn how to use this tool, please refer to the [Port Forwarding page](/redteam/pivoting/portfwd.md#chisel).
{% endtab %}
{% endtabs %}
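
A defender-side view of the web-script tunnel described above, as an added example that is not part of the original page or of Neo-reGeorg: because the proxied traffic is relayed through requests to one uploaded script, a single client sending a sustained stream of POSTs to one path stands out in the web server's access log. The Combined Log Format, the focus on POST requests, the thresholds (30 POSTs within 60 seconds) and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format fields this check needs: client, timestamp, method, path.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_tunnel_candidates(lines, min_posts=30, window=timedelta(seconds=60)):
    """Return sorted (client_ip, path, peak_posts) for each client/path pair
    that saw at least min_posts POSTs inside any single time window."""
    posts = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and m["method"] == "POST":
            path = m["path"].split("?", 1)[0]  # group by script, not query string
            posts[(m["ip"], path)].append(datetime.strptime(m["ts"], TS_FMT))
    hits = []
    for (ip, path), stamps in posts.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_posts:
            hits.append((ip, path, peak))
    return sorted(hits)

def sample_log():
    """Constructed log lines: a steady POST stream to one script, plus ordinary browsing."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "{} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'.format
    def stamp(ms):
        return (t0 + timedelta(milliseconds=ms)).strftime(TS_FMT)
    rows = [row("203.0.113.7", stamp(500 * i), "POST /uploader/files/tunnel.php")
            for i in range(80)]
    rows += [row("198.51.100.20", stamp(7000 * i), req)
             for i, req in enumerate(["GET /index.php", "POST /login.php", "GET /uploader/"])]
    return rows

if __name__ == "__main__":
    for ip, path, peak in find_tunnel_candidates(sample_log()):
        print(f"{ip} sent {peak} POSTs to {path} within 60s")
```

Thresholds need tuning per application: legitimate upload or API endpoints can also receive dense POST traffic, so treat hits as leads to correlate with recently created files under the web root.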

## Resources

{% embed url="https://tryhackme.com/room/dataxexfilt" %}

