Ruse is a secure, multi-platform, selective Reverse Proxy (or Redirector) that is fast and easy to deploy. It can help you conceal C2 communications and reverse shell traffic using the HTTP protocol.
Ruse combines the core features of Python's SimpleHTTPServer, Apache's mod_rewrite, and SSL ProxyPass, all in a single, self-contained and highly-portable executable.
It supports both plain-text HTTP and HTTPS, in a fast and easy to configure portable server executable. Ruse can be rapidly deployed from the command-line or inside a Docker container for added security.
- Runs under Linux, *BSD, Mac OS X, and Windows (7, Server 2008R2 and later)
- Supports Intel x86, AMD64, ARM, ARM64 and PPC64 (little-endian)
- No external dependencies (outside the Go standard library)
- HTTP and HTTPS (SSL/TLS) support
- Supports IPv4 and IPv6 addressing
- Selective Reverse Proxying based on:
  - User-Agent header field, matching:
    - Exact String(s)
    - Regular Expression(s)
  - Client's network (CIDR matching)
- Support for VirtualHosts
- Serves static files (with optional directory listing)
- HTTP Logging
Ruse helps you overcome multiple challenges, such as:
- Hiding your HTTP listeners from Incident Response teams.
- Load-balancing to multiple remote listeners.
- Simultaneously serving static files and listening for reverse HTTP shellcodes on a single port.
- Leveraging domain-fronting by exposing the redirector from a trusted location or domain.
- Pivoting traffic post-exploitation by proxying reverse HTTP shellcodes.
- Easily proxy your Metasploit's reverse_http(s) payloads.
- Selectively proxy your reverse shellcodes traffic with vhosts and regex matching.
If you're doing Red Team operations, or simply want to hide your HTTP listeners during an engagement, Ruse may be for you!
To build Ruse from source, simply enter `make`; it will build the `ruse` executable in the current working directory:
```
$ make
go build -o ruse -v src/ruse/main.go
```
Alternatively, you can build Ruse inside a Docker container using the `make container` command:
```
$ make container
building: bin/amd64/ruse
[...]
```
Ruse can run unprivileged from a terminal:
```
$ ./ruse -c conf/ruse.conf
Starting HTTP Server on localhost:8000
```
By default, Ruse ships with a basic configuration file which only allows plain-text HTTP connections from localhost on port tcp/8000. It is also configured to proxy traffic from Metasploit's reverse HTTP payloads by exact matching their default User-Agent header fields.
Ruse can also run in a Docker container, in a matter of seconds. Enter the `make container` command to build the Docker image and push it to your local registry. Once the image has been created, simply start a new container as demonstrated in the example below:
```
$ make container
[...]
$ docker run -v `pwd`/conf/ruse.conf:/etc/ruse.conf -p 127.0.0.1:8000:8000/tcp registry/ruse-amd64:1.0.2
Starting HTTP Server on localhost:8000
```
If you do not want to build Ruse from source, you can directly download the binaries below:
Filename | OS | Architecture | Version | SHA256 Checksum |
---|---|---|---|---|
ruse-1.0.2-linux-debian-amd64.deb | Linux Debian (derivatives) | x86-64 | 1.0.2 | 63b0f3fff7dd0bfa506b2623d1690d3fe9fc69ec15737a235f0c8712764a4c39 |
ruse-1.0.2-linux-aarch64.tar.xz | Linux (Generic) | AArch64 | 1.0.2 | 0ae13d43fc1279afb330116d4f16e894907f445413617823464df06d52ef45ad |
ruse-1.0.2-win-amd64.zip | Windows (amd64) | x86-64 | 1.0.2 | 0615349405a47c59984827cf4d8e60480df274d25f430db70e8c2c1c0fb7dbb5 |
ruse-1.0.2-win-i386.zip | Windows (i386) | x86-32 | 1.0.2 | e34566725a0a31b37e9d66a84123f2b667185fb3862d1db4208a35feed6f0ba9 |
ruse-1.0.2-darwin-amd64.zip | Mac OS X | x86-64 | 1.0.2 | 52e9804a413db8dca6470bcd13f55dd683e1559aa32c89107b892d98457c4ab3 |
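
The checksums above only help if they are checked before an archive is unpacked or run. The following is an added example, not part of the Ruse project: a POSIX shell helper that compares a downloaded file against a value copied from the table. The function names `sha256_of` and `verify_sha256` are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded release archive against the SHA256
# value published in the table above before unpacking or running it.

# sha256_of FILE -> prints the lowercase hex digest of FILE.
# Uses sha256sum (Linux) and falls back to shasum (Mac OS X, *BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 on a missing file or bad checksum.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Reject anything that is not exactly 64 hex characters (for example a
    # truncated copy-paste) instead of comparing against garbage.
    case $expected in
        *[!0-9a-f]*) echo "malformed checksum" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file (got $actual)" >&2
        return 1
    fi
}

# Usage with a value copied from the table (the file must already be
# present in the current directory):
# verify_sha256 ruse-1.0.2-linux-aarch64.tar.xz \
#   0ae13d43fc1279afb330116d4f16e894907f445413617823464df06d52ef45ad
```

A matching digest shows the file is the one the table describes; it does not authenticate whoever published the table.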
To configure the redirector, edit and copy the `ruse.conf` configuration file in the `/conf` directory to `/etc/ruse.conf`. The latter is the default configuration file path, and can be manually specified using the command-line `-c` switch. Ruse also reloads its configuration file when it receives the SIGHUP signal.
The configuration file is in JSON format and accepts various configuration options. Please see the tables below for further reference:
Key Name | Type | Default value(s) | Supported value(s) / Description |
---|---|---|---|
Hostname | optional | localhost | valid hostname or IPv4/IPv6 address¹ |
Protocols | optional | plain | plain, tls |
Port | optional | 8000 | 0-65535 |
TLSPort | optional | 8443 | 0-65535 |
TLSKey | optional | server.key | a valid PEM encoded private key file |
TLSCert | optional | server.crt | a valid X.509 certificate chain file |
Root | optional | /var/www | root directory for static content |
Index | optional | | directory index file² |
Verbose | optional | 0 | 0(off), 1(low), 2(medium), 3(high) |
Logfile | optional | | readable and writable log file |
Proxy | optional | | see Proxy array's keys table below |
VirtualHost | optional | | see VirtualHost array's keys table |
¹ Enter a valid IP address to listen on. IPv6 addresses must be enclosed in square brackets `[]`. Use the special values `0.0.0.0/0` or `[::0]` to listen on all interfaces.

² Use an empty `""` string value as the index page to enable recursive directory listing.
Key Name | Type | Default value(s) | Supported value(s) / Description |
---|---|---|---|
Type | optional | | only 'reverse' is actually supported |
Description | optional | | administrative description of the proxy |
Match | required | | see Match object's keys table below |
Target | required | | valid http:// or https:// schemes URI |
Key Name | Type | Default value(s) | Supported value(s) / Description |
---|---|---|---|
UserAgent | optional | | an array of User-Agent string(s) or Regular Expression(s)³ |
Network | optional | | an array or list of network(s) in CIDR notation⁴ |
Key Name | Type | Default value(s) | Supported value(s) / Description |
---|---|---|---|
Hostname | optional | localhost | valid hostname or IPv4/IPv6 address¹ |
Root | optional | | root directory for static content |
Index | optional | | directory index file² |
Proxy | optional | | see Proxy array's keys table above |
³ You can leverage Regular Expressions for matching HTTP User-Agent header field's values. Use the special tilde `~` character followed by a valid regular expression.

⁴ You can negate CIDR networks matching using the exclamation mark `!` character.
If you find this project useful and want to contribute, we will be more than happy to receive your contribution in the form of code, documentation and even bug reports. To contribute code, feel free to fork this project and send your pull request(s).