RDP and SOCKS Tunneling with SocksOverRDP
In this scenario, we pivoted through a Windows network environment where establishing an SSH connection with the remote hosts was not possible. To do so, we leveraged the RDP protocol and its Dynamic Virtual Channel (DVC) feature. We used the SocksOverRDP tool to create a tunnel between Windows hosts over RDP.
The following image shows the scenario covered in this section.
Uploading the tools to the Windows foothold system
The first step was to upload the Portable Proxifier and SocksOverRDP x64 binaries to the Windows foothold system. We could do this because we were able to establish an RDP session between our Ubuntu attacker server and the Windows foothold system. In a real engagement, we might have obtained credentials for this Windows system.
Load the SocksOverRDP.dll
The second step was to load SocksOverRDP.dll on the Windows foothold system. This was required to set up the tunnel.
Loading a .dll requires an Administrator console.
When running this command for the first time, I got the following error.
The solution was to disable Windows Defender Real-Time protection. As can be seen below, I could then successfully load the SocksOverRDP-Plugin dll.
Because the Windows foothold system had two NIC interfaces, we were able to establish an RDP session with the Windows server at IP 172.16.5.19. A message from the SocksOverRDP plugin informed us that it would listen on localhost port 1080.
Then, we copied SocksOverRDP-server.exe to the Windows pivot system and ran it as administrator. This created the RDP tunnel.
On the Windows foothold system, we confirmed with the netstat command that a SOCKS proxy was listening on port 1080, as expected.
The last step was to configure Proxifier to forward all our local traffic to 127.0.0.1:1080. This allowed our traffic to be forwarded to the 172.16.5.19 Windows pivot via the RDP tunnel.
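The checks above (the plugin registered, and a SOCKS listener on 127.0.0.1:1080 owned by the RDP client) can be scripted from an Administrator PowerShell console on the foothold host. This is an added example, not code from the original write-up or from the SocksOverRDP project; it assumes that the plugin registers itself as an mstsc add-in under the `Terminal Server Client\Default\AddIns` key and that the listener is bound to 127.0.0.1:1080 as stated above. The same two checks are what a defender would look at to spot an RDP-based SOCKS tunnel on a workstation.

```powershell
# Added example: verify the SocksOverRDP setup on the foothold host, or
# audit a host for an RDP DVC plugin exposing a local SOCKS listener.
# Assumptions: the plugin registers under the mstsc AddIns key and
# listens on 127.0.0.1:1080; the add-in key name is whatever it chose.

function Get-MstscAddIns {
    # Every mstsc DVC client plugin is registered here; "Name" holds the DLL path.
    $base = 'HKCU:\Software\Microsoft\Terminal Server Client\Default\AddIns'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            AddIn  = $_.PSChildName
            Dll    = $props.Name
            Exists = (Test-Path -LiteralPath ([string]$props.Name))
        }
    }
}

function Get-SocksListener {
    param([int]$Port = 1080, [string]$Address = '127.0.0.1')
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -eq $Address } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local       = "$($_.LocalAddress):$($_.LocalPort)"
                Pid         = $_.OwningProcess
                Process     = $proc.ProcessName
                # The DVC plugin runs inside the RDP client, so the owner should be mstsc.
                IsRdpClient = ($proc.ProcessName -eq 'mstsc')
            }
        }
}

Write-Host '== Registered mstsc DVC add-ins =='
Get-MstscAddIns | Format-Table -AutoSize

Write-Host '== SOCKS listener on 127.0.0.1:1080 =='
$listener = Get-SocksListener
if (-not $listener) {
    Write-Warning 'No listener on 127.0.0.1:1080: plugin not loaded, or no RDP session to the pivot is open.'
} else {
    $listener | Format-Table -AutoSize
}
```

A listener on port 1080 owned by mstsc.exe rather than a dedicated proxy service is the tell-tale sign of this technique, which is why the script reports the owning process.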
With Proxifier and the RDP tunnel configured, we could establish an RDP session with the Windows target system at IP 172.16.6.155.
The connection was quite unstable since I had multiple RDP connections open simultaneously. I could improve performance a bit by setting the Experience to Modem (56 kbps), but the connection remained quite unstable.
Fortunately, I kept the connection to the target system long enough to get the flag!