Using DVC to tunnel arbitrary connections inside of RDP

Guillaume Quéré


Sometimes life gives you lemons. And sometimes life gives you port 3389 only.

During a recent pentest at a client, I was provided with a jump host in a DMZ with some tight firewall rules. Only port 3389 (RDP) could be seen on the jump host, and no reverse shell was possible from the jump host to my laptop. Also I didn’t have elevated privileges on this host, as things should be. OK I lied, I privesced the jump host, but it’s not useful anyways so let’s ignore that. So where to go from there?

Well, turns out there’s a nice lesser known feature of Windows’ Terminal Services (aka Remote Desktop Services) called Dynamic Virtual Channels.

Virtual Channels enable the tunneling of arbitrary packets inside the RDP connection by tagging packets according to the desired source/destination. These channels are used for instance to transfer clipboard data between hosts.

DVC

But according to the documentation one can define his own tunnel by providing a custom DLL to the RDP client and running a custom SOCKS5 proxy server on the remote jump host that doesn’t even require SYSTEM privileges!

Here are two projects that do just that, one for Windows clients and one for Linux hosts.

From Windows

Use SocksOverRdp.

Needed files

Needed binaries are already compiled in a release archive: https://github.com/nccgroup/SocksOverRDP/releases

SocksOverRDP-Plugin.dll
SocksOverRDP-Server.exe

Usage

Check the project’s README for complete instructions.

On windows host, register the DLL:

regsvr32.exe SocksOverRDP-Plugin.dll

Then RDP to the server:

mstsc.exe

On windows server, run the binary as an unprivileged user:

SocksOverRDP-Server.exe

The SOCKS5 server is then available at 127.0.0.1:1080:

ncat.exe --proxy 127.0.0.1:1080 --proxy-type socks5 REMOTECOMPUTER 22

From Linux

Use xfreerdp (should be installed on your Kali or available from any decent package manager) and rdp2tcp.

Cross-compile the Windows server

apt install mingw-w64
make server-mingw32

Compile the Linux client

make client

Needed files

./client/rdp2tcp
./server/rdp2tcp.exe
./tools/rdp2tcp.py

Usage

On Linux host:

xfreerdp /d:DOMAIN /u:USER /p:PASSWORD /v:COMPUTER:PORT /rdp2tcp:/path/to/rdp2tcp

Then on Windows host, as an unprivileged user:

rdp2tcp.exe

Then on Linux host:

echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
rdp2tcp.py add socks5 127.0.0.1 1080

Then use standard commands with proxychains:

proxychains nc -z -v REMOTECOMPUTER 22

That’s it. Happy pentesting!