- From Windows
- From Linux
Sometimes life gives you lemons. And sometimes life gives you port 3389 only.
During a recent pentest at a client, I was provided with a jump host in a DMZ behind some tight firewall rules. Only port 3389 (RDP) was reachable on the jump host, and no reverse shell was possible from the jump host back to my laptop. I also didn’t have elevated privileges on this host, as things should be. OK, I lied, I privesced the jump host, but it isn’t useful here anyway, so let’s ignore that. So where to go from there?
Well, it turns out there’s a nice, lesser-known feature of Windows Terminal Services (aka Remote Desktop Services) called Dynamic Virtual Channels.
Virtual channels enable the tunneling of arbitrary packets inside the RDP connection by tagging each packet with the channel it belongs to (its source/destination). These channels are used, for instance, to transfer clipboard data between hosts.
But according to the documentation, one can define their own tunnel by providing a custom DLL to the RDP client and running a custom SOCKS5 proxy server on the remote jump host, which doesn’t even require SYSTEM privileges!
Here are two projects that do just that, one for Windows clients and one for Linux clients (the jump host runs Windows in both cases).
The needed binaries are already compiled in a release archive: https://github.com/nccgroup/SocksOverRDP/releases
Check the project’s README for complete instructions.
On the Windows client (your machine), register the DLL:
Then RDP to the server:
On the Windows server (the jump host), run the binary as an unprivileged user:
The SOCKS5 server is then available at 127.0.0.1:1080, e.g. with ncat:
ncat.exe --proxy 127.0.0.1:1080 --proxy-type socks5 REMOTECOMPUTER 22
Use xfreerdp (it should be installed on your Kali, or available from any decent package manager) and rdp2tcp.
Cross-compile the Windows server:
apt install mingw-w64
make server-mingw32
Compile the Linux client. The three files you need afterwards are:
./client/rdp2tcp
./server/rdp2tcp.exe
./tools/rdp2tcp.py
On the Linux host:
xfreerdp /d:DOMAIN /u:USER /p:PASSWORD /v:COMPUTER:PORT /rdp2tcp:/path/to/rdp2tcp
Then on the Windows host (the jump host), as an unprivileged user:
Then on the Linux host:
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
rdp2tcp.py add socks5 127.0.0.1 1080
Then use standard commands with proxychains:
proxychains nc -z -v REMOTECOMPUTER 22
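As an added example (not code from SocksOverRDP or rdp2tcp), here is the SOCKS5 CONNECT exchange that ncat and proxychains perform against the 127.0.0.1:1080 endpoint in both sections above, in Python with only the standard library; a hostname is sent as a domain-type address so it is resolved on the jump-host side. The `socks5_connect` helper and its `proxy`/`host` parameters are this example’s own names, not part of either project.

```python
# SOCKS5 (RFC 1928) CONNECT handshake as ncat/proxychains speak it to the tunnel proxy at
# 127.0.0.1:1080. Added example, not SocksOverRDP/rdp2tcp code; names are sent as ATYP 0x03.
import socket

VER, NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x05, 0x00, 0x01, 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def build_greeting() -> bytes:
    return bytes([VER, 1, NO_AUTH])  # VER, NMETHODS, METHODS[]: offer only "no authentication"

def build_connect(host: str, port: int) -> bytes:
    # VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT (network byte order)
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:  # not a dotted quad: send the name, length-prefixed, so the jump host resolves it
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + port.to_bytes(2, "big")

def parse_reply(data: bytes):
    """Return (status_text, bound_addr, bound_port); ValueError if malformed or truncated."""
    if len(data) < 5 or data[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp not in (ATYP_IPV4, ATYP_DOMAIN):
        raise ValueError(f"unsupported address type {atyp:#x}")
    end = 8 if atyp == ATYP_IPV4 else 5 + data[4]
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    addr = socket.inet_ntop(socket.AF_INET, data[4:8]) if atyp == ATYP_IPV4 else data[5:end].decode("idna")
    port = int.from_bytes(data[end:end + 2], "big")
    return REPLY_TEXT.get(rep, f"unknown status {rep:#x}"), addr, port

def socks5_connect(proxy, host, port, timeout=10.0):
    """TCP connection to host:port through the SOCKS5 proxy at proxy=(ip, port), else ConnectionError."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(build_greeting())
    if s.recv(2) != bytes([VER, NO_AUTH]):
        s.close()
        raise ConnectionError("proxy did not accept the no-auth method")
    s.sendall(build_connect(host, port))
    status, _bound, _port = parse_reply(s.recv(262))  # largest reply: 4 + 1 + 255 + 2 bytes
    if status != "succeeded":
        s.close()
        raise ConnectionError(f"CONNECT {host}:{port}: {status}")
    return s
```

`socks5_connect(("127.0.0.1", 1080), "REMOTECOMPUTER", 22)` returns a socket whose traffic rides the RDP channel, the same thing the ncat and proxychains commands above do.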
That’s it. Happy pentesting!