RDP and SOCKS Tunneling w/ SocksOverRDP
There are often times during an assessment when we may be limited to a Windows network and may not be able to use SSH for pivoting. We would have to use tools available for Windows operating systems in these cases. SocksOverRDP is an example of a tool that uses
Dynamic Virtual Channels (
DVC) from the Remote Desktop Service feature of Windows. This feature can also be used to tunnel arbitrary packets over the network.
- We can look for
Connect to target and copy
SocksOverRDPx64.zipfile to the target. From the Windows target, we will then need to load the SocksOverRDP.dll using regsvr32.exe.
C:\Users\user\Desktop\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll
Now we can connect to 172.16.5.19 over RDP using
mstsc.exe, and we should receive a prompt that the SocksOverRDP plugin is enabled, and it will listen on 127.0.0.1:1080. Use the credentials to connect to 172.16.5.19.
We will need to transfer SocksOverRDPx64.zip or just the SocksOverRDP-Server.exe to 172.16.5.19. We can then start SocksOverRDP-Server.exe with Admin privileges.
When we go back to our foothold target and check with Netstat, we should see our SOCKS listener started on 127.0.0.1:1080.
C:\Users\user\Desktop\SocksOverRDP-x64> netstat -antb | findstr 1080 TCP 127.0.0.1:1080 0.0.0.0:0 LISTENING
After starting our listener, we can transfer Proxifier portable to the Windows 10 target (on the 10.129.x.x network), and configure it to forward all our packets to 127.0.0.1:1080. Proxifier will route traffic through the given host and port.
With Proxifier configured and running, we can start mstsc.exe, and it will use Proxifier to pivot all our traffic via 127.0.0.1:1080, which will tunnel it over RDP to 172.16.5.19, which will then route it to 172.16.6.155 using SocksOverRDP-server.exe.