RDP and SOCKS Tunneling w/ SocksOverRDP

There are often times during an assessment when we may be limited to a Windows network and may not be able to use SSH for pivoting. We would have to use tools available for Windows operating systems in these cases. SocksOverRDP is an example of a tool that uses Dynamic Virtual Channels (DVC) from the Remote Desktop Service feature of Windows. This feature can also be used to tunnel arbitrary packets over the network.

We need:

  1. SocksOverRDP x64 Binaries

  2. Proxifier Portable Binary

  • We can look for ProxifierPE.zip

Connect to target and copy SocksOverRDPx64.zipfile to the target. From the Windows target, we will then need to load the SocksOverRDP.dll using regsvr32.exe.

C:\Users\user\Desktop\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll

Now we can connect to over RDP using mstsc.exe, and we should receive a prompt that the SocksOverRDP plugin is enabled, and it will listen on Use the credentials to connect to

We will need to transfer SocksOverRDPx64.zip or just the SocksOverRDP-Server.exe to We can then start SocksOverRDP-Server.exe with Admin privileges.

When we go back to our foothold target and check with Netstat, we should see our SOCKS listener started on

C:\Users\user\Desktop\SocksOverRDP-x64> netstat -antb | findstr 1080

  TCP              LISTENING 

After starting our listener, we can transfer Proxifier portable to the Windows 10 target (on the 10.129.x.x network), and configure it to forward all our packets to Proxifier will route traffic through the given host and port.


With Proxifier configured and running, we can start mstsc.exe, and it will use Proxifier to pivot all our traffic via, which will tunnel it over RDP to, which will then route it to using SocksOverRDP-server.exe.