SocksOverRDP

This tool adds SOCKS proxy functionality to Terminal Services (or Remote Desktop Services) and Citrix (XenApp/XenDesktop).
It uses a dynamic virtual channel that allows us to communicate via an open RDP/Citrix connection without the need to open a new socket, connection or port on a firewall.

GitHub - nccgroup/SocksOverRDP: Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services / Citrix / XenApp / XenDesktopGitHub

Resources

Page not found - HackTricksbook.hacktricks.xyz

Servers / Requirements

2 Windows machines (Server or Workstation running)
Linux Host

PoC

Machines

Windows 2008 (Server):
- 2 network cards: 192.168.56.127 (private host) and 10.0.2.4 (NAT network)
- RDP and IIS roles enabled
- IIS server on NAT network 10.0.2.4 (inaccessible by Client machine and Linux Host)
Windows 10 (Client):
- 1 network card (private host): 192.168.56.126
- RDP enabled
Linux host
- 192.168.56.1
On the 2 Windows workstations :
- Installer Visual C++ Redistributable for Visual Studio 2015 package

Steps

Install Releases : .DLL on the Client and .EXE on the Server
On Client, administrator command prompt:

# register the SocksOverRDP-Plugin.dll file as a COM component in Windows so that it works with RDP
regsvr32.exe .\SocksOverRDP-Plugin.dll

On Client: connect to the server via RDP: mstsc.exe.
1. Run a powershell command (admin) on the server via RDP :

# tunnelling of SOCKS connection via RDP, server listens to incoming RDP connections
# verbose option
.\SocksOverRDPServer.exe -v

Back to Client, administrator command prompt:

# list open ports
netstat -anot | findstr LISTEN
# see : TCP 127.0.0.1:1080

Add SOCKS proxy configuration

Control Panel > Network & Internet > Internet Options > Connections > LAN Settings > Use Proxy Server (Advanced) > Socks : 127.0.0.1:1080 Proxy Settings > Use a proxy server (ON) > Address: http://socks=127.0.0.1 ; Port: 1080

(Or use proxifier: https://www.proxifier.com/)

Access: http://10.0.2.4 via Client machine

SOCKS Chain

We want to :

From Linux machine (192.168.56.0/24) -> access server network

Chain : Server -> Client -> Linux

Client

(After step 2)

By default, the binding is set to 127.0.0.1 on the Client machine (inaccessible by the Linux machine), so change this value in regedit.exe to its private IP address (192.168.56.126): HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\SocksOverRDP-Plugin.
Repeat steps 3 to 4 to apply this change

Linux

Install proxychains4 on the Linux machine:

sudo apt-get update sudo apt-get install proxychains4

Modify the proxychains4 configuration file and configure it to forward traffic to the SOCKS proxy created by SocksOverRDP on the Windows client:

# /etc/proxychains4.conf or /etc/proxychains.conf
socks5 192.168.56.126 1080 # ip client windows + port socks

Test the connection to the IIS server from the Linux machine:

proxychains4 nc -znv 10.0.2.4 80
# works!

PreviousLigolo-Ng : Pivoting use cases NextFirewalls

Last updated 2 years ago

Was this helpful?