Tool Release – Socks Over RDP

Introduction

Remote Desktop Protocol (RDP) is used to create an interactive session on a remote Windows machine. It is a widely used protocol, mostly used by administrators to remotely access the resources of the operating system or network-based services.

As penetration testers, we frequently find ourselves in a situation where the only access we are given to a server or network is a Remote Desktop account. These servers are commonly called jump boxes, and all of our testing has to be performed through them. This usually introduces a few extra steps that take time from us and our clients to set up and configure:

  • Create a list of tools that need to be installed on the server (optional)
  • Get the list approved by the client (optional)
  • Install the tools on the server
  • Struggle to test with a quickly prepared environment with lots of limitations
  • Repeat all points above

On top of this disruptive cycle, some of our clients do not really like us needing to install security testing tools on their machines, which is understandable, but this proves to be a deadlock in many cases.

To solve all of the issues above, we are happy to announce our new tool: Socks Over RDP.

Socks Over RDP

When our testing has to go through a UNIX-based server, this is a non-issue. SSH already has support for SOCKS proxying, which can be set up, for example, with the “-D” parameter. The Remote Desktop Protocol and its Windows client, however, have no such feature.

This tool was created to add this functionality to the Remote Desktop Protocol and its client. Just like with SSH, upon connection a SOCKS proxy is created on the client side, which can be used to proxy everything over the existing RDP connection.

The tool has two components:

  • A .dll, which needs to be registered on the client computer and will be loaded into the context of the Remote Desktop Client every time it runs. This does nothing by itself; to activate the SOCKS proxy, the other component needs to be executed.
  • A .exe, which is the server component. This needs to be copied to the server and executed. No installation and no configuration are needed; it is completely hassle free.

When the .exe is executed on the server side within the Remote Desktop connection, it connects back to the plugin over a Dynamic Virtual Channel (which is a feature of the protocol) and the plugin spins up a SOCKS proxy on the client side. By default that proxy listens on 127.0.0.1:1080, which can be configured as a proxy in browsers or tools.

Note that the server component (.exe) does not require any special privileges on the server side at all; a low-privileged user is also allowed to open virtual channels and proxy over the connection.

It is worth noting that this tool works on Windows only. In case you are a UNIX user, FreeRDP released a similar or equivalent plugin for their tool as well.

The Tool

The tool is open source and can be found on GitHub. It was released at an online conference called HAVOC, organized by Hackers Academy.

Technical details, configuration options and other information can be found there as well:

https://github.com/nccgroup/SocksOverRDP

Security Concerns

By default, there are no security concerns associated with the tool.

The server component can be executed as a low-privileged user and requires no configuration or installation at all.

If the plugin (client component) is misconfigured, the proxy can be changed to listen on all interfaces, which might expose the proxy to other computers on the client’s local network. With a properly configured firewall this can be mitigated.
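
A client-side check for the exposure described above, as an added example that is not part of the original post or the SocksOverRDP project: it parses `netstat -ano` output and flags any listener on the proxy port that is not bound to a loopback address. The sample output, addresses and PIDs are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

PROXY_PORT = 1080  # default proxy port stated in the post (127.0.0.1:1080)

# Constructed sample of `netstat -ano` output from a client machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    127.0.0.1:1080         0.0.0.0:0              LISTENING       7412
  TCP    192.168.1.23:1080      0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.23:49712     203.0.113.10:3389      ESTABLISHED     7412
  TCP    [::]:1080              [::]:0                 LISTENING       6001
  TCP    [::1]:1080             [::]:0                 LISTENING       6002
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def find_listeners(netstat_text, port=PROXY_PORT):
    """Return every TCP listener on `port`, marking non-loopback binds as exposed."""
    results = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only TCP rows in LISTENING state have exactly these five columns.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        try:
            addr, local_port = split_endpoint(fields[1])
        except ValueError:
            continue  # unparsable endpoint, skip the row
        if local_port == port:
            results.append({"address": str(addr), "pid": int(fields[4]),
                            "exposed": not addr.is_loopback})
    return results

if __name__ == "__main__":
    for entry in find_listeners(SAMPLE_NETSTAT):
        status = "EXPOSED beyond loopback" if entry["exposed"] else "loopback only"
        print(f"{entry['address']}:{PROXY_PORT} pid={entry['pid']} {status}")
```

On a real client, pass the captured output of `netstat -ano` to `find_listeners` and match the reported PID against the Remote Desktop Client process before treating a hit as the plugin's proxy.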

Written by:  Balazs Bucsay [@xoreipeip] https://twitter.com/xoreipeip