During a recent pentest, we gained access to a Windows machine over a Remote Desktop connection using weak credentials, a pretty common scenario. The firewall between us and the target network, however, blocked all traffic in both directions except port 3389/tcp.
While researching ways to bypass this restriction, we came across a feature called Remote Desktop Services Virtual Channels. It allows additional services to be transmitted over the same Remote Desktop connection: copy and paste, drive sharing, and sound, for example, all use it. An interesting characteristic of Virtual Channels is that they don’t require a privileged account.
To exploit this feature in the described scenario, we first found rdp2tcp, a very old tool that uses Virtual Channels to transport TCP connections over the RDP protocol, but based on our tests it doesn’t work correctly on modern systems. We weren’t able to find many tools that use Virtual Channels to do something “evil”.
Further research led us to UDVC, a tool that lets you create a TCP tunnel between the client and the server. UDVC was created to work with XFLTReaT, a software package built to help with data exfiltration. It works pretty well, but it is not able to manage multiple connections.
To get a reliable tunnel over the Remote Desktop connection, therefore, we decided to use Secure Socket Funneling (SSF), which uses a single TCP connection and allows us to set up a SOCKS server in a reliable way.
Here’s how to get a socks server tunneled over RDP:
- Client: register the UDVC-Plugin.dll on the system
- Client: connect via RDP to the server (by default it will create the virtual channel on all RDP connections, by binding the TCP port 31337)
- Copy UDVC-Server.exe and the SSF package to the remote server
- Server: execute “ssfd.exe -p 9898”
- Server: execute “UDVC-Server.exe -c -p 9898 -i 127.0.0.1”
- Client: execute “ssf.exe -D 9999 -p 31337 127.0.0.1”
At this point you will have a SOCKS server listening on port 9999 on your client. Simple if you know it 😉
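From the defender's side, the setup above leaves two tell-tale processes running inside the interactive RDP session on the server: ssfd.exe listening on a loopback port (9898 in the steps above) and UDVC-Server.exe connected to it. Services normally live in session 0, so a listening socket owned by a process in an interactive session (SessionId greater than 0) is worth a look. The following PowerShell is an added example written for this post, not code from the original article or from the UDVC/SSF projects; it assumes Windows 8/Server 2012 or later (for Get-NetTCPConnection from the NetTCPIP module) and an elevated prompt so that other users' processes are visible.

```powershell
# Added example (not from the original post): triage listening TCP sockets on an RDP
# server and keep only those owned by processes in interactive sessions (SessionId > 0).
# Assumes Windows 8 / Server 2012+ and an elevated PowerShell prompt.
function Get-InteractiveSessionListeners {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if ($null -eq $proc) { return }   # process already exited; skip this socket

        # Resolve the account the process runs as via WMI/CIM (may be $null if access is denied)
        $ci = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)" -ErrorAction SilentlyContinue
        $owner = if ($ci) { (Invoke-CimMethod -InputObject $ci -MethodName GetOwner).User } else { $null }

        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            ProcessId    = $proc.Id
            ProcessName  = $proc.ProcessName
            SessionId    = $proc.SessionId   # 0 = services; >0 = an interactive (console or RDP) session
            User         = $owner
            Path         = $proc.Path        # $null for protected or inaccessible processes
        }
    } | Where-Object { $_.SessionId -gt 0 }
}

# Run the check; in the scenario above, ssfd.exe on 127.0.0.1:9898 would appear in this table.
Get-InteractiveSessionListeners | Sort-Object SessionId, LocalPort | Format-Table -AutoSize
```

The interactive-session filter is a triage aid rather than a complete detection: legitimate desktop software sometimes opens loopback listeners too, so correlate each hit with the logged-on user (quser) and with the executable path before acting on it. Note that the virtual channel itself never shows up as a separate network socket on the server, since it is multiplexed inside the existing 3389/tcp session; that is exactly why a firewall that only permits RDP is not enough on its own, and why host-side visibility into the processes spawned within RDP sessions matters.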