
This is a widely used protocol mostly used by Administrators to remotely access the resources of the operating system or network based services.

As penetration testers we frequently find ourselves in a situation where the only access that we are provided to a server or network is a Remote Desktop account. It means that we need to perform our testing via this server. These servers are commonly called Jump boxes. This usually introduces a few extra steps that take time from us and our clients to set up and configure:

- Create a list of tools that need to be installed on the server (optional).
- Get the list approved by the client (optional).
- Struggle to test with a quickly prepared environment with lots of limitations.

On top of this disruptive cycle, some of our clients do not really like us needing to install security testing tools on their machines, which is understandable, but this proves to be a deadlock in many cases.

In case our testing has to go through a UNIX based server, this is a non-issue. SSH already has support for SOCKS Proxying, which can be set up for example with the "-D" parameter. The Remote Desktop Protocol and its Windows client however has no such feature. To solve all of these issues above, we are happy to announce our new tool: Socks Over RDP.


This tool was created to add this functionality to the Remote Desktop Protocol and its client. Just like SSH, upon connection a SOCKS Proxy is created on the client side, which can be used to proxy everything over the existing RDP connection.

The .dll needs to be registered on the client computer and will be loaded into the context of the Remote Desktop Client every time it runs. This does nothing by itself; to activate the SOCKS Proxy the other component needs to be executed. The .exe needs to be copied to the server and executed. No installation, no configuration: this is completely hassle free.

When the .exe is executed on the server side in the Remote Desktop Connection, it connects back to the plugin over a Dynamic Virtual Channel (which is a feature of the protocol) and the plugin will spin up a SOCKS Proxy on the client side.


That proxy by default listens on 127.0.0.1:1080, which can be configured as a proxy in browsers or tools. Note that the server component (.exe) does not require any special privileges on the server side at all; a low privileged user is also allowed to open virtual channels and proxy over the connection.
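
A defender-side check for the behaviour described above, as an added example that is not part of the original post or the tool's own code: it parses the output of "netstat -ano" and "tasklist /fo csv /nh" and reports TCP listeners owned by the Remote Desktop Client, which is where the plugin's proxy lives. The sample output is constructed, and mstsc.exe as the client image name is an assumption, since the page names no process.

```python
import csv
import io

# Constructed sample of `netstat -ano` output from an RDP client workstation.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:1080         0.0.0.0:0              LISTENING       4321
  TCP    192.168.56.10:50412    10.0.0.5:3389          ESTABLISHED     4321
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       5120
"""

# Constructed sample of `tasklist /fo csv /nh` output (image name, PID, ...).
SAMPLE_TASKLIST = '''\
"svchost.exe","904","Services","0","9,120 K"
"mstsc.exe","4321","Console","1","61,344 K"
"python.exe","5120","Console","1","22,008 K"
'''

RDP_CLIENTS = {"mstsc.exe"}  # assumption: stock Windows RDP client image name


def pid_to_image(tasklist_csv):
    """Map PID -> lower-cased image name from tasklist CSV output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0].lower() for r in rows if len(r) >= 2 and r[1].isdigit()}


def rdp_client_listeners(netstat_text, tasklist_csv):
    """Return (image, pid, local_address) for each TCP listener owned by an RDP client."""
    images = pid_to_image(tasklist_csv)
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Data rows have five columns: Proto, Local Address, Foreign Address, State, PID.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        if not parts[4].isdigit():
            continue
        pid = int(parts[4])
        image = images.get(pid, "")
        if image in RDP_CLIENTS:
            findings.append((image, pid, parts[1]))
    return findings


if __name__ == "__main__":
    for image, pid, addr in rdp_client_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{image} (PID {pid}) is listening on {addr}")
```

Because the listening port is only a default, the check keys on the owning process rather than on port 1080.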
