RDP and SOCKS Tunneling with SocksOverRDP

  • We may be limited to a Windows pivot host where we can't use SSH for tunneling
  • Use SocksOverRDP - https://github.com/nccgroup/SocksOverRDP
    • It uses Dynamic Virtual Channels (DVC) from RDP
  • DVC is responsible for tunneling packets over the RDP connection, e.g. clipboard and audio sharing
  • SocksOverRDP uses DVC to tunnel our custom packets, and we then proxy through it using Proxifier
  • Proxifier - https://www.proxifier.com/download/#win-tab
  • SocksOverRDP - https://github.com/nccgroup/SocksOverRDP/releases

Workflow:

  • Transfer SocksOverRDPx64.zip to the Windows pivot host
  • Load the SocksOverRDP-Plugin.dll
    • regsvr32.exe SocksOverRDP-Plugin.dll
  • Now we can connect to 172.16.5.19 over RDP using mstsc.exe. We should receive a prompt that the SocksOverRDP plugin is enabled and that it will listen on 127.0.0.1:1080.
  • Transfer SocksOverRDPx64.zip, or just SocksOverRDP-Server.exe, to 172.16.5.19. We can then start SocksOverRDP-Server.exe with Admin privileges.
  • Confirm that the SOCKS listener has started on the Windows pivot:
    • netstat -antb | findstr 1080
  • After starting the listener, transfer Proxifier portable to the Windows pivot and configure it to forward all our packets to 127.0.0.1:1080
  • https://academy.hackthebox.com/storage/modules/158/configuringproxifier.gif
  • With Proxifier configured and running, we can start mstsc.exe.
  • It will use Proxifier to pivot our traffic via 127.0.0.1:1080, which tunnels it over RDP to 172.16.5.19, which then routes it to 172.16.6.155 using SocksOverRDP-Server.exe
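
The same netstat -antb check, read from the defender's side: a listening socket owned by mstsc.exe is worth reviewing. This is an added example, not part of the original notes or the SocksOverRDP project; the sample output is constructed, 172.16.5.150 is an assumed pivot address, and the "RDP client should not listen" rule is a heuristic.

```python
import re

# Constructed `netstat -antb` output (not captured from a real host).
# 172.16.5.150 is an assumed address for the Windows pivot.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           Offload State

  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       InHost
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       InHost
 Can not obtain ownership information
  TCP    127.0.0.1:1080         0.0.0.0:0              LISTENING       InHost
 [mstsc.exe]
  TCP    172.16.5.150:49712     172.16.5.19:3389       ESTABLISHED     InHost
 [mstsc.exe]
"""

CONN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\w+)")
OWNER = re.compile(r"^\s*\[(.+?)\]\s*$")

def parse_netstat(text):
    """Pair each TCP row with the [owner.exe] line that netstat -b prints below it."""
    rows, current = [], None
    for line in text.splitlines():
        conn = CONN.match(line)
        if conn:
            current = {"addr": conn.group(1), "port": int(conn.group(2)),
                       "state": conn.group(3), "owner": None}
            rows.append(current)
            continue
        # Component names (e.g. RpcSs) and ownership errors match neither
        # pattern, so such rows keep owner=None until an [owner] line appears.
        own = OWNER.match(line)
        if own and current is not None:
            current["owner"] = own.group(1).lower()
            current = None
    return rows

def rdp_client_listeners(rows, client="mstsc.exe"):
    """Heuristic (assumption): the RDP client only dials out, so a LISTENING
    socket it owns suggests a loaded virtual-channel plugin such as a SOCKS proxy."""
    return [r for r in rows if r["owner"] == client and r["state"] == "LISTENING"]

if __name__ == "__main__":
    for hit in rdp_client_listeners(parse_netstat(SAMPLE)):
        print(f"review: {hit['owner']} listening on {hit['addr']}:{hit['port']}")
```

Rows whose owner could not be resolved stay at owner=None, so they are not silently attributed to the wrong process.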

RDP Performance:

  • In RDP App > Experience > select Modem instead of Performance