This document discusses Socks Over RDP, which is a tool that creates a SOCKS5 proxy over an RDP connection. It allows activities like penetration testing to be conducted over a jump box by tunneling everything through the RDP channel. The tool consists of a .dll plugin for the Remote Desktop Client and a .exe server component. It establishes a bidirectional virtual channel within the RDP connection without needing open ports. The document provides information on the history of similar tools, how to install and configure Socks Over RDP, example usage scenarios, and limitations for prevention.

1. Socks Over RDP
Balázs Bucsay
Managing Security Consultant @ NCC Group - @xoreipeip

2. Bio / Balázs Bucsay
 Managing Security Consultant & Office Research Lead @ NCC Group
 10+ years of offensive security experience
 Twitter: @xoreipeip | Linkedin: https://www.linkedin.com/in/bucsayb
 Strictly technical certificates: OSCE, OSCP, OSWP, GIAC GPEN, CREST CCT Inf
 Frequent speaker on different IT-security conferences
 US – Atlanta, Honolulu
 Europe – UK, Belgium, Norway, Austria, Hungary, Romania, Russia
 Australia – Melbourne
 Asia - Singapore

3. What is Socks Over RDP?
 An extension for Remote Desktop Client that creates SOCKS5 Proxy
 The Proxy tunnels everything over the RDP channel
 Ideal for Penetration Testing or other activities over a jump box
 Supports Windows only at the moment
 Everything above Window Server 2008 & Windows Vista SP1
 Logo was created first

4. Static/Dynamic Virtual Channels
 Bidirectional Data Pipes
 Inside of the RDP connection
 No need to open ports on firewalls
 Prior RDP 6.1 (Windows Server 2008 & Vista SP1) only Static Virtual Channels
 Up to 31 channels to use
 Present from start to session termination

5. Why did this come up?
 Client allows testing over a Jump Box only
 Possible reasons: PCI environment, highly confidential, improper remote access, lack of understanding
 Unix can be solved easily with SSH “–D”
 RDP/Windows was not that trivial
 Extra permissions and list needed about apps to install
 Not practical, lots of limitations
 UDVC was not feasible for Web Application testing for example
 Rdp2tcp Unix only and requires complexity

6. History
 TsTeleport – Transporting Files – ?2007 by Ahmed Tolba?
 Rdp2TCP – Same purpose - 2011 by Nicolas Collignon
 Loki/Sleipnir/Fenrir – 2015 by David Spencer
 Universal Dynamic Virtual Channel – 2018 by Balazs Bucsay
 Socks Over RDP – 2020 by Balazs Bucsay

7. How to use it
 There are two parts:
 .dll – mstsc.exe Remote Desktop Client plugin
 .exe – server component, needs to be copied to the server
 If the DLL is registered, it will pop up an alert box before connection
 In case the executable was ran, it connects back to the plugin, which spawn the proxy

8. Installation/Uninstallation
 Optional: Copy the DLL into system32/SysWOW64
 To Install: regsvr32.exe SocksOverRDP-Plugin.dll
 To Uninstall: regsvr32.exe /u SocksOverRDP-Plugin.dll
 For the .exe, just copy paste and run on the server – no hassle
 Make sure you choose the corresponding architecture

9. Configuration
 Change the values under:
 HKEY_CURRENT_USERSOFTWAREMicrosoftTerminal Server ClientDefaultAddInsSocksOverRDP-
Plugin
 enabled: 1 or 0 to enable or disable the plugin
 ip: IP to listen on, by default 127.0.0.1
 port: port to bind to, by default 1080

10. Demo
DEMO

11. Example Scenarios
 Web Application Testing
 Set SOCKS Proxy in Burp
 Internal Infrastructure Test
 Proxychain everything!
 Nmap
 Metasploit Framework

12. Release
https://github.com/earthquake/SocksOverRDP/

13. Prevention/Limitation
 If clipboard and drive redirection is disallowed, the tool will fail
 Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsRemote Desktop
ServicesRemote Desktop Session HostDevice and Resource Redirection
 Do not allow clipboard redirection == Enabled
 Do not allow drive redirection == Enabled
 Users will not be able to attach drives or copy&paste

14. Q&A
Thank you & Any questions?