This document discusses Socks Over RDP, which is a tool that creates a SOCKS5 proxy over an RDP connection. It allows activities like penetration testing to be conducted over a jump box by tunneling everything through the RDP channel. The tool consists of a .dll plugin for the Remote Desktop Client and a .exe server component. It establishes a bidirectional virtual channel within the RDP connection without needing open ports. The document provides information on the history of similar tools, how to install and configure Socks Over RDP, example usage scenarios, and limitations for prevention.
2. Bio / Balázs Bucsay
Managing Security Consultant & Office Research Lead @ NCC Group
10+ years of offensive security experience
Twitter: @xoreipeip | Linkedin: https://www.linkedin.com/in/bucsayb
Strictly technical certificates: OSCE, OSCP, OSWP, GIAC GPEN, CREST CCT Inf
Frequent speaker at IT-security conferences
US – Atlanta, Honolulu
Europe – UK, Belgium, Norway, Austria, Hungary, Romania, Russia
Australia – Melbourne
Asia - Singapore
3. What is Socks Over RDP?
An extension for the Remote Desktop Client (mstsc.exe) that creates a SOCKS5 proxy
The proxy tunnels all traffic over a virtual channel inside the RDP connection
Ideal for Penetration Testing or other activities over a jump box
Supports Windows only at the moment
Windows Server 2008 & Windows Vista SP1 and later
Logo was created first
4. Static/Dynamic Virtual Channels
Bidirectional Data Pipes
Inside of the RDP connection
No need to open ports on firewalls
Before RDP 6.1 (Windows Server 2008 & Vista SP1) only Static Virtual Channels were available
Up to 31 channels to use
Present from start to session termination
5. Why did this come up?
Client allows testing over a Jump Box only
Possible reasons: PCI environment, highly confidential, improper remote access, lack of understanding
On Unix this is solved easily with ssh -D (dynamic SOCKS forwarding)
On RDP/Windows it was not that trivial
Extra permissions and a list of applications to install were needed
Not practical, lots of limitations
UDVC was not feasible for Web Application testing, for example
Rdp2tcp is Unix only and complex to set up
6. History
TsTeleport – Transporting Files – ?2007 by Ahmed Tolba?
Rdp2TCP – Same purpose - 2011 by Nicolas Collignon
Loki/Sleipnir/Fenrir – 2015 by David Spencer
Universal Dynamic Virtual Channel – 2018 by Balazs Bucsay
Socks Over RDP – 2020 by Balazs Bucsay
7. How to use it
There are two parts:
.dll – mstsc.exe Remote Desktop Client plugin
.exe – server component, needs to be copied to the server
If the DLL is registered, the client shows an alert box before connecting
Once the executable is run on the server, it connects back to the plugin, which spawns the SOCKS5 proxy on the client side
8. Installation/Uninstallation
Optional: copy the DLL into System32 (x64 mstsc.exe) or SysWOW64 (x86 mstsc.exe)
To Install: regsvr32.exe SocksOverRDP-Plugin.dll
To Uninstall: regsvr32.exe /u SocksOverRDP-Plugin.dll
For the .exe, just copy it to the server and run it; no installation needed
Make sure you choose the DLL and .exe matching the architecture of the client and server
9. Configuration
Change the values under:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\SocksOverRDP-Plugin
enabled: 1 or 0 to enable or disable the plugin
ip: IP to listen on, by default 127.0.0.1
port: port to bind to, by default 1080
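The installation and configuration steps above, as an added PowerShell example for the tester's workstation. This is not code from the slides or from the Socks Over RDP project. It assumes the DLL is in the current directory unless -PluginPath is given, and that the three values are stored as REG_SZ strings (the slides state the names and defaults but not the value type). The PE-header check is there because an x86 DLL registered on a 64-bit client is silently ignored by the default x64 mstsc.exe.

```powershell
# Added example, not code from the Socks Over RDP project: register the plugin DLL with
# mstsc.exe and write the three configuration values described in the slides.
# Assumptions not stated on the slides: the values are REG_SZ strings and the DLL sits
# in the current directory unless -PluginPath says otherwise.
param(
    [string]$PluginPath = (Join-Path $PWD 'SocksOverRDP-Plugin.dll'),
    [string]$ListenIp   = '127.0.0.1',
    [int]   $ListenPort = 1080,
    [switch]$Uninstall
)

$KeyPath = 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\SocksOverRDP-Plugin'

# Read the Machine field of the PE header so we register the DLL that matches mstsc.exe
# (0x014c = x86, 0x8664 = x64). A mismatch is the classic "plugin never loads" failure.
function Get-PeMachine([string]$Path) {
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (missing MZ header)"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no PE signature"
    }
    switch ([BitConverter]::ToUInt16($bytes, $peOffset + 4)) {
        0x014c  { 'x86' }
        0x8664  { 'x64' }
        default { 'unknown' }
    }
}

# regsvr32 is a GUI-subsystem binary, so wait for it explicitly to get a real exit code.
function Invoke-RegSvr32([string[]]$Arguments) {
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $Arguments -Wait -PassThru
    return $p.ExitCode
}

if ($Uninstall) {
    $rc = Invoke-RegSvr32 @('/s', '/u', "`"$PluginPath`"")
    if ($rc -ne 0) { throw "regsvr32 /u failed with exit code $rc" }
    Remove-Item -Path $KeyPath -Recurse -ErrorAction SilentlyContinue
    Write-Host 'Plugin unregistered and configuration removed.'
    return
}

if (-not (Test-Path $PluginPath)) { throw "Plugin not found: $PluginPath" }

$dllArch  = Get-PeMachine $PluginPath
# mstsc.exe in System32 is x64 on 64-bit Windows; the SysWOW64 copy is x86.
$hostArch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
if ($dllArch -ne $hostArch) {
    Write-Warning "DLL is $dllArch but the default mstsc.exe is $hostArch; start the matching mstsc.exe or the plugin will not load."
}

# DllRegisterServer creates the AddIns key that tells mstsc.exe to load the plugin.
$rc = Invoke-RegSvr32 @('/s', "`"$PluginPath`"")
if ($rc -ne 0) { throw "regsvr32 failed with exit code $rc" }

# Configuration values from the slides; the key is created if registration did not.
New-Item -Path $KeyPath -Force | Out-Null
Set-ItemProperty -Path $KeyPath -Name 'enabled' -Value '1'           -Type String
Set-ItemProperty -Path $KeyPath -Name 'ip'      -Value $ListenIp     -Type String
Set-ItemProperty -Path $KeyPath -Name 'port'    -Value "$ListenPort" -Type String

# Show what mstsc.exe will read on the next connection.
Get-ItemProperty -Path $KeyPath | Select-Object enabled, ip, port
```

Run it from an elevated prompt if the DLL was copied into System32 or SysWOW64; a per-user copy elsewhere registers fine without elevation because the configuration lives under HKCU. The listener on ip:port only appears after the server-side .exe has connected back through the channel, so check it with Test-NetConnection once the RDP session is up, not before.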
11. Example Scenarios
Web Application Testing
Set SOCKS Proxy in Burp
Internal Infrastructure Test
Proxychains everything!
Nmap
Metasploit Framework
13. Prevention/Limitation
If clipboard and drive redirection are disallowed, the tool will fail
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
Do not allow clipboard redirection == Enabled
Do not allow drive redirection == Enabled
Side effect: users will no longer be able to map drives or copy and paste through the session
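An added PowerShell example, not from the slides or the project, for checking on the jump box whether the two policies above are actually in force. The registry values behind the Group Policy settings, fDisableClip and fDisableCdm under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, are Microsoft's documented backing values for "Do not allow clipboard redirection" and "Do not allow drive redirection"; the same-named values under the RDP-Tcp listener key are what applies when no policy is configured. The -Enforce switch writes the policy key directly as a lab convenience; in production set it through Group Policy, since a direct write is overwritten at the next policy refresh and only affects new sessions.

```powershell
# Added example, not code from the slides or the Socks Over RDP project: audit (and
# optionally enforce) the two Remote Desktop Session Host redirection policies.
# Run on the session host (the jump box), elevated if -Enforce is used.
param([switch]$Enforce)

# Group Policy backing key for "Remote Desktop Session Host" settings.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# Per-listener settings that apply when no policy is configured.
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Registry value -> policy name. 1 means the redirection is disallowed.
$Settings = [ordered]@{
    fDisableClip = 'Do not allow clipboard redirection'
    fDisableCdm  = 'Do not allow drive redirection'
}

function Get-RegDword([string]$Key, [string]$Name) {
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$allDisallowed = $true
foreach ($name in $Settings.Keys) {
    $policy   = Get-RegDword $PolicyKey   $name
    $listener = Get-RegDword $ListenerKey $name

    # A configured policy wins; otherwise the listener's own value decides;
    # if neither is set, redirection is allowed by default.
    if ($null -ne $policy)       { $effective = $policy;   $source = 'policy' }
    elseif ($null -ne $listener) { $effective = $listener; $source = 'listener' }
    else                         { $effective = 0;         $source = 'default' }

    $state = if ($effective -eq 1) { 'Enabled' } else { 'Not enforced' }
    Write-Host ('{0,-40} {1,-13} (via {2})' -f $Settings[$name], $state, $source)

    if ($effective -ne 1) {
        $allDisallowed = $false
        if ($Enforce) {
            New-Item -Path $PolicyKey -Force | Out-Null
            Set-ItemProperty -Path $PolicyKey -Name $name -Value 1 -Type DWord
            Write-Host "  -> set $name=1 under the policy key (applies to new sessions only)"
        }
    }
}

if ($allDisallowed) {
    Write-Host 'Both redirections are disallowed: Socks Over RDP will fail on this host.'
} else {
    Write-Host 'At least one redirection is still allowed: Socks Over RDP is not blocked here.'
}
```

The audit distinguishes where the effective setting comes from, because a hardening ticket that "set it on the server" may have touched only the listener key, which a later policy refresh can silently relax again if the GPO leaves the setting Not configured.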