
1. Introduction

Hi everybody. In this tutorial I will introduce a method for creating a TCP tunnel over RDP (Remote Desktop Protocol), the most common remote desktop method in Windows environments. If you are reading this topic, I'm sure you already know what a tunnel and a back connect are, so I will not cover those concepts again here.

2. Why an RDP tunnel is needed

This is a case from one of my real-world pentests: I could take control of a Windows system, but that system exposed only port 3389 to my network. I wanted to use that computer to escalate to other systems without installing pentest tools on it. How can I do that?

3. Requirements

  • Linux system (I use Ubuntu)
  • Rdesktop
  • rdp2tcp

4. A bit about RDP and the idea behind an RDP tunnel

4.1 RDP protocol history

  • RDP 4.0 Windows NT 4.0
  • RDP 5.0 Windows 2000
  • RDP 5.1 Windows XP
  • RDP 5.2 Windows 2003
  • RDP 6.0 Windows Vista
  • RDP 6.1 Windows 2008
  • RDP 7.0 Windows 2008R2
  • RDP 7.1 Soon …

  • Extension of T.128 protocol
  • Channels are multiplexed over a single TCP connection
    • rdpdr –> file sharing
    • cliprdr –> clipboard
    • rdpsnd –> sound
  • Applications can dynamically register new channels

4.2 Terminal services and kernel land

4.3 Terminal services and User land

4.4 Idea and Architecture

  • Client implementation
    • Virtual channel implementation to be used with rdesktop client
    • Need OOP rdesktop patch
    • rdesktop -r addin:rdp2tcp:/usr/bin/rdp2tcp [ip to remote]
    • ~256 tunnels / rdp2tcp instance
  • Rdp2tcp server
    • Executable must be uploaded on the TS host
      • SMB, file sharing, …
    • Run one or more instances of rdp2tcp.exe within the RDP session
    • WTSVirtualChannelOpen("rdp2tcp")
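
From the monitoring side, the static channel names a client requests (rdpdr, cliprdr, rdpsnd, or an add-in name such as rdp2tcp) are listed in the Client Network Data block of the RDP connection setup. The following is an added example, not part of rdp2tcp or of the original tutorial: it parses that block and reports channel names outside an allowlist. It assumes the block has already been extracted from a decrypted or proxy-terminated connection; the allowlist and the sample bytes are constructed for illustration.

```python
import struct

CS_NET = 0xC003   # header type of the Client Network Data block (MS-RDPBCGR)
MAX_CHANNELS = 31  # protocol limit on static virtual channels
# Assumption: the channels this site expects to see; set per local policy.
ALLOWED = {"rdpdr", "cliprdr", "rdpsnd"}


def parse_cs_net(block):
    """Return [(channel_name, options)] from one Client Network Data block."""
    if len(block) < 8:
        raise ValueError("block shorter than the CS_NET header")
    btype, length, count = struct.unpack_from("<HHI", block, 0)
    if btype != CS_NET:
        raise ValueError("not a CS_NET block: type 0x%04x" % btype)
    if count > MAX_CHANNELS or length != 8 + 12 * count or length > len(block):
        raise ValueError("channelCount and length do not agree")
    channels = []
    for i in range(count):
        # CHANNEL_DEF: 8-byte NUL-terminated ANSI name, then 32-bit options
        raw, options = struct.unpack_from("<8sI", block, 8 + 12 * i)
        name = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        channels.append((name, options))
    return channels


def unexpected_channels(block, allowed=ALLOWED):
    """Names requested by the client that are not on the allowlist."""
    return [n for n, _ in parse_cs_net(block) if n.lower() not in allowed]


def build_cs_net(names, options=0x80000000):
    """Build a constructed block for testing (not captured traffic)."""
    body = b"".join(struct.pack("<8sI", n.encode("ascii"), options) for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(names)) + body


# Constructed sample: two stock channels plus the channel name from this page.
SAMPLE = build_cs_net(["rdpdr", "cliprdr", "rdp2tcp"])

if __name__ == "__main__":
    for name, options in parse_cs_net(SAMPLE):
        verdict = "ok" if name.lower() in ALLOWED else "UNEXPECTED"
        print("%-8s options=0x%08x %s" % (name, options, verdict))
```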

5. Install and config tunnel

5.1 Install dependencies

5.2 Building rdp2tcp

5.3 Build and patch rdesktop

Now go and download the rdesktop 1.8.3 source from rdesktop.org. It’s important that you get 1.8.3.

Download the oop.patch from here. Or you can download oop-1.8.1.patch. Copy it to the extracted rdesktop directory.

5.4 Compile the Windows Source Code (For running on server)

You can compile the application like any normal application. If you don't want to compile it, you can use the file I compiled: rdp2tcp-server

5.5 How to use

  • On the client computer, run:

Copy the rdp2tcp.exe file you downloaded above (or compiled yourself) and run it within the terminal session. It should say “channel connected”.

Note: You must run it in your terminal session opened through rdesktop.

Now tell rdp2tcp to set up a channel. For example, if you wanted to set up a tunnel to the server called “server1” listening on TCP port 22 behind the terminal server, use the following command to make it appear on your localhost on port 2222.

rdp2tcp.py add forward 2222 server1 22

If it works you should be able to SSH to port 2222 as if you were on the terminal server.

For more on using rdp2tcp, read the README file in the source code.