# Introduction

- There are often times during a pentesting assessment when we may be limited to a Windows network without the ability to use SSH for pivoting
- `SocksOverRDP` is a Windows-based tool that uses dynamic virtual channels (DVCs)
    - The DVC is responsible for tunneling packets over the RDP connection
- Concept:
    - Use `SocksOverRDP` to tunnel our custom packets and then proxy through it
    - Use the tool [Proxifier](https://www.proxifier.com/) as our proxy server
- Download needed binaries
    - [SocksOverRDP x64 Binaries](https://github.com/nccgroup/SocksOverRDP/releases)
    - [Proxifier Portable Binary](https://www.proxifier.com/download/#win-tab)

# Sequence for `SocksOverRDP`

- Load `socksoverrdp.dll` on the Windows pivot host

  ```cmd
  regsvr32.exe SocksOverRDP-Plugin.dll
  ```

- Connect to the target over RDP using `mstsc.exe`
  ![[images/Pasted image 20251023140035.png]]
- Transfer `socksoverrdpx64.exe` or just `socksoverrdp-server.exe` to the 172.16.5.19 target and start `socksoverrdp-server.exe` with admin privs
- From the Windows pivot host, confirm that the SOCKS listener started on 127.0.0.1:1080

  ```cmd
  netstat -antb | findstr 1080
  ```

- Set up `proxifier` on the Windows pivot host
    - `proxifier` will pivot all our traffic via 127.0.0.1:1080, which will tunnel it over RDP to 172.16.5.19, which will then route it to 172.16.6.155 using SocksOverRDP-server.exe

# Exercise

- Ping and light nmap scan of the Windows pivot host
  ![[images/Pasted image 20251023140748.png]]
  ![[images/Pasted image 20251023140800.png]]
- RDP connect to the Windows pivot host with the given creds
  ![[images/Pasted image 20251023140931.png]]
- Light enum
  ![[images/Pasted image 20251023141144.png]]
- Download `socksoverrdp` onto the Kali host
  ![[images/Pasted image 20251023141432.png]]
- Download `proxifier` onto the Kali host
  ![[images/Pasted image 20251023141640.png]]
- Serve the zip files from the Kali host
  ![[images/Pasted image 20251023142044.png]]
- Download the files on the Windows pivot host
  ![[images/Pasted image 20251023142103.png]]
  ![[images/Pasted image 20251023142130.png]]
- Load `socksoverrdp.dll` on the Windows pivot host
    - `socksoverrdp.dll` keeps getting deleted
    - Need to disable Defender

  ```powershell
  # disable Defender with admin privs
  Set-MpPreference -DisableRealtimeMonitoring $true
  ```

- After disabling Defender, reattempt loading of `socksoverrdp.dll`
  ![[images/Pasted image 20251023143029.png]]
- RDP connect to target 172.16.6.155
    - SocksOverRDP plugin appears to be working
      ![[images/Pasted image 20251023143252.png]]
    - But keep getting a failure
- Try RDP connect from PowerShell
    - No dice
      ![[images/Pasted image 20251023144359.png]]
- Try 172.16.5.19 and the creds from within the section instead of those provided by the exercise text
    - These correspond to the 172.16.5.0/23 subnet
    - Looks more promising
      ![[images/Pasted image 20251023144712.png]]
- We are on the downstream Windows host
  ![[images/Pasted image 20251023144844.png]]
- Disable Defender
    - Unable to disable
      ![[images/Pasted image 20251023145003.png]]
- Try to uninstall Defender
    - That worked
      ![[images/Pasted image 20251023145039.png]]

  ```powershell
  # uninstall Defender
  Uninstall-WindowsFeature -Name Windows-Defender
  ```

- Now ping the further downstream target in the 172.16.6.0/23 subnet
    - Now we are getting somewhere
      ![[images/Pasted image 20251023145250.png]]
- Move `SocksOverRDP` and `Proxifier` to 172.16.5.19
    - Simple left click copy and paste
      ![[images/Pasted image 20251023145706.png]]
- Run `SocksOverRDP-Server` as admin on 172.16.5.19
  ![[images/Pasted image 20251023150449.png]]
- Confirm the listener started correctly
  ![[images/Pasted image 20251023150543.png]]
- Set up `proxifier` on the initial Windows host with access to the 10.x.x.x and 172.16.5.x subnets
  ![[images/Pasted image 20251023151038.png]]
- Finally, RDP connect to 172.16.6.155 with the given creds
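As an added triage check (not part of the original notes or of the SocksOverRDP project), the following PowerShell script for the Windows pivot host lists the DVC plug-ins registered for the RDP client and any loopback listener on the SOCKS port with its owning process, which is the same state the `regsvr32` and `netstat` steps in the sequence above produce and the state a defender would look for. It assumes the standard mstsc `Terminal Server Client\Default\AddIns` registration key and that `Get-NetTCPConnection` is available (Windows 8 / Server 2012 and later).

```powershell
# Added triage script, not part of the original notes or of SocksOverRDP.
# Assumptions: the standard mstsc DVC plug-in registration key under
# ...\Terminal Server Client\Default\AddIns, and Get-NetTCPConnection being
# available (Windows 8 / Server 2012 and later).

function Get-RdpClientAddIns {
    # Enumerate DVC plug-ins registered for the RDP client (HKCU and HKLM).
    # regsvr32 of SocksOverRDP-Plugin.dll adds an entry here.
    $paths = @(
        'HKCU:\Software\Microsoft\Terminal Server Client\Default\AddIns',
        'HKLM:\Software\Microsoft\Terminal Server Client\Default\AddIns'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        Get-ChildItem -Path $p | ForEach-Object {
            [pscustomobject]@{
                Hive  = $p
                AddIn = $_.PSChildName
                Name  = (Get-ItemProperty -Path $_.PSPath).Name  # DLL path or CLSID
            }
        }
    }
}

function Get-LoopbackListeners {
    param([int[]]$Ports = @(1080))
    # Loopback-only listeners with their owning process: the same information
    # as "netstat -antb | findstr 1080". The SocksOverRDP plug-in listens on
    # 127.0.0.1:1080 from inside mstsc.exe, so that is the owner to expect.
    Get-NetTCPConnection -State Listen -LocalAddress 127.0.0.1 -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort = $_.LocalPort
                Pid       = $_.OwningProcess
                Process   = $proc.ProcessName
                Path      = $proc.Path
            }
        }
}

'== RDP client DVC add-ins =='
Get-RdpClientAddIns | Format-Table -AutoSize
'== Loopback listeners on SOCKS port(s) =='
Get-LoopbackListeners | Format-Table -AutoSize
```

Run it from an elevated prompt if you want the `Path` column populated for processes owned by other users.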