In the IT world, RDP is used for many different purposes: for Active Directory server administration, but also to provide remote virtual machines. And if the client is not located in the same network zone, it can be used to create a software separation between two distinct network zones.
I've always wondered whether it was possible to abuse the features offered by RDP in order to create TCP tunnels, and so be able to access TCP services on another network from your own machine's network.
Naively, we might think not, because RDP is primarily about sending screen copies from the remote server. That's when I discovered the tool File-Tunnel:
- It uses the file system to create a TCP tunnel
- And with RDP you can mount a local user drive on the remote machine
Using the file system shared between client and server over an RDP connection, you can use the File-Tunnel tool to create a TCP tunnel.
The tool is great, but you need to specify each individual port to forward. My idea is to have dynamic access to the remote network. With the help of a local proxy on the server, you can access any web service from the local machine.
- Firefox uses the port-forwarded CNTLM proxy to access the web app.
Server
Local proxy installation and File-Tunnel start
For the local proxy I will use CNTLM. The tool was originally made to forward requests to an NTLM proxy, but with a NoProxy wildcard you can use it to forward requests directly on the local network. On Windows, pre-compiled portable executables are available: https://sourceforge.net/projects/cntlm/files/
The cntlm.ini configuration:
Proxy 127.0.0.1:9999 #Can be any port, never contacted
NoProxy *
Listen 8080
Then you can start the CNTLM proxy and File-Tunnel from a PowerShell command line:
$ .\cntlm-0.92.3\cntlm.exe -c .\cntlm-0.92.3\cntlm.ini
$ .\ft-win-x64.exe --read "\\tsclient\c\Users\[...]\File-Tunnel\1.dat" --write "\\tsclient\c\Users\[...]\File-Tunnel\2.dat"
Note: make sure to enable drive forwarding when starting the RDP connection.
Client
RDP connection and proxy configuration
On your local computer, you can start File-Tunnel to redirect port 8080 of the CNTLM proxy:
$ .\ft-win-x64.exe -L 8080:127.0.0.1:8080 --write "C:\Users\[...]\File-Tunnel\1.dat" --read "C:\Users\[...]\File-Tunnel\2.dat"
Then, in the Firefox configuration, set the proxy settings to point to the redirected proxy port.
Finally, using the configured Firefox, you can access web services on the remote network directly. Or you can imagine forwarding an SSH connection through this TCP tunnel using proxytunnel: blog.arfevrier.fr/master-proxytunnel-to-create-http-or-tcp-tunnel-over-any-proxy/
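From the defender's side, the server-side File-Tunnel command above has a recognisable shape: a single process given a --read file and a different --write file that both live on the redirected \\tsclient drive. The following Python sketch is an added example, not code from File-Tunnel or from the original post; the event fields (Image, CommandLine) and the sample events are constructed assumptions modelled on process-creation logs.

```python
import re

# Constructed sample process-creation events from an RDP server (assumed
# fields: Image, CommandLine). The user name and tool paths are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\ft-win-x64.exe",
     "CommandLine": r'.\ft-win-x64.exe --read "\\tsclient\c\Users\alice\File-Tunnel\1.dat"'
                    r' --write "\\tsclient\c\Users\alice\File-Tunnel\2.dat"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe "\\tsclient\c\Users\alice\notes.txt"'},
    {"Image": r"C:\Tools\cntlm.exe",
     "CommandLine": r".\cntlm.exe -c .\cntlm.ini"},
    {"Image": r"C:\Tools\renamed.exe",  # renamed binary, unquoted paths, mixed case
     "CommandLine": r"renamed.exe --write \\TSCLIENT\D\x\a.bin --read \\tsclient\d\x\b.bin"},
]

PREFIX = "\\\\tsclient\\"  # the literal prefix \\tsclient\ of a redirected drive
# --read / --write followed by a quoted or bare path (flags as used on the page)
ARG = re.compile(r'(--read|--write)\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def classify(cmdline):
    """Return 'tunnel-pattern', 'tsclient-access' or 'none' for one command line."""
    roles = {}
    for flag, quoted, bare in ARG.findall(cmdline):
        path = (quoted or bare).lower()
        if path.startswith(PREFIX):
            roles[flag.lower()] = path
    # Tunnel shape: two different files on the redirected drive, one per direction.
    if len(roles) == 2 and roles["--read"] != roles["--write"]:
        return "tunnel-pattern"
    # Any other use of the redirected drive is worth a lower-priority look.
    if PREFIX in cmdline.lower():
        return "tsclient-access"
    return "none"


def triage(events):
    """Keep only events that touch the redirected drive, with their verdict."""
    verdicts = ((e["Image"], classify(e["CommandLine"])) for e in events)
    return [(image, v) for image, v in verdicts if v != "none"]


if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:16} {image}")
```

This only sees the server half of the tunnel; the client-side command uses ordinary local paths. Where redirected drives are not needed, the "Do not allow drive redirection" Group Policy setting on the RDP host removes the \\tsclient share the tunnel depends on.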