
RDP module

Balazs Bucsay edited this page May 9, 2018 · 7 revisions

Base protocol: TCP + RDP(TCP+UDP)
Type: Stateful
Parent: Stateful
Support: Windows Server 2008 & Windows Vista SP1 and higher

Introduction

It is possible to create virtual channels inside an active Remote Desktop session. Such a channel can be used to transfer data (this is how copy & paste, remote drives, etc. work over RDP). To make this possible, the Universal Dynamic Virtual Channel connector project was used as a base. The .DLL from that project needs to be registered on the client computer where mstsc.exe will run. When an RDP connection is made to the server, the library is loaded into the process's memory and sets up a Dynamic Virtual Channel. If the server side (the XFLTReaT RDP module in server mode) connects to the channel, the library opens a TCP listener on the client side (by default 127.0.0.1:31337). This listener is effectively a TCP XFLTReaT server, so the framework can connect to it with the TCP Generic module.
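Because the library runs inside mstsc.exe and opens its listener there, a listening TCP socket owned by mstsc.exe is the client-side artifact of the setup described above. The following is an added detection example, not code from the XFLTReaT or UDVC projects; it assumes a stock mstsc.exe opens no TCP listeners of its own, and the CSV column names and sample rows are constructed for illustration.

```python
import csv
import io

# Values taken from the page: the plugin runs inside mstsc.exe and, by
# default, listens on 127.0.0.1:31337.
RDP_CLIENT = "mstsc.exe"
DEFAULT_LISTENER = ("127.0.0.1", 31337)

# Constructed sample: a socket inventory exported as CSV. The column names
# are an assumption about how the analyst exported the data.
SAMPLE_CSV = """ProcessName,OwningProcess,LocalAddress,LocalPort,State
svchost.exe,904,0.0.0.0,135,Listen
mstsc.exe,5120,127.0.0.1,31337,Listen
mstsc.exe,5120,10.0.0.5,49822,Established
mstsc.exe,7716,0.0.0.0,4444,Listen
chrome.exe,3344,127.0.0.1,9222,Listen
"""


def find_rdp_client_listeners(csv_text):
    """Return one finding per TCP listener owned by the RDP client process."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["ProcessName"].strip().lower() != RDP_CLIENT:
            continue
        if row["State"].strip().lower() != "listen":
            continue  # outbound RDP sessions are expected; listeners are not
        addr = row["LocalAddress"].strip()
        port = int(row["LocalPort"])
        loopback = addr in ("127.0.0.1", "::1")
        findings.append({
            "pid": int(row["OwningProcess"]),
            "endpoint": f"{addr}:{port}",
            # The port is configurable, so the default is a hint, not a filter.
            "default_port": (addr, port) == DEFAULT_LISTENER,
            # A non-loopback listener is reachable from other hosts.
            "exposure": "local only" if loopback else "network reachable",
        })
    return findings


if __name__ == "__main__":
    for finding in find_rdp_client_listeners(SAMPLE_CSV):
        print(finding)
```

The check flags every listener owned by the RDP client rather than only port 31337, since the listener port can be changed from its default.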

When to use

Suppose there are two fully segregated networks (A and B) and only one box that can access both. To connect from network A to a server on network B, that jump box has to be used.

Penetration testers in particular have had the problem of testing over jump boxes. Testing over Linux or other kinds of Unices is easy if SSH is in use, because ports can be forwarded, but that is not possible with an out-of-the-box Windows server that has only Remote Desktop or Terminal Services enabled. By using the Universal Dynamic Virtual Channel connector and the framework's RDP module, it is possible to bridge the two networks.

It comes in extremely handy when used with the --split argument in client mode. In this case, only the IPs specified in the scope.txt file will be routed over RDP.

Steps:

Hint: Disable encryption for this module (set Encryption to none). First, RDP is already encrypted, so there is no need to waste bytes and resources on encryption. Second, the throughput of this module is quite low, so saving bytes and processing power can help improve the speed.

Configuration

IMPORTANT: On the server side you need to install OpenVPN's TAP-Windows NDIS 6 driver, Python and the requirements, and DO NOT FORGET to set the forwarding mode. This is all explained on the Installation page.

On the client side, please use the Universal Dynamic Virtual Channel connector and configure it accordingly. All necessary information can be found on the GitHub page.

[RDP]
enabled = no
channelname = UniversalDVC
serverport = 31337
priority = real

enabled

The value of this attribute is either yes or no. If it is set to yes, the module is initiated when the framework starts.

channelname

Name of the Dynamic Virtual Channel. You only need to change this if you want to run multiple instances of XFLTReaT or want to use the framework and UDVC at the same time.

serverport

The port that will be used by the module. By default it is tcp/31337.

priority

This is the priority of the opened data channel. It can be configured to one of the following:

  • real - real priority for data transmission; it gets the highest priority over everything else. It might affect how the desktop can be controlled and can make the connection a bit laggy while a large amount of data is being transferred (this is the default value).
  • high - high priority
  • medium - medium priority
  • low - low priority

Firewall rules on the server

None! Only RDP (tcp/3389) needs to be accessible, and you need a valid credential.
