Tcpdump: verbose output suppressed, use -v or -vv for full protocol decode I also ran a quick tcpdump on port 3389, to make sure that I was sending packets. Pkts bytes target prot opt in out source destinationĤ7 2896 DNAT tcp - eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 to:172.16.44.128:3389Ĭhain INPUT (policy ACCEPT 0 packets, 0 bytes)Ĭhain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)Ĭhain OUTPUT (policy ACCEPT 0 packets, 0 bytes)Īdditionally, I checked my conntrack file and saw a successful connection over port 3389. : ~# iptables -t nat -L -v -nĬhain PREROUTING (policy ACCEPT 0 packets, 0 bytes) When I looked at my iptables status, the rules were successfully capturing and modifying packets. Unfortunately, I was unable to connect initially. With my firewall rules in place, I configured a new connection in Royal TSX. : ~# iptables -A FORWARD -p tcp -dport 3389 -j ACCEPT Add a forwarding rule to accept any TCP packets on port 3389.Any packets intended for port 3389 will be forwarded to 172.168.44.128 on port 3389 Add a rule to the nat table that will modify TCP packets as soon as they come in.Next, I configured some iptables rules on the Kali box. : ~# echo 1 > /proc/sys/net/ipv4/ip_forward This would be useful for scenarios where SSH wasn’t available, or for further tunneling into internal networks.įirst, I enabled port-forwarding on my Kali box. In this case, I wanted to be able to RDP to a box that would forward my RDP connection without having to first create an SSH tunnel. While my tunneling was successful, I wanted to expand on it a bit more. Once I corrected this error, I was able to successfully connect! If you noticed above, I put the wrong IP address for the target (172.16.44.129 instead of. Unfortunately, I received an error when I tried to connect. I then setup an RDP connection to localhost using Royal TSX. Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent Individual files in /usr/share/doc/*/copyright. The exact distribution terms for each program are described in the The programs included with the Kali GNU/Linux system are free software The following command opens port 3389 on my local machine, and forwards it to port 3389 : ~/Documents$ ssh -L 3389:172.16.44.129:3389 's password: Next, I setup an SSH tunnel through my Kali box. Inet6 fe80::250:56ff:fe2f:ad0c prefixlen 64 scopeid 0x20Įther 00:50:56:2f:ad:0c txqueuelen 1000 (Ethernet)įinally, I used rdesktop to verify connectivity from my Kali host to the Windows target.įirst, I had to enable SSH root logins on my Kali host. TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 : 255.255.255.0Īs you can see, my Kali box also had a network adapter on my host-only (172.16.44.0/24) network. C:\Users\IEUser>ipconfigĮthernet adapter Local Area Connection 2:Ĭonnection-specific DNS Suffix. I then grabbed the IP address of the host, as this is what I would be connecting to. C:\Users\IEUser>netstat -a | findstr LISTEN Next, I enabled RDP and verified that the host was listening on port 3389. Enabling RDPįirst, I configured my Windows “target” box to have a host-only network adapter. You can also use it for accessing your own hosts, if you don’t want to use something like Guacamole.įor an in-depth write-up on bypassing some network restrictions using RDP tunneling, I recommend this FireEye post.įinally, for another in-depth guide, I really like this Black Hills post for some of the things that it covers. I’ve you’ve never performed RDP tunneling before, then it’s straightforward, and super useful during things like internal penetration tests. I wanted to share a few ways to setup an RDP Tunnel, as it’s proved very helpful during some engagements.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |