
RDP Share As Tunnel for Remote Lateral Movement


rdgunner


I'm not sure this is the best place to ask this question, so please let me know if you think it could be better answered elsewhere.
I'm working on a proof of concept where VMware Horizon View allows a person connecting with the Horizon client to access their local shared folders from the remote VM. These folders are located on the PC they use to connect with.
These show up as shares in the tsclient network location in Windows on the remote VM.
This appears to be simple RDP file sharing. The fact that this exists implies that there is a shared storage space and network connection between the local client PC and the remote VM.

The concept focuses on the fact that, because both machines can access this share, network protocol data could be passed between them.
The goal would be to tunnel network traffic over this common share to act as a remote proxy for lateral movement on the remote network by the client who is connecting.
This would grant the local connecting client a privilege of network access essentially equal to that of the remote VM, much like a classic VPN, but without opening any further ports or creating any new services that could be observed.

I'm trying to figure out if there exists software which would, for example, run an SSH tunnel over this file share, or something else that could be used as a proxy / port forwarder to access the other remote machines.
One thought would be to just dump the traffic to buffering text files on the share and write programs / find programs that can use these files like network buffers as a means of communication. The program would run on both sides and write and read network traffic via the text files in the share.

Essentially it would look like this:
horizon client pc <--> localshare with named pipe or network buffer files <--> remote vm <--> remote network
Does anyone know any way to do this or tools that would help?


  • 1 month later...

OK... let me see if I got this right... The host PC has network shares mapped and you need VMware to show those mapped drives in the VM?

This is already possible with GPO and VMware settings. It's not very secure and may possibly be an issue if you are in a corporate environment that needs legal separation, but it is totally possible.
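The GPO setting this reply refers to, from the defender's side, is the Remote Desktop Services policy "Do not allow drive redirection", which is what stops the connecting PC's folders from being exposed as \\tsclient\<drive> on the VM in the first place. The script below is an added example, not code from the thread or from VMware; it assumes it runs elevated on the remote VM (or the golden image, so it survives snapshot reverts) and that the session is RDP-presented as the thread describes. Horizon's own client drive redirection feature is governed by separate Horizon Agent policy settings, which are not covered here.

```powershell
# Added example (not from the forum thread). Audits and optionally enforces the
# Windows policy that disables RDP client drive redirection, i.e. the
# \\tsclient\<drive> shares the original post relies on.
# Assumption: run as an administrator on the session host / VM; the value is
# read when a session starts, so existing sessions keep their redirected drives.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$valueName = 'fDisableCdm'   # 1 = "Do not allow drive redirection" is Enabled

function Get-DriveRedirectionState {
    # Returns a short string describing the effective policy state.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'NotConfigured (client drive redirection allowed)'
    }
    if ([int]$item.$valueName -eq 1) {
        return 'Disabled (policy enforced)'
    }
    return 'Enabled (policy explicitly allows redirection)'
}

function Disable-DriveRedirection {
    # Creates the policy key if needed and sets fDisableCdm = 1.
    if (-not (Test-Path -Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name $valueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Audit first; pass -Enforce to change the setting.
param([switch]$Enforce)

Write-Output ("Before: " + (Get-DriveRedirectionState))
if ($Enforce) {
    Disable-DriveRedirection
    Write-Output ("After:  " + (Get-DriveRedirectionState))
    Write-Output "Sign out and back in (or reboot) for the change to apply to new RDP sessions."
}
```

In a domain, set the same policy centrally under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection, and treat any file activity under \\tsclient\ paths on VDI hosts as worth alerting on.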


On 2/9/2019 at 11:08 PM, rdgunner said: (the original post, quoted in full)

One part of your question I can answer.

The presentation of a VMware Horizon client can be over RDP or PCoIP.

The fact that local shared resources are shown as "\\tsclient\Bla" indicates that it's RDP presented through the VMware Agent/Client.

Since that stack (TCP 3389) is already taken by the RDP protocol, I would reckon that starting another service on that port would only be possible if you recompiled the RDP client and installed that in the golden image on the VMware View environment (reverting to the snapshot would remove your alterations).
