rdgunner

RDP Share As Tunnel for Remote Lateral Movement

I'm not sure this is the best place to ask this question so please let me know if you think it could be better answered elsewhere.
I'm working on a proof of concept where VMware Horizon View allows a person connecting with the Horizon client to access their local shared folders from the remote VM. These folders are located on the PC they use to connect with.
These show up as shares in the tsclient network location in Windows on the remote VM.
This appears to be simple RDP file sharing. The fact that this exists implies that there is a shared storage space and network connection between the local client PC and the remote VM.

The concept focuses on the fact that because both machines can access this share, network protocol data could be passed between them.
The goal would be to tunnel network traffic over this common share to act as a remote proxy for lateral movement on the remote network by the client who is connecting.
This would grant the local connecting client a privilege of network access essentially equal to that of the remote VM, much like a classic VPN, but without opening any further ports or creating any new services that could be observed.

I'm trying to figure out if software exists that would, for example, run an SSH tunnel over this file share, or something else that could be used as a proxy / port forwarder to access the other remote machines.
One thought would be to just dump the traffic to buffering text files on the share and write programs / find programs that can use these files like network buffers as a means of communication. The program would run on both sides and write and read network traffic via the text files in the share.

Essentially it would look like this:
horizon client pc <--> localshare with named pipe or network buffer files <--> remote vm <--> remote network
Does anyone know any way to do this or tools that would help?

 
