“The RDP Through SSH Encyclopedia. Carrie Roberts //* I have needed to remind myself how to set up RDP access through an SSH connection so many times that I’ve decided to document it here for future reference. I hope it proves useful to you as w…”
T1021.001 Remote Desktop Protocol (90%)
“This is what we have created. Note that we chose local port 3390 because Windows complains with a “Your computer could not connect to another console” error as shown below if you try to connect to localhost 3389 with the RDP client. Finally, we can now RDP from our attacker sys…”
T1090.001 Internal Proxy (87%)
“-P 443 -i at.ppk -nc 127.0.0.1:5001" After executing this command, configure the browser on the attacker system to use the SOCKS proxy on localhost 9999. You can do this in Firefox by going to Settings (the hamburger menu in the upper right) -> Options, search for “…”
T1090.001 Internal Proxy (85%)
“port proxies use “reset”: netsh interface portproxy reset. Now we just need to execute the two commands we learned about earlier to complete the setup, one from the dropbox and one from the attacker system. From the dropbox, run the following commands from the directory containin…”
T1572 Protocol Tunneling (81%)
“starting point for this scenario. Here we have the attacker system on one internal network that is not accessible from the internet. The attacker operating system is Windows. Next, we have a Linux computer on the internet (e.g. a Digital Ocean droplet). We refer to this system…”
T1090.001 Internal Proxy (78%)
“. This could be a system we literally put on the target internal network or one that already existed that we now have access to execute commands on. The drawing below shows the starting point for this scenario. First, we’ll set up a local port listen on 3390 and forward it to o…”
T1090.001 Internal Proxy (77%)
“You could change the system proxy to point to your dynamic SOCKS proxy on port 9999, but you might be sending more traffic to the internal network than just your browser traffic, which may be undesirable. I recommend using Firefox because it manages its own proxy settings apart fr…”
T1572 Protocol Tunneling (74%)
“proxycmd portion of the command is shown below. plink root@%external_ip% -P 443 -i at.ppk -nc 127.0.0.1:5001. The state of our connection after just this proxycmd runs is shown below. The “-nc” portion of the command tells plink to open a tunnel to 127.0.0.1 p…”
T1572 Protocol Tunneling (72%)
“port proxies use “reset”: netsh interface portproxy reset. Now we just need to execute the two commands we learned about earlier to complete the setup, one from the dropbox and one from the attacker system. From the dropbox, run the following commands from the directory containin…”
T1090.001 Internal Proxy (72%)
“in PPK format. If you run this command from a different directory than where your at.ppk file is, you’ll need to provide the full path to the file, such as “C:\Users\admin\.ssh\at.ppk”, in both locations it is referenced in the command. plink -i at.ppk root@%ext…”
T1090.001 Internal Proxy (63%)
“the attacker machine to the target system. The example here uses xfreerdp: xfreerdp /u:intdomain\carrie /v:127.0.0.1:3390. Alternatively, instead of setting up for RDP access, we could set up for browser access. This does not require administrative access to run comma…”
T1090.001 Internal Proxy (58%)
“proxycmd portion of the command is shown below. plink root@%external_ip% -P 443 -i at.ppk -nc 127.0.0.1:5001. The state of our connection after just this proxycmd runs is shown below. The “-nc” portion of the command tells plink to open a tunnel to 127.0.0.1 p…”
T1572 Protocol Tunneling (42%)
“the attacker machine to the target system. The example here uses xfreerdp: xfreerdp /u:intdomain\carrie /v:127.0.0.1:3390. Alternatively, instead of setting up for RDP access, we could set up for browser access. This does not require administrative access to run comma…”
T1021.004 SSH (40%)
“An alternative to running the long SSH command above: we can add the following to our SSH config file (/root/.ssh/config) on the attacker system.
Host external
HostName 208.8.8.8
User root
Port 443
IdentityFile ~/.ssh/at.key
Host dropbox
HostName 127.0.0.1
User r…”
T1572 Protocol Tunneling (37%)
“protected] -p 5001 -L 3390:$target_ip:3389 -J root@$external_ip:443. Now we have a full communication path from port 3390 on our attacker machine all the way to port 3389 on our target server. We can use any Linux RDP client to connect to our target. For this exa…”
T1572 Protocol Tunneling (36%)
“. This could be a system we literally put on the target internal network or one that already existed that we now have access to execute commands on. The drawing below shows the starting point for this scenario. First, we’ll set up a local port listen on 3390 and forward it to o…”
T1090.002 External Proxy (32%)
“You could change the system proxy to point to your dynamic SOCKS proxy on port 9999, but you might be sending more traffic to the internal network than just your browser traffic, which may be undesirable. I recommend using Firefox because it manages its own proxy settings apart fr…”
Summary
Carrie Roberts //* I have needed to remind myself how to set up RDP access through an SSH connection so many times that I’ve decided to document it here for […]