
socksoverrdp's Introduction

Socks Over RDP / Socks Over Citrix

This tool adds the capability of a SOCKS proxy to Terminal Services (or Remote Desktop Services) and Citrix (XenApp/XenDesktop). It uses a Dynamic Virtual Channel, which lets us communicate over an open RDP/Citrix connection without the need to open a new socket, connection or a port on a firewall.

How can I use it?

You need to install a plugin (.dll) on the client computer that you use to connect to the RDP/Citrix server. On the RDP/Citrix server you need to use the other half of the project, the .exe, which creates the channel between the plugin and the server executable. More details can be found below. If you want to use it with Citrix/XenApp/XenDesktop, please scroll to the Citrix section.

How does this work?

If the DLL is properly registered, it will be loaded by the mstsc.exe (Remote Desktop Client) or Citrix Receiver every time it is started. When the server executable runs on the server side, it connects back to the DLL on a dynamic virtual channel, which is a feature of the Remote Desktop Protocol. After the channel is set up, a SOCKS Proxy will spin up on the client computer, by default on 127.0.0.1:1080. This service can be used as a SOCKS5 Proxy from any browser or tool.

Compatibility

Dynamic Virtual Channels were introduced in Windows Server 2008 & Windows Vista SP1. These and anything newer than these should be good to go.
Right now the client works with mstsc.exe (Remote Desktop Client). In case you want to use it from Unix, give FreeRDP a try; it released a similar module at about the same time as this tool was released.
Citrix supports the same underlying API as Microsoft. It is not clear when it was introduced, but it was before 2013, so the plugin should work with most Citrix solutions.

Installation

You can grab the whole project and compile it by yourself or just use the compiled binaries from the Releases section. It is important that the correct binary is used in all cases, please select the correct one for the corresponding architecture (if your client is 32bit but the server is 64bit then grab the 32bit dll and 64bit exe). The .dll needs to be placed on the client computer in any directory (for long-term use, it is recommended to copy it into the %SYSROOT%\system32\ or %SYSROOT%\SysWoW64\) and install it with the following command as an elevated user (a.k.a Administrator):

regsvr32.exe SocksOverRDP-Plugin.dll

If your user is not an administrator, you need to import the registry settings under your user too. Please use the SocksOverRDP-Plugin.reg file for that.

If you wish to remove it:

regsvr32.exe /u SocksOverRDP-Plugin.dll

Every time you connect to an RDP server from now on, this plugin will be loaded and will configure itself as it was specified in the registry (see below).

The .exe needs to be copied to the server and executed by any user.

Citrix / XenApp / XenDesktop

The tool works with the Citrix Receiver that is used to connect to the Citrix server. Either an app or a full desktop can be provided to the user; the tool works in both cases if the plugin was correctly installed and the .exe server component was copied to and executed on the Citrix server.
Citrix seems to have a 32-bit Citrix Receiver only. This means that if your operating system is 64-bit and you have already registered the corresponding .dll, you need to unregister that .dll and use the 32-bit version. In case you use a 32-bit OS, you just register the .dll as mentioned above.
Please note that 64-bit Windows has two copies of regsvr32.exe, one in %WINDIR%\system32 (x64) and one in %WINDIR%\SysWOW64 (x32). Use the latter to register the 32-bit .dll, which will be automatically loaded by the Citrix Receiver upon execution. Everything else should be the same; please make sure you have followed the readme before opening issues on GitHub.

Options/Configuration

The server component (.exe) does not need any configuration or require any arguments. There is one optional switch, for verbosity:

PS C:\Users\SocksOverRDP\> .\SocksOverRDP-Server.exe -h
Socks Over RDP by Balazs Bucsay [[@xoreipeip]]

Usage: SocksOverRDP-Server.exe [-v]
-h              This help
-v              Verbose Mode

The client component (.dll) comes with preset settings, which are installed by the .dll itself when it is registered, or need to be imported from SocksOverRDP-Plugin.reg.

  • enabled: 0 disabled, 1 enabled (plugin only). By default it is enabled and will tell you in a messagebox every time you initiate a connection.
  • ip: which IP to connect to or bind to
  • port: which port to connect to or bind to

The client .dll reads all the options from the registry, the values can be found under the following key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\SocksOverRDP-Plugin

Every time the module is enabled, a reminder warning is shown before the connection is made.

This warning ensures that the user knows that the plugin is loaded and with what settings.

Issues

In case the plugin does not load or the executable does not run because it is missing some DLLs for example the VCRUNTIME140.DLL, you might want to install the Visual C++ Redistributable for Visual Studio 2015 package.

Tested on Windows 11 ARM64: Redistributable

0x8002801c

On Windows 11 ARM64 (Macbook Pro M1) the following error message is shown at installation: The module SocksOverRDP-Plugin.dll was located but the call to DllRegisterServer failed with error code 0x8002801c

Although this error is shown, the module is properly installed and can be used.

Security concerns

The server component (.exe) can be executed by any user, including low-privileged users; there are no security risks associated with this component at all.

By default the client component (.dll) is configured to listen only on localhost. If that is changed to, for example, 0.0.0.0 and there is no firewall or the firewall is misconfigured, it could result in a security issue, since other computers on the network can then access the SOCKS proxy and communicate over the RDP server.

Please note that the SOCKS Server is only up, when the RDP/Citrix connection is alive and the executable is running on the server.
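The loopback versus 0.0.0.0 distinction described above can be checked before a listener binds. This is an added example, not code from SocksOverRDP: classify_bind, bind_allowed and the allow_remote switch are hypothetical names, the sample addresses are constructed, and the POSIX header is assumed (Windows builds would include <ws2tcpip.h> instead).

```cpp
#include <arpa/inet.h>  // inet_pton, ntohl (POSIX; Windows builds use <ws2tcpip.h>)
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <iostream>
#include <string>

enum class BindScope { Loopback, AllInterfaces, Routable, Invalid };

// Classify a textual bind address such as the plugin's "ip" registry value.
BindScope classify_bind(const std::string& ip) {
    in_addr v4{};
    if (inet_pton(AF_INET, ip.c_str(), &v4) == 1) {
        const std::uint32_t a = ntohl(v4.s_addr);
        if (a == 0) return BindScope::AllInterfaces;       // 0.0.0.0
        if ((a >> 24) == 127) return BindScope::Loopback;  // all of 127.0.0.0/8
        return BindScope::Routable;
    }
    in6_addr v6{};
    if (inet_pton(AF_INET6, ip.c_str(), &v6) == 1) {
        static const unsigned char zero[16] = {};
        if (std::memcmp(v6.s6_addr, zero, 16) == 0) return BindScope::AllInterfaces;  // ::
        if (std::memcmp(v6.s6_addr, zero, 15) == 0 && v6.s6_addr[15] == 1)
            return BindScope::Loopback;                    // ::1
        return BindScope::Routable;
    }
    return BindScope::Invalid;  // hostnames and malformed input are rejected
}

// Hypothetical policy: only loopback binds pass unless remote exposure was explicitly accepted.
bool bind_allowed(const std::string& ip, bool allow_remote) {
    switch (classify_bind(ip)) {
        case BindScope::Loopback: return true;
        case BindScope::Invalid:  return false;
        default:                  return allow_remote;
    }
}

int main() {
    // Constructed sample values, not taken from any real configuration.
    for (const char* ip : {"127.0.0.1", "0.0.0.0", "192.168.1.20", "::1", "localhost"})
        std::cout << ip << " -> " << (bind_allowed(ip, false) ? "bind" : "refuse") << "\n";
    return 0;
}
```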

Defence

The only known way to prevent users from using this tool is to disable Virtual Channels in the Remote Desktop Server configuration. Although this does block the tool, it also disables copy & paste, which might be a show stopper or a big annoyance for the users.

Although it is possible to disable the dynamic virtual channels in RDP, the following solution to do the same is ineffective for Citrix: https://support.citrix.com/article/CTX202153


socksoverrdp's Issues

Declared license

Hi!

I just found out about this project, which is inspired by the equivalent virtual channel extension in FreeRDP. Would it be possible to declare an Apache 2.0 license for this project, making it easier to potentially share some of the code with FreeRDP?

I would be interested in giving this project a try, and use it as a reference for other similar projects. I have plans for developing a similar virtual channel extension that would be meant for PowerShell remoting over RDP, porting the extension to mstsc and FreeRDP with the same code base.

Unix support?

Hi there!

I'm currently running MacOS and I'm interested if it's possible to support FreeRDP.

Look at README.md

In case you want to use it from Unix, give FreeRDP a try, it has released a similar module in about the same time as this tool was released.

Could you explain more?

I'm currently testing rdp2tcp (https://github.com/V-E-O/rdp2tcp). It works fine for SSH, but if I'm using a browser which sends tons of requests, rdp2tcp stops working on the server or client side. Looks like it can't handle multiple connections well.

SOCKS over VMWare Horizon?

Thanks for the hard work you put into this tool.

I was wondering if you had looked at the VMWare Horizon VDI Desktop protocol? It also supports connecting local devices such as USB, so it seems like there may be a chance that this could be extended to work with the Horizons protocol as well as RDP and Citrix.

Not working on Windows Server 2019 17763.rs5_release.180914-1434

I downloaded the x64 version and I am having trouble running it on a domain-joined Windows Server 2019 instance with RDP enabled. When I run SocksOverRDP-Server.exe -v I get the following error:

[-] Could not open Dynamic Virtual Channel: 1 00000001

It is the x64 version of Windows. I have tried both the x86 and x64 versions of the binary. The Microsoft Visual C++ Runtime libraries are installed. This is server-side only. The client-side DLL appears to load fine after registering on my Windows 10 client machine.

It's a lab environment, so I'm comfortable breaking stuff with you if you want me to try things.

Mitigations

Hello.
It really works! It works even without rdpclip.
But how to prevent it?

Connection corrupt due "Packet corrupt"

Situation

WIN1: My PC, the RDP client.
WIN2: A jump server, the RDP server.
SERVER: A Linux server which can't be accessed by WIN1, but can be accessed by WIN2.

Issue

Using this software, WIN1 can access SERVER successfully, this is great! But the connectivity doesn't seem very stable, I got the error below after being connected for a while.

Server sent disconnect message
type 2 (protocol error):
"Packet corrupt"

Can this issue be solved at "software" level?

Build fails because buffer overflow is detected

Compiling the server project results in the following error in VS:

error C4789: buffer 'answer2' of size 309 bytes will be overrun; 309 bytes will be written starting at offset 9

This is the relevant code:

    char    null[20], *answer, answer2[300 + sizeof(DWORD) + sizeof(DWORD) + 1];
    DWORD   dwWritten, ret;

    struct threads *pta;

    answer = answer2 + sizeof(DWORD) + sizeof(DWORD) + 1;
    memset(answer, 0, 300 + sizeof(DWORD) + sizeof(DWORD) + 1);

https://github.com/nccgroup/SocksOverRDP/blob/master/SocksOverRDP-Server/SocksServer.cpp#L184

While answer is pointed inside the answer2 buffer, memset writes the full size of the answer2 buffer.

I'm not sure about the intention here, but based on the initialization of answer, I assume that only 300 bytes should be set here (first two pointers and one byte remains intact at the beginning of the buffer).
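The arithmetic behind the C4789 diagnostic in the report above, with a bounded clear that cannot leave the buffer. This is an added example, not the project's code or its fix: the DWORD alias (4 bytes, as the 309-byte size in the compiler message implies), the constants and the helper names are assumptions, and clearing only the bytes after the header follows the reporter's reading of the intent.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>

using DWORD = std::uint32_t;  // stand-in for the 4-byte Windows typedef

constexpr std::size_t kPayload = 300;
constexpr std::size_t kHeader  = sizeof(DWORD) + sizeof(DWORD) + 1;  // 9 bytes
constexpr std::size_t kTotal   = kPayload + kHeader;                 // 309, size of answer2

// Bytes a write of `len` starting at `offset` would land beyond a buffer of `size` bytes.
constexpr std::size_t overrun_bytes(std::size_t size, std::size_t offset, std::size_t len) {
    return offset > size ? len
                         : (len > size - offset ? len - (size - offset) : 0);
}

// Space left between `offset` and the end of the buffer.
constexpr std::size_t room_after(std::size_t size, std::size_t offset) {
    return offset <= size ? size - offset : 0;
}

// Bounded clear: zero only what lies after the header, never more than the buffer holds.
std::size_t clear_payload(char* buf, std::size_t size) {
    const std::size_t n = room_after(size, kHeader);
    if (n != 0) std::memset(buf + kHeader, 0, n);
    return n;
}

// The call from the report writes kTotal bytes at offset kHeader: 9 bytes too many.
static_assert(overrun_bytes(kTotal, kHeader, kTotal) == 9, "reported memset overruns");
static_assert(overrun_bytes(kTotal, kHeader, kPayload) == 0, "payload-sized memset fits");

int main() {
    char answer2[kTotal];
    std::memset(answer2, 0x41, sizeof(answer2));  // constructed fill pattern
    const std::size_t cleared = clear_payload(answer2, sizeof(answer2));
    std::cout << "cleared " << cleared << " bytes, header byte 0 = "
              << static_cast<int>(answer2[0]) << "\n";
    return 0;
}
```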

SocksOverRDP-Server.exe: Could not open Dynamic Virtual Channel: 1 00000001

Hi,

The SocksOverRDP-Server on the RDP server side (Win2012R2) couldn't seem to work (with the error message - Could not open Dynamic Virtual Channel: 1 00000001) after the RDP session has been established.

For the RDP client side on Windows 10, the RDP client process has successfully loaded SocksOverRDP-Plugin.dll (verified by tasklist /m command ) with the message box prompt.

For your advice, please

Can the Server side executable add the ability to connect to the Socks/Http proxy?

This plugin is great! It solves my big problem.
But can the Server side executable add the ability to connect to the Socks/Http proxy?
In this way, a proxy chain can be formed. The client plug-in provides the Socks proxy service, and then flows to the server through the DVC. Finally, the Socks/Http proxy egress traffic of the server environment is equivalent to mirroring the proxy of the server to the client.
In this way, we can configure the server proxy to enable the client to enjoy more diversified proxy functions.
It's an exciting thing to think about! Just my C++ is not good enough. This idea is a bit of an impotence for me

connection not stable

Thanks for the tool, it is very useful, however running ssh over the socks created on the RDP channel is not stable

  • there is a lag for command typed and displayed.
  • ssh connection aborts quite often
