From Beacon to Interactive RDP Session
Lateral Movement, Tunnelling, Firewall Evasion
This is a quick note showing how to get an interactive Remote Desktop Session (RDP) session from a Cobalt Strike beacon by leveraging socks proxy and proxychains.
Say we have compromised a box and we have a beacon running on it:
The same compromised machine is listening on 3389, meaning it accepts incoming RDP connections:
Most often you will not be able to reach the machine via RDP from the outside due to corporate and host firewalls, however not all is lost - the machine is still reachable over RDP via sock proxy capability that the beacon provides.
Using the beacon we control, let's create a socks proxy on port 7777. This will expose a TCP port 7777 on the teamserver:
With the socks proxy create, we can now jump onto any linux box (Kali in my case) and configure proxychains to point it to the teamserver and the port we've just exposed:
We can now connect to the compromised box via RDP using xfreerdp:
Below illustrates a successful RDP connection was established although the user on the other end (me) killed the session:
If you are getting...
Error: CredSSP initialize failed, do you have correct kerberos ticket initialized? Failed to connect, CredSSP required by server
Suggestion is to use
rdesktopand the issue will go away.
CredSSP error using rdesktop