Zero Day Archives
  • What is Zero Day Archives?
  • Contributors
  • Wireless Security
    • Intro to WiFi Pentesting
      • WEP Networks
      • WPS
      • WPA-PSK Networks
      • WPA & WPA2 PSK
      • WPA2 & WPA3 Enterprise Networks
      • WPA2 & WPA3-APLess
  • Reverse Engineering
    • Reverse Engineering
      • Introduction to Software Reverse Engineering
        • Introduction to Capture the Flag (CTF) Competitions
        • What are PE & Elf Binaries
        • Assembly Language for Beginner Reverse Engineers
        • Memory Registers for x86-64 (64-bit) and x86 (32-bit)
        • Reversing Tools: Command-Line Utilities for Binary Analysis
        • Reversing ELF Binaries: Techniques and Tools
      • Disassembly & Debugging
        • GDB for Reverse Engineering
        • RADARE2 for Reverse Engineering
        • GHIDRA for Reverse Engineering
        • IDA Pro for Reverse Engineering
      • Binary Exploitation
        • Buffer Overflows
          • What are Buffer Overflows and Stack Protections?
          • Commonly Exploited C Functions and Their Secure Alternatives
          • Basic Buffer Overflow in x86-64 Using GDB
        • Cryptography
          • Understanding Ciphers and Identifying Common Patterns
          • Teaching XOR Operations in Binary Exploitation
        • Return Oriented Programming (ROP)
          • Practical Guide to Exploring and Identifying Return-Oriented Programming (ROP)
        • Cracking and Patching Binaries
          • Tactics, Tools, and Procedures for Cracking and Patching Binaries
        • Ret2Win Challenges
  • Malware Analysis
    • Malware Analysis
      • Static Analysis
  • Transporting Files to/from Victims
    • Transferring Files to/from High Value Targets
      • Linux
      • Windows
      • CrackMapExec (NetExec)
  • Penetration Testing against GIT Remote Repositories
    • Targeting GIT Repositories
      • Attacking GIT
  • Network Pivoting, Port Forwarding, and Tunneling
    • Pivoting
      • Ligolo-ng
        • Basic Pivoting
        • Setup Reverse Shells through Pivot
        • Transferring Files through Pivot
      • Pivoting: Using Remote Desktop
      • ProxyChains
      • Metasploit
    • SSH Tunneling
      • SSH Local Port Forwarding
      • SSH Dynamic Port Forwarding
      • Sshuttle over SSH
    • Port Fowarding
      • Chisel Port Forwarding
      • NetSH for Port Forwarding
      • Plink for Port Forwarding
      • SoCat
      • Metasploit: Port Forwarding
  • Anti-Virus Evasion
    • Anti-Virus Evasion
      • Evasion with Metasploit
      • Evasion wtih Shellter
      • Evasion with Virus Total
  • Public Exploit Research
    • Online Exploit Research & Methods
  • Password Attacks
    • Password Attacks
      • Identifying Hashes
        • Hash Identifier Tools
      • John The Ripper
        • Cracking Passwords with John
        • Convert to Hashes with John
        • NTLM vs NTLMv2 Hashes + CrackMapExec
      • Hashcat
        • Cracking Passwords with Hashcat
      • Hydra
        • Hydra for Network Services
        • Hydra for Web Services
      • Mutating Wordlists for John & Hashcat
        • Mutating Wordlists
  • Digital Forensics & Incident Response (DFIR)
    • Digital Forensics
  • Data Science
    • Data Science/AI
  • Software Defined Radio (SDR)
    • Software Defined Radio
  • Embedded Systems Programming
    • Field Programmable Gate Arrays (FPGAs)
  • Other Resources
    • Resources for Hackers
Powered by GitBook
On this page
  1. Network Pivoting, Port Forwarding, and Tunneling
  2. Pivoting

Pivoting: Using Remote Desktop

Using RDP Through a Pivot Point

In this section, we will go over how to set up and use RDP (Remote Desktop Protocol) through a pivot point. This is especially useful for situations where you want to remotely access a Windows machine behind a firewall or NAT, using a system as a pivot point. Ligolo-ng, combined with a reverse shell, allows us to forward RDP traffic from the target machine through the pivot to our Kali machine.

Step 1: Set Up the Pivot Connection

First, ensure you have an active reverse shell session established with a pivot machine. We will use this pivot machine to forward RDP traffic from the internal network to our Kali machine.

Assume the internal target machine, has RDP enabled, and you want to access it using the pivot point.

Step 2: Set Up RDP on Kali

Now that the pivot is set up, we can connect to the internal RDP service by forwarding the connection through the pivot. You can use xfreerdp, a Linux command-line client for RDP, to connect to the target machine.

To connect to the target machine’s RDP service through the pivot, you can run the following command:

xfreerdp /v:172.16.5.35 /u:marshall /p:'password' /cert:ignore +drive:smbfolder,/home/kali/

Explanation of the command:

  • /v:172.16.5.35: This specifies the RDP server (target machine). In this case, 172.16.5.35 is the IP of the internal machine that is behind the pivot.

  • /u:marshall: This is the username used to authenticate with the RDP server.

  • /p:'password': This is the password for the RDP user. Note: It’s best to use more secure practices when dealing with sensitive credentials, and avoid directly including passwords in commands.

  • /cert:ignore: This option tells xfreerdp to ignore any SSL/TLS certificate verification errors. This is useful when you don’t have a valid certificate for the RDP session.

  • +drive:smbfolder,/home/kali/: This option maps the folder /home/kali/ on your Kali machine to an SMB share in the RDP session. This allows you to transfer files between your Kali machine and the remote Windows machine through the RDP session.

Step 3: Verify the Connection

Once the command is executed, you should see the RDP session connecting to the internal Windows machine. You will have full control over the remote machine’s desktop, and you can interact with it just as if you were sitting in front of it.

  • If you encounter any issues with the connection, ensure that Ligolo-ng is still forwarding traffic correctly, and verify that the pivot machine is properly routing the RDP traffic.

Step 4: Interact with Files and RDP Session

The +drive:smbfolder option ensures that your Kali machine’s /home/kali/ directory is available as an SMB share within the RDP session. This allows you to easily transfer files between the local and remote machine during your RDP session.

  • You can drag and drop files between your Kali machine and the internal Windows machine.

  • You can also use the SMB share to execute tools or scripts stored on your Kali machine, providing an efficient way to work with files during penetration tests.

Why using RDP is a value to you:

Using RDP through a pivot point can be a valuable technique in a penetration testing engagement, as it allows for remote desktop access to systems behind firewalls or NAT. By leveraging Ligolo-ng to forward RDP traffic (or another preferred pivoting tool), you can bypass restrictions and securely connect to internal systems. With tools like xfreerdp, file transfer capabilities can be included, providing additional flexibility during your engagement.

Make sure to follow best security practices when handling credentials and always verify your connection before performing any critical actions on the target system.

PreviousTransferring Files through PivotNextProxyChains

Last updated 19 days ago