Government Security
Network Security Resources

Reverse Remote Desktop

server network router tools firewall
18 replies to this topic

#1 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 26 February 2011 - 01:31 AM

So basically we have this:

application_1 is installed on the terminal server (or it can be installed on some other machine in the network that doesn't have RDP but is on the same subnet as the terminal server; it doesn't matter):

192.168.0.3:3389<-(application_1)->
^
|
|
v

FIREWALL/router in between

^
|
|
v
(555:application_2:123)remote_server

And an explanation:

application_2 LISTENS for incoming connection from application_1 on port 555
application_1 REVERSE CONNECTS to application_2 on port 555
application_2 also LISTENS at port 123.. So we connect to it with "mstsc /v:127.0.0.1:123"
application_1 forwards our connection locally to RDP port at 192.168.0.3:3389
...and we have established a remote desktop connection..

But there is one catch.. I don't know of any such tool or combination of tools that can accomplish this :P Do you?
Only Unity Saves the Serbs
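
Seen from the terminal server, the application_1 role in the post above is one process that holds an outbound connection to an external host and also a client connection to the internal RDP port. One way to flag that pattern in a connection table, as an added example that is not part of the original thread. The `netstat -ano` style sample, the `INTERNAL` ranges, the PIDs and the address 203.0.113.10 standing in for remote_server are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "lip lport rip rport state pid")

# Assumption: the ranges this site treats as internal.
INTERNAL = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "127.0.0.0/8")]

# Constructed `netstat -ano` style sample for the terminal server 192.168.0.3.
# 203.0.113.10 stands in for remote_server; all PIDs are made up.
SAMPLE = """\
  TCP    0.0.0.0:445         0.0.0.0:0           LISTENING    4
  TCP    0.0.0.0:3389        0.0.0.0:0           LISTENING    1104
  TCP    192.168.0.3:3389    192.168.0.44:51022  ESTABLISHED  1104
  TCP    192.168.0.3:3389    192.168.0.3:49703   ESTABLISHED  1104
  TCP    192.168.0.3:49703   192.168.0.3:3389    ESTABLISHED  2212
  TCP    192.168.0.3:49702   203.0.113.10:555    ESTABLISHED  2212
  TCP    192.168.0.3:49650   198.51.100.7:443    ESTABLISHED  3020
"""


def _endpoint(text):
    # "192.168.0.3:3389" or "[::]:3389" -> (host, port)
    host, port = text.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse(text):
    """Turn netstat-style TCP rows into Conn records, skipping other lines."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            conns.append(Conn(*_endpoint(f[1]), *_endpoint(f[2]), f[3], int(f[4])))
    return conns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_relays(conns, service_ports=(3389,)):
    """Return {pid: (external_peers, internal_service_peers)} for processes that
    initiated both an external connection and one to an internal service port."""
    listening = {c.lport for c in conns if c.state == "LISTENING"}
    legs = defaultdict(lambda: ([], []))
    for c in conns:
        # Connections on a listening local port were accepted, not initiated.
        if c.state != "ESTABLISHED" or c.lport in listening:
            continue
        peer = f"{c.rip}:{c.rport}"
        if not is_internal(c.rip):
            legs[c.pid][0].append(peer)
        elif c.rport in service_ports:
            legs[c.pid][1].append(peer)
    return {pid: v for pid, v in legs.items() if v[0] and v[1]}


if __name__ == "__main__":
    for pid, (ext, svc) in find_relays(parse(SAMPLE)).items():
        print(f"PID {pid}: outbound {ext} relayed to {svc}")
```

The RDP service itself (PID 1104 in the sample) is not flagged, because its connections sit on a listening port; a sanctioned SSH client doing the same forwarding would be flagged and has to be allow-listed by whoever runs the check.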

#2 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 26 February 2011 - 03:41 AM

Why all this trouble? There are port redirectors, but I don't know if they would effectively work for this matter.

Also, if both computers are in the same network but, e.g., in another perimeter, you can configure the router to permit connections to the machine you wish by providing the machine's IP address and port(s). This would save time and disk space, as you wouldn't need to install anything.
http://www.secumania.net - Secumania security blog.


Embed any executable in a JPEG image and get it to run upon opening the image with this cool tool that abuses a feature of GDI in Windows systems. for governmentsecurity.org members only! click here to get it!

#3 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 26 February 2011 - 04:03 AM

Well, yes, but if you don't have access to the router/firewall, or if port forwarding/UPnP is disabled, or if you just wish to keep everything locked out behind the firewall, then the only solution is to use something like what I mentioned...

It seems it's possible using SSH tunneling + PuTTY + a few more things, but there is still much more research left to do...
Only Unity Saves the Serbs

#4 Exploter

Exploter

    Private

  • Members
  • 19 posts

Posted 26 February 2011 - 08:41 AM

It can be done with simple port-redirecting programs like
fpipe (Free Tools | McAfee Downloads)
I have a private VB program made by a friend. I will show you the concept using the program [but I can't share it, just show you the concept].
There is a client and a server: the server is hosted by me, the client runs on the firewalled box. I run the client with a DOS command pointing to my IP address and run the server in waiting mode (the program is in Hebrew, sorry).
Posted Image
Then I connect to my local IP with the port shown in the program, in my case 4806 {RDP to 127.0.0.1:4806}.
Posted Image
And that's it, the port is redirected with a simple idea; just create a simple program for yourself :)

#5 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 26 February 2011 - 03:17 PM

fpipe would work, if we know that at least one port is allowed to be open... Because it listens locally for incoming connections..

If it would reverse connect to some client program, that would be it :)
Only Unity Saves the Serbs

#6 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 27 February 2011 - 04:33 PM

What you need is software that supports reverse connections. We have talked here in the past about remote admin tools that support reverse connections :rolleyes:
http://www.secumania.net - Secumania security blog.



#7 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 28 February 2011 - 07:44 AM

And how will a RAT allow me to connect to Remote Desktop in the scenario which I described?
Only Unity Saves the Serbs

#8 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 28 February 2011 - 11:21 AM

The reverse connection concept is basically this:

The server computer acts as the server (as expected), but instead of listening on a port for incoming connections, it connects to some client computer and provides remote access. So the client necessarily has to accept incoming connections from the server and must bind to a port. This is the "reverse connection" concept, speaking very basically.

If both client and server cannot receive connections, then you would need a 3rd computer (and that seems quite obvious) that is able to receive connections. This computer would then act as a proxy, and would receive the 'commands' from the client and redirect them to the server, which would get and process them.

Now if the computer that you want to control remotely is behind a restrictive firewall/router that stops it from both receiving connections and connecting to remote computers, be it in the same local network or on the internet, then you are in trouble. You would need to find a way to bypass the firewall/router. Anyway, if you want to control a computer that is in the same network but in that perimeter there is a firewall/router that you need to go through, then you should either change the settings yourself or talk to the network admin to do that for you.

You see, that's what, in my honest opinion, makes your intentions look suspicious when you make so many of these requests. :rolleyes:
http://www.secumania.net - Secumania security blog.



#9 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 28 February 2011 - 09:16 PM

Haven't heard your honest opinion in a while :)
You didn't understand the question at all.. :( I asked what a RAT (or trojan if you wish) has to do with the scenario I described, and not what a reverse connection is.. I know what both are, of course..

The point of the scenario described is: if you wish to completely block your network from OUTSIDE access/scanning, how do you still use some features you really need but that lack reverse connection capabilities, such as remote desktop for example? You can extend it to any other service.. like remote access to an SQL database.. That will keep your services safe from any outside attack, such as brute forcing, exploiting etc., leaving only the insider or firewall attack options available..

------------
Now, back to the SUBJECT: the solution to my question is setting up a connection through an SSH tunnel, for those that are interested.. For example, Tunnelier (http://www.bitvise.com/tunnelier) is automatically able to make a "reverse connection Remote Desktop", but you can use others...
------------


And as for my requests, to settle this once and for all..
FOR ME,I repeat,FOR ME(and I don't question or wanna get into other people's views) forums are:
a. places to get news
b. places to get help for something you don't know(aka make REQUESTs) and this makes 99% of forum topics..
c. places to get some information quicker and from experts in that field so you don't need to waste time to check if your google finding is working solution, has flaws or there are things I am not even aware of and could cost me dearly in world of security..
d. and when I click VIEW NEW POSTS, if there is something I can help someone with,I will but that's also solving other people's REQUESTs
e. whenever I want advice, or solution from experts and people with experience in the desired field
whenever I am not sure if my thoughts about some subject are completely right and that there might be some other point of view
whenever I am not 100% sure if I covered all angles even of some,on first glance or truly simple subject
whenever I think that posting something will benefit me in a way that it will save me some of my expensive and always lacking time
... I will post a request, and I don't see anything wrong with it... If you think they are malicious/blackhatty/"no way in hell it can be used for good" and have a personal problem with it, then report, say what you mean, that's your full right... I believe that is the core problem of your, let's say softly, "disagreement".. But I have no intention of explaining to anyone whether I am a whitehat, a blackhat, work for government/law doing standard security jobs, work for government/law doing "nonstandard" jobs, or am all of that...


So, I really don't understand what you have against me making requests.. I found the solution to my own question this time, but this is now the topic where people will find how to make any application reverse connect from behind a firewall or limited router, and how to secure their network to the point of not relying on the security of running applications but on complete lockout and limitation of entry ways..
Only Unity Saves the Serbs

#10 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 01 March 2011 - 06:16 PM

I fully understood your request. You didn't get what I was trying to explain... that if you have a router/firewall that is not allowing the computer in question to access the internet or receive connections, then unless you are able to bypass the restrictions, you won't be able to use software to tunnel connections, simply because the computer won't reach any host, and no host will reach your computer.

The same is valid for a local network where a router is between the computer in question and another computer in the LAN. If it does not allow the other computers to connect to it, or the computer to connect to others, then again you would need to bypass the restrictions of the router. To use the solution you stated, the computer where you are going to use it must either:

1) be able to connect to another computer in the network that is able to access the internet (in case you wish to redirect the connection to a remote computer, not in the same local network)

2) be able to receive connections from a computer in the same local network

3) be able to connect directly to a computer on the internet. In this case the computer on the internet must allow incoming connections, and it would act as a proxy to another target on the internet that, e.g., cannot receive incoming connections but is able to connect to other machines.

So to sum this up, you cannot establish connections via magic when a router restricts incoming and outgoing connections to all hosts.

About your views... I have to disagree that forums are 99% requests. They are also information sharing, that is, people post stuff that can raise discussion and new ideas. Of course at times people do need some advice or help, then yes, a request is made, no problem at all.

I don't see you helping others, just making request after request, but each person offers what they have. I don't see you as a white/black hat or a gov agent, and I'd better not even state what I think, since it's off topic.

From the last topic you made (win priv. escalation) it seems you don't have the patience to perform searches and simply throw your doubts/wishes into forums in the hope that the nice guys will get everything ready-made for you.

Please try posting something that has not been discussed in the past, so that, in this case, it would indeed be helpful and raise a good discussion among the members.

thank you in advance.
http://www.secumania.net - Secumania security blog.



#11 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 01 March 2011 - 10:51 PM

No, you definitely didn't read or understand my question!!! Since you are wrong about 1) 2) and 3) ...
What you say can't be done is exactly what the solution I found is doing!!! And the router doesn't need to be asked a thing...
Since the machine that I wish to make a "reverse connection Remote desktop" from does have outgoing connections enabled, like I stated in the first post (..application_1 reverse connects...), this is all that's important regarding router/firewall settings..
Also, the targeted machine doesn't have to be connected to another networked machine, and it doesn't need to have incoming connections unblocked, since application_1 can connect to 127.0.0.1:3389 (which is the vital point of the solution) after the tunnel has been created..
And no, it has never been discussed before; the only place mentioning something SIMILAR is this:
http://www.governmen...showtopic=28923
Only Unity Saves the Serbs

#12 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 04 March 2011 - 06:24 AM

Your arguments just show you didn't read what I explained, or possibly only skimmed through it. I gave you possibilities and the outcomes from those possibilities. I didn't state anything about your computer and didn't say tunneling or connecting to a remote host, when it *is* indeed permitted, is not possible. What you have accomplished could have been done in minutes if you had taken your time to perform a simple search. I'm saying this since you stated you don't have much time and such, and as we know, time is money, right?! This question has been answered many times everywhere around, and you have been coming here since 2003, so you have probably come across this a few times in the past.

The solution you found is good, but you could have taken a remote admin tool that natively supports reverse connections, which again has been already discussed here, making it not necessary to use a tool for just tunneling connections, with a few advantages like eg. not needing to disconnect the currently (locally) logged on user. It could be faster and better for you.

I saw the link. Just backs up my statements about you not wishing to perform simple searches. ;)
http://www.secumania.net - Secumania security blog.



#13 infiltrator

infiltrator

    Staff Sergeant

  • Sergeant Major
  • 421 posts

Posted 05 March 2011 - 10:28 PM

Found this post in the GSO forums, it's old but should do the trick.

http://www.governmen...showtopic=15082

#14 extreme

extreme

    Specialist

  • Sergeant Major
  • 615 posts

Posted 09 March 2011 - 05:21 PM

@edu, again, you can't use Poison Ivy or any other reverse connection RATs/applications to access telnet, RDP or other similar services behind a firewall.. :/
If I misunderstood you, then please post a link that shows a discussion of a similar problem in the past, as I failed to find one, even now when I have found the solution..

@infiltrator
That article you posted speaks about a reverse VNC connection.. which is alright for remote administration when a user is logged on and you have access to that user's session, and is on one hand a good alternative to remote desktop...
BUT, if you want to access a service on a server such as telnet, RDP, SQL or any other that works by the "bind port" method,
1. behind a firewall
2. if you don't want to be dependent on someone being logged in so you can connect to these services
3. if you can't control the router via UPnP or other port forwarding
then the only way is installing an SSH tunnel or one of the "reverse port forward" (or google for "port gender change") applications as an NT AUTHORITY\SYSTEM or even NT AUTHORITY\NetworkService service if you need to access network shares..
Only Unity Saves the Serbs

#15 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 10 March 2011 - 12:04 PM

No, you can't access specific protocols with a remote admin tool unless it supports them, but again, if what you need is something to remotely control the desktop using a reverse connection, tools like VNC and Poison Ivy will do the job. You can access the command line and any other software installed on that computer, which will be just fine to fulfill your needs. No need to mess with port redirections and such. But you still fail to realize it. What a pity.

What infiltrator posted is just fine for you. It can use, e.g., integrated Windows authentication (in the case of Windows OS), so that you could use a Windows user account to access the desktop. If it doesn't, just set an account to be automatically started when the logon screen shows up at boot time, and voila. To access services like telnet, you could use Windows built-in client tools and connect to localhost.

So given these facts, yes, these have already been discussed here in the past, but you don't seem to like to perform searches, so we end up telling you over and over and giving you links.
http://www.secumania.net - Secumania security blog.






