Introduction
A month ago, we released a new tool that made it possible to tunnel traffic over an existing Remote Desktop Connection without the need to alter the configuration of the environment. This tool enables penetration testers to conduct their assessments over Windows-based jump boxes.
Remote Access technologies are quite diversified, although Remote Desktop Services is one of the most widely used technology, there are other widely used technologies such as Citrix.
The article about the Socks Over RDP tool release can be found here: https://research.nccgroup.com/2020/05/06/tool-release-socks-over-rdp/
Technicalities
The Citrix Receiver uses the same API as Microsoft uses for Remote Desktop Services. When the Receiver is executed it looks up the entries in registry and loads the corresponding DLLs. If Socks Over RDP is already installed, it will load its DLL, therefore the dynamic virtual channel will be registered. The server component (the .exe part) needs to be transferred to the Citrix server and executed, just as with the case of the Remote Desktop Server. When the tool is executed, the channel will be created and the SOCKS proxy will be listening on the IP and port that was set in the registry on the client computer.
Compatibility & Architecture
Citrix supports Dynamic Virtual Channels; if the Receiver is up-to-date, the tool should work with Citrix, XenDesktop and even with XenApp where only individual apps are published. Obviously, the tool needs to be copied to and executed on the server, which might require a breakout from the environment.
Citrix only distributes a 32-bit compiled version of the Receiver, which only loads 32-bit DLLs. In case the client system is 64-bit, it is necessary to be sure that the 32-bit DLL is installed. More details can be found on the GitHub page of the project: https://github.com/nccgroup/SocksOverRDP
Published