Tunneling services through SSH

While it's never a great idea to expose RDP to the world directly, some may argue that using filtered ports would be okay, that is, allowing RDP only from specific external networks or IPs. Regardless, it's known that RDP is a target for brute-force attacks and, in some cases, exploits against the protocol itself, such as BlueKeep. In fact, it's beginning to be reported that RDP is a common vector for ransomware.

And some networks may just straight filter RDP outbound, at the network layer or even application layer.

But there are ways to work around these issues, namely with SSH. SSH, if set up correctly (aka key-based authentication), is often exposed to the internet. And while there are definitely threat models that may warrant extra precautions, it's generally been okay. And it's quite powerful.

For example, you can use it to set up a SOCKS5 proxy for things like proxying browser traffic with ssh -D.

Well, here's another quick trick: ssh -L

The format is ssh -L "Local Port":"internal IP":"Internal Service Port" username@sshhost

Graphical Example

In the example above, once the SSH session is connected, you can open your RDP window, point it to the local port (33389 in this case), and connect to the Remote Desktop session on the IP listed (192.168.1.10 in my example).

RDP Session Example

It's worth noting that for the local port I used an unregistered port. Anything above 49152 is dynamic as well and not assigned by IANA. Some OSes do not allow non-admins to bind to registered ports for security reasons, so I just make a habit of using an unregistered port above 1000 or so.
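
The forward described above, as an added sketch that is not part of the original post: a small shell helper (build_tunnel_cmd and is_port are hypothetical names) that checks the port choices and prints the ssh -L command with the listener bound explicitly to 127.0.0.1, -N so no remote shell is opened, and ExitOnForwardFailure so ssh exits if the local port cannot be bound. It assumes 3389 as the internal RDP service port and uses 1024 as the lower bound for the local port, since Unix-like systems reserve ports below 1024 for root.

```shell
#!/bin/sh
# Added example: build (not run) a locked-down `ssh -L` command for the RDP tunnel.

is_port() {
    # True when $1 is a 1-5 digit integer in the range $2..$3.
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

build_tunnel_cmd() {
    # usage: build_tunnel_cmd LOCAL_PORT INTERNAL_HOST SERVICE_PORT USER@SSHHOST
    lport=$1; ip=$2; rport=$3; dest=$4

    # Local listener: unprivileged range, so no admin rights are needed to bind.
    is_port "$lport" 1024 65535 || { echo "local port must be 1024-65535" >&2; return 2; }
    is_port "$rport" 1 65535 || { echo "service port must be 1-65535" >&2; return 2; }

    # Reject empty values, a leading '-' (would be parsed as an ssh option),
    # and characters that do not belong in a host name or address.
    case "$ip" in
        ''|-*|*[!A-Za-z0-9.-]*) echo "bad internal host" >&2; return 2 ;;
    esac
    case "$dest" in
        ''|-*|*[!A-Za-z0-9@._-]*) echo "bad ssh destination" >&2; return 2 ;;
    esac

    # 127.0.0.1: only this machine can reach the forwarded port.
    # -N: forward only, run no remote command.
    # ExitOnForwardFailure=yes: fail loudly if the local port is already taken.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$lport" "$ip" "$rport" "$dest"
}

# Values from the post's example; username@sshhost is the post's placeholder.
build_tunnel_cmd 33389 192.168.1.10 3389 username@sshhost
```

Run the printed command, then point the RDP client at port 33389 on the local machine as described above.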



Published by

wally


My name isn't really Wally, that's my dog. The rest is probably true though.