![]() Once you have executed Tor, close the browser and open up the following file in any text editor: “ %TorInstallPath%\Tor Browser\Browser\TorBrowser\Data\ Tor\torrc”. For the sake of this demo/exercise, I will be referencing “ %TorInstallPath%” as the directory where you have installed Tor. I have set my Tor installation path to be on the Desktop folder for my user account: “ C:\Users\Administrator\Desktop\Tor Browser”. Once you do that, make sure that you run it at least once so the configuration files for Tor get created for the first time. In order to set this up, you first need to download and install Tor Browser (on your system. Do not try this on systems and networks that you do not own or do not have the permission to test. IMPORTANT NOTE: This blog post is intended for educational purposes only. This was tested in a network that I built specifically for this demo/exercise. ![]() ![]() In case you were wondering where or how to try this web browser out, download Tor from their website (At the time of this blog post, I was using a Windows Server 2016 Datacenter to access via RDP, Parallels Remote Application Server version 16.5.0 to use as an RDP client with proxy capabilities, and Tor Browser version 7.5.6. Also known as “The Onion Router”, users of this service can “employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy” (Tor Project). In this blog post, we will cover the basics of proxying RDP traffic over TOR and how to set it up, with tips to avoid being detected.įor those of you who are unfamiliar with Tor, it’s a free and anonymous network that provides anonymity when browsing the Internet. I found this very sneaky by the threat actor, but realized how simple it was to configure it and thought I would share it with everyone. In fact, we could have closed port 3389 on their firewall and the attacker would have still had access to the system via RDP. Therefore, there wasn’t any evidence of RDP (port 3389) being used on the network illegitimately. The best part of this is, because the threat actor was using Tor, all encrypted communications were sent over port 443. Hello everyone! Recently, I encountered a threat actor leveraging Tor to establish Remote Desktop Protocol (RDP) sessions from a victim system to an attacker-controlled server.
0 Comments
Leave a Reply. |