Previously, we covered reverse SSH tunneling from a compromised Windows machine to a proxy server with a public IP address that we own, in order to reach the Remote Desktop Protocol port.
In this article, we will convert a Windows 10 gaming laptop with an NVIDIA GTX 1050 Ti into a remotely accessible password cracker via a PERSISTENT reverse SSH tunnel to a VPS that we own and that is reachable on a public IP.
You have many VPS (Infrastructure as a Service) providers to choose from:
- Amazon Web Services EC2 Cloud
- DigitalOcean Droplets
- Linode
- Vultr
- Rackspace
- Google Compute
Whichever you pick, the point is that we need a public IP address to act as a reverse proxy to the machine that we want to RDP into.
It's up to you which one you choose. I personally am migrating from Amazon AWS over to Vultr due to better pricing for my uses, since I don't need a full-blown Kali Linux mega-server running 24/7 and being charged by the hour.
Be sure to sign up for one of these services first and spin up a Linux installation of your choice, either Kali, Debian, or Ubuntu.
Follow this guide to enable RDP on Windows 10:
https://www.groovypost.com/howto/setup-use-remote-desktop-windows-10/ but uncheck "Allow connections only from computers running Remote Desktop with Network Level Authentication", because rdesktop cannot complete NLA (CredSSP) authentication against a standalone Windows machine. Be clear about what that costs: with NLA off, anyone who can reach port 3389 is shown the Windows logon screen before proving who they are, which is exactly the pre-authentication surface NLA exists to remove, so the port must stay reachable only through the tunnel. If you would rather keep NLA on, use xfreerdp (FreeRDP) as the client instead, which supports CredSSP/NLA.
Now install the OpenSSH client and the Windows Subsystem for Linux (WSL) by following these guides.
https://www.howtogeek.com/336775/how-to-enable-and-use-windows-10s-built-in-ssh-commands/
https://www.onmsft.com/how-to/how-to-install-windows-10s-linux-subsystem-on-your-pc
The latter gives you the Bourne-again shell (bash), with grep, sort, uniq, cat and for loops for wrangling hash and wordlist files, while still being able to run Windows executables.
Now configure sshd on the VPS. Root login is not required to create an SSH tunnel as such; it is needed in this guide only because the reverse tunnel binds port 443 on the VPS, and binding a port below 1024 takes root. An unprivileged account with a port above 1024 (13389, say) would carry the same tunnel, and the socat relay in a later step can point at that port just as well.
First, edit the file
nano /etc/ssh/sshd_config
Then change it to this configuration, one directive per line:
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PermitRootLogin yes
PasswordAuthentication yes
ClientAliveInterval 180
UseDNS no
Two things to know about this file. Several directives (Protocol, KeyRegenerationInterval, ServerKeyBits, RSAAuthentication, RhostsRSAAuthentication, UsePrivilegeSeparation) are SSH-1 era options that current OpenSSH releases accept only with a deprecation warning, and the DSA host key has been disabled by default since OpenSSH 7.0, so all of them can be dropped. More importantly, the two lines doing the work for this guide are PermitRootLogin yes and PasswordAuthentication yes; together they put a password-guessable root login on a public address, which will start receiving guessing traffic almost as soon as the VPS comes up. Prefer key authentication (PubkeyAuthentication yes with PasswordAuthentication no) and set PermitRootLogin to prohibit-password or, better, no.
If you do keep password authentication on, give root a password:
passwd root
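As an added example (not the article's own configuration), here is the sshd_config fragment a practitioner would use in place of the root-and-password settings above, with the article's value noted where it differs. It assumes an unprivileged account named tunnel has been created on the VPS with adduser, that the laptop's public key is in /home/tunnel/.ssh/authorized_keys, and that the tunnel will use remote port 13389 instead of 443 so the account needs no root. PermitListen requires OpenSSH 7.8 or newer (check with ssh -V on the VPS); validate the file with sshd -t and keep your current session open until a second login with the new settings succeeds.

```text
# Added example: hardened replacement for the article's sshd_config values.
# Assumes account "tunnel" exists with the laptop's key in its authorized_keys
# and that the reverse tunnel uses remote port 13389 (an assumption, not the
# article's 443).

# Article: PermitRootLogin yes. Root never needs to log in for this setup.
PermitRootLogin no
# Article: PasswordAuthentication yes. Key-only removes password guessing entirely.
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes
LogLevel INFO
ClientAliveInterval 180
UseDNS no
# Nobody but the tunnel account may even attempt a login.
AllowUsers tunnel

# The tunnel account may do exactly one thing: publish the laptop's RDP port
# on the VPS loopback. Everything below applies only to that account.
Match User tunnel
    # Remote (-R) forwards only; this account cannot open -L forwards to anything.
    AllowTcpForwarding remote
    # Only the agreed port, and only on loopback (OpenSSH 7.8+).
    PermitListen 127.0.0.1:13389
    # Article: X11Forwarding yes. A tunnel needs none of the following.
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
```

With this in place the laptop connects as tunnel rather than root, with -R 127.0.0.1:13389:127.0.0.1:3389 rather than 443, and the socat relay later in the article points at 127.0.0.1:13389 instead of 443.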
Now, from an Administrator PowerShell prompt on the laptop:
ssh -Nf root@<proxyserverip> -R 443:127.0.0.1:3389
-N tells ssh not to run a remote command (the session exists only to carry the forward) and -f sends it to the background once it has authenticated. Note that this is one session, not a persistent one: if the VPS reboots, the laptop sleeps, or the network changes, the process exits or hangs and nothing restarts it. For the persistence promised in the title you also want ServerAliveInterval and ServerAliveCountMax so a dead link is noticed, ExitOnForwardFailure so a session whose remote port is still held by a stale session does not linger uselessly, and something that restarts ssh when it exits.
-R requests a reverse (remote) port forward, bound on the public proxy server
The argument 443:127.0.0.1:3389 asks sshd on the proxy server to listen on port 443 (on its loopback interface only, since sshd's GatewayPorts defaults to no) and to send each connection back through the tunnel to 127.0.0.1:3389, the RDP listener on your gaming laptop
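The single ssh -Nf invocation above gives you a tunnel, not a persistent one. What follows is an added example, not code from the original article: a reconnect loop around ssh.exe, registered as a scheduled task that starts at boot and runs whether or not anyone is logged on. It assumes things the article does not: a VPS at 203.0.113.10 (a documentation address), an unprivileged VPS account named tunnel with the laptop's ed25519 public key in its authorized_keys, and remote port 13389 instead of 443 so that account needs no root. Save it as a .ps1 file, run the ssh command once interactively as the same Windows user so the VPS host key lands in that user's known_hosts (StrictHostKeyChecking=yes will refuse an unknown key rather than accept it unattended), then run the script from an elevated PowerShell to register the task.

```powershell
# Added example, not from the original article: keeps the reverse RDP tunnel up
# across link drops and reboots. Placeholders and assumptions: the VPS address
# 203.0.113.10 (a documentation address), an unprivileged VPS account "tunnel"
# holding this laptop's public key, and remote port 13389 (above 1024, so the
# account needs no root). Run with -Run to start the loop, without it to register
# the scheduled task (requires an elevated prompt).
param([switch]$Run)

$Vps        = '203.0.113.10'
$User       = 'tunnel'
$Key        = Join-Path $env:USERPROFILE '.ssh\id_ed25519'
$RemotePort = 13389      # bound on the VPS loopback; socat or ssh -L reaches it there
$LocalRdp   = 3389       # RDP listener on this laptop
$TaskName   = 'ReverseRdpTunnel'

function Start-ReverseTunnel {
    while ($true) {
        # -N: no remote command, the session only carries the forward.
        # BatchMode: never prompt, the task runs unattended.
        # StrictHostKeyChecking=yes: refuse an unknown VPS key instead of accepting it.
        # ExitOnForwardFailure: if a stale session still holds the remote port, exit so
        #   the loop retries instead of sitting connected with no forward.
        # ServerAliveInterval/CountMax: declare the link dead after ~90 s of silence.
        & ssh.exe -N `
            -i $Key `
            -o BatchMode=yes `
            -o StrictHostKeyChecking=yes `
            -o ExitOnForwardFailure=yes `
            -o ServerAliveInterval=30 `
            -o ServerAliveCountMax=3 `
            -R "127.0.0.1:${RemotePort}:127.0.0.1:${LocalRdp}" `
            "$User@$Vps"
        Write-Output ("{0} ssh exited ({1}); reconnecting in 15 s" -f (Get-Date -Format s), $LASTEXITCODE)
        Start-Sleep -Seconds 15
    }
}

if ($Run) {
    Start-ReverseTunnel
    return
}

# No -Run: register this script as a startup task for the current user. S4U logon
# stores no password and runs whether or not the user is signed in; key-based ssh
# needs no network credentials, so S4U is enough.
$ScriptPath = $MyInvocation.MyCommand.Path
$Action     = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`" -Run"
$Trigger    = New-ScheduledTaskTrigger -AtStartup
$Principal  = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType S4U -RunLevel Limited
# ExecutionTimeLimit of zero disables the default 72-hour kill of the task;
# RestartCount covers the loop process itself dying.
$Settings   = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
    -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) -StartWhenAvailable
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null
Start-ScheduledTask -TaskName $TaskName
```

If you keep the article's root-and-443 layout instead, set $User to root and $RemotePort to 443 and nothing else changes; with the 13389 layout, the socat target in the next step becomes 127.0.0.1:13389. Either way, check the result with Get-ScheduledTask -TaskName ReverseRdpTunnel on the laptop and with ss -ltnp on the VPS, where the loopback listener on the remote port should appear within a minute of boot.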
Log in to your proxy server and set up socat (as root, since port 80 is privileged too) to forward port 80 to localhost:443
socat TCP4-L:80,reuseaddr,fork TCP4:127.0.0.1:443
Without this relay you could not rdesktop to the VPS's public IP, because the -R forward listens on the VPS's loopback interface only (sshd's GatewayPorts defaults to no); you could reach it only from the VPS itself, for instance over VNC to its GUI. Be clear about what the relay does, though: it puts the laptop's RDP listener, with NLA switched off, on a public port where anyone who finds it gets a Windows logon prompt, and a scanner that speaks the protocol will identify RDP on port 80 regardless of the port number, so the port alone does not make it look like an anonymous webserver. The least-exposure option is to skip socat entirely and reach the loopback port from Kali through a local (-L) forward over your own SSH login to the VPS, so RDP is never published at all. If you do want the public port, restrict it to your own source address with the VPS firewall or socat's range= option, and requiring certificate authentication on the RDP connection, as suggested here, raises the bar further for whoever does find it.
Now, from your Kali Linux machine, log in through your publicly accessible proxy server
rdesktop <public proxyserver ip>:80 -f
Now install the NVIDIA drivers over the RDP session, then download and install the hashcat binaries. Before trusting the box with a real job, confirm that hashcat actually sees the GPU with hashcat -I (lists the compute devices it found) and hashcat -b (benchmarks them); if only the CPU shows up, the driver install is what to revisit.
You're Done!
Enjoy your remotely accessible cracking machine WITHOUT having to rent an expensive Amazon EC2 P2 GPU instance: your old gaming laptop does the work, and all you pay for is a small, publicly reachable reverse proxy server.