Skip to content
Pre-compiled tools to tunnel TCP over RDP Connections
C Roff C++ Python Shell M4 Makefile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
sources Remove vim swap file Jan 14, 2018 Update Sep 5, 2018
rdp2tcp Addition of tools and sources. Jan 14, 2018
rdp2tcp.exe Addition of tools and sources. Jan 14, 2018
rdpupload Addition of tools and sources. Jan 14, 2018
test-client Addition of tools and sources. Jan 14, 2018
xte Addition of tools and sources. Jan 14, 2018

rdp2tcp lets you tunnel TCP traffic over an RDP Virtual Channel. It includes port forwards, reverse port forwards, and a redimentary SOCKS5 proxy. It does this by redirecting a local named pipe to the terminal services client.

I got tired of having to compile the tool, so this is pre-compiled using rdesktop 1.8.3

To run it, launch the included rdesktop client with: ./rdesktop -r addin:rdp2tcp:./rdp2tcp

You should see: controller listening on virtual channel disconnected

Upload rdp2tcp.exe to the Terminal Server. try copy/pasting the binary into a local wordpad document, opening wordpad on the terminal server, then copy/pasting the OLE object. This has a fairly high success rate. if this isn't possible, you can try to use rdpupload. This will use sendkeys() to the active window (which should be rdesktop) to generate a vbscript file that'll write the EXE to disk. Start notepad on the Terminal Server, then run this on the client: ./rdpupload -x -f vb rdp2tcp.exe - | xte Then give the rdesktop window focus. This takes FOREVER.

Once you get rdp2tcp.exe on the Terminal Server, run it. You should see this on your rdesktop client logs: chan < 6
virtual channel connected and this on the Terminal Server: chan < 6 channel connected

To add port forwards, use the script. Straight Port Forward ./ add forward

Reverse Port Forward
./ add reverse <lhost> <lport> <rhost> <rport>

Bind a remote process to a local port (like a cmd.exe bindshell)
./ add process <lhost> <lport> <process>

SOCKS5 Proxy (very basic. advanced stuff not supported)
./ socks5 <lhost> <lport>

Run a shell command on the Terminal Server in 'cmd /c'
./ sh <command>
You can’t perform that action at this time.