rdp2tcp lets you tunnel TCP traffic over an RDP Virtual Channel. It includes port forwards, reverse port forwards, and a redimentary SOCKS5 proxy. It does this by redirecting a local named pipe to the terminal services client.

I got tired of having to compile the tool, so this is pre-compiled using rdesktop 1.8.3

To run it, launch the included rdesktop client with: ./rdesktop -r addin:rdp2tcp:./rdp2tcp

You should see: controller listening on 127.0.0.1:8477 virtual channel disconnected

Upload rdp2tcp.exe to the Terminal Server. try copy/pasting the binary into a local wordpad document, opening wordpad on the terminal server, then copy/pasting the OLE object. This has a fairly high success rate. if this isn't possible, you can try to use rdpupload. This will use sendkeys() to the active window (which should be rdesktop) to generate a vbscript file that'll write the EXE to disk. Start notepad on the Terminal Server, then run this on the client: ./rdpupload -x -f vb rdp2tcp.exe - | xte Then give the rdesktop window focus. This takes FOREVER.

Once you get rdp2tcp.exe on the Terminal Server, run it. You should see this on your rdesktop client logs: chan < 6
virtual channel connected and this on the Terminal Server: chan < 6 channel connected

To add port forwards, use the rdp2tcp.py script. Straight Port Forward ./rdp2tcp.py add forward

Reverse Port Forward
./rdp2tcp.py add reverse <lhost> <lport> <rhost> <rport>

Bind a remote process to a local port (like a cmd.exe bindshell)
./rdp2tcp.py add process <lhost> <lport> <process>

SOCKS5 Proxy (very basic. advanced stuff not supported)
./rdp2tcp.py socks5 <lhost> <lport>

Run a shell command on the Terminal Server in 'cmd /c'
./rdp2tcp.py sh <command>