Commit a17f235

docs: section on proxy-based credentials injection
1 parent ec08280 commit a17f235

File tree

1 file changed

+46
-0
lines changed

docs/COOKBOOK.md

Lines changed: 46 additions & 0 deletions
@@ -6,6 +6,7 @@ Developer-oriented cookbook for testing purposes.
66
- [WebSocket-to-TCP tunnel using jetsocat](#websocket-to-tcp-tunnel-using-jetsocat)
77
- [Standalone web application custom authentication](#standalone-web-application-custom-authentication)
88
- [Preflight API](#preflight-api)
9+
- [Proxy-based credentials injection for RDP](#proxy-based-credentials-injection-for-rdp)
910

1011
## RDP routing
1112

@@ -268,3 +269,48 @@ And here is how the response may look like:
268269
{"operation_id":"55821d24-d1df-481c-8b88-66c06f879835","kind":"resolved-host","resolved_host":"devolutions.net","resolved_addresses":["20.239.34.78"]}
269270
]
270271
```
272+
273+
## Proxy-based credentials injection for RDP
274+
275+
### How it works
276+
277+
- Perform two-way forwarding between the client and the target until the TLS security upgrade.
278+
- Separately perform the TLS upgrade for both the client and the server, effectively acting as a man-in-the-middle.
279+
- The client must trust the TLS certificate configured in the Devolutions Gateway.
280+
- Separately perform CredSSP authentication as server with the client, and as client with the target.
281+
- The fake, proxy credentials are used with the client.
282+
- The real, target credentials are used with the target.
283+
- Proceed with the usual two-way forwarding (expect we can actually see and inspect all the traffic)
284+
285+
### Prerequisites
286+
287+
- Generate some tokens. You can use `tokengen` or the PowerShell cmdlet.
288+
- Generate a session token for the RDP session.
289+
- Generate a scope token for the preflight API.
290+
- Configure the TLS certificate and private key.
291+
- Run the Devolutions Gateway.
292+
- We’ll assume it runs on localhost, and it listens for HTTP on 7171 and TCP on 8181.
293+
- Adjust to your needs.
294+
295+
### Push the credentials
296+
297+
```shell
298+
curl "127.0.0.1:7171/jet/preflight?token=<SCOPE_TOKEN>" \
299+
-X POST -H "Content-Type: application/json" \
300+
--data '[
301+
{"id": "ef1a3ae9-e55d-48b8-92b0-ae67c29b2e4e", "kind": "provision-credentials", "token": "<SESSION_TOKEN>",
302+
"proxy_credential": { "kind": "username-password", "username": "FakeUser", "password": "FakePassword" },
303+
"target_credential": { "kind": "username-password", "username": "RealUser", "password": "RealPassword" } }
304+
]'
305+
```
306+
307+
### Connect using the fake (proxy) credentials
308+
309+
```shell
310+
xfreerdp3 /v:127.0.0.1:8181 /u:'FakeUser' /p:'FakePassword' /cert:ignore /pcb:<SESSION_TOKEN>
311+
```
312+
313+
### Demo
314+
315+
[proxy-based-credentials-injection-prototype.webm](https://github.com/user-attachments/assets/d5380053-810d-4529-b3f9-1ed84c2d77c4)
316+

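Review bot: line 279 states the client must trust the TLS certificate configured in the Devolutions Gateway, but the xfreerdp3 command at line 310 passes `/cert:ignore`, which switches that check off; because the Gateway deliberately terminates TLS as a man-in-the-middle, the client's certificate validation is the only thing that distinguishes the Gateway from any other interceptor, so the cookbook should say `/cert:ignore` is a shortcut for the localhost demo and that the client should trust the configured certificate otherwise. Line 283 reads "expect we can actually see and inspect all the traffic"; "except" is intended and the sentence needs a closing period. Worth a sentence near line 298 as well: the preflight POST sends the real target credentials in the request body, and the scope token in the URL query string, over plain HTTP to 127.0.0.1:7171, which is fine for local testing but readers following "Adjust to your needs" at line 293 should be told to reach the preflight API over HTTPS beyond localhost.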