fiddyschmitt · October 22, 2024 11:51
diff --git a/gistfile1.txt b/gistfile1.txt
 - Server
 	//Enable Shadow RDP
 		Windows Registry Editor Version 5.00

 		; Allow full control without user's permission for RDP shadowing
 		[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
 		"Shadow"=dword:00000002
 		"DisableShadowConsent"=dword:00000001

 	//Firewall rules
 		File and Printer Sharing (SMB-In)
 		Remote Desktop - Shadow (TCP-In)
 	
 	//Article mentioned enabling RPC, but seems to work fine with RPC off on both client & server
 		Windows Registry Editor Version 5.00

 		[HKLM\SYSTЕM\CurrеntControlSеt\Control\Tеrminal Sеrvеr]
 		"AllowRemotеRPC"=dword:00000001
 		
 		//Might be able to check if it's working using
 			qwinsta /server:192.168.1.50
 			
 	This website also suggests RPC is not needed:
 		Despite the Microsoft documentation specifying this binary being related to Remote Desktop Sessions, Remote Desktop does not need to be enabled in order for the binary, and enumeration to succeed
 		
 		https://0xv1n.github.io/posts/sessionenumeration/
 			
 - Client
 	Note: Shadow RDP requires port 445, 3389, and the dynamic ports used by RdpSa.exe on the server.
 	
 	mstsc.exe connects to server's 3389. The server runs RdpSa.exe and tells mstsc.exe which 4 ports it's running on, and IPs.
 	mstsc then connects to one of those.
 	
 	The account running mstsc may need to match the remote account. Try:
 		runas.exe /noprofile /netonly /user:REMOTE_SERVER\remoteuser powershell.exe
 	
 	It should be possible to check remote sessions:
 		qwinsta /server:192.168.56.91
 	
 	Start the shadow connection:
 		mstsc.exe /shadow:1 /v:192.168.1.50 /control /noConsentPrompt
 	
 - Ideas
 	https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing
 	https://swarm.ptsecurity.com/remote-desktop-services-shadowing/
	- Server
	//Enable Shadow RDP
	Windows Registry Editor Version 5.00

	; Allow full control without user's permission for RDP shadowing
	[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
	"Shadow"=dword:00000002
	"DisableShadowConsent"=dword:00000001

	//Firewall rules
	File and Printer Sharing (SMB-In)
	Remote Desktop - Shadow (TCP-In)

	//Article mentioned enabling RPC, but seems to work fine with RPC off on both client & server
	Windows Registry Editor Version 5.00

	[HKLM\SYSTЕM\CurrеntControlSеt\Control\Tеrminal Sеrvеr]
	"AllowRemotеRPC"=dword:00000001

	//Might be able to check if it's working using
	qwinsta /server:192.168.1.50

	This website also suggests RPC is not needed:
	Despite the Microsoft documentation specifying this binary being related to Remote Desktop Sessions, Remote Desktop does not need to be enabled in order for the binary, and enumeration to succeed

	https://0xv1n.github.io/posts/sessionenumeration/

	- Client
	Note: Shadow RDP requires port 445, 3389, and the dynamic ports used by RdpSa.exe on the server.

	mstsc.exe connects to server's 3389. The server runs RdpSa.exe and tells mstsc.exe which 4 ports it's running on, and IPs.
	mstsc then connects to one of those.

	The account running mstsc may need to match the remote account. Try:
	runas.exe /noprofile /netonly /user:REMOTE_SERVER\remoteuser powershell.exe

	It should be possible to check remote sessions:
	qwinsta /server:192.168.56.91

	Start the shadow connection:
	mstsc.exe /shadow:1 /v:192.168.1.50 /control /noConsentPrompt

	- Ideas
	https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing
	https://swarm.ptsecurity.com/remote-desktop-services-shadowing/