
rdpthief's Introduction

RdpThief

RdpThief by itself is a standalone DLL that, when injected into the mstsc.exe process, performs API hooking, extracts the clear-text credentials and saves them to a file.

An aggressor script accompanies it, which is responsible for managing the state, monitoring for new processes and injecting the shellcode into mstsc.exe. The DLL has been converted to shellcode using the sRDI project (https://github.com/monoxgas/sRDI). When enabled, RdpThief gets the process list every 5 seconds, searches for mstsc.exe, and injects into it.

When the aggressor script is loaded on Cobalt Strike, three new commands will be available:

  • rdpthief_enable – Enables the heartbeat check for new mstsc.exe processes and injects into them.
  • rdpthief_disable – Disables the heartbeat check for new mstsc.exe processes but does not unload the already loaded DLL.
  • rdpthief_dump – Prints the extracted credentials, if any.
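The behaviour described above (a foreign process opening and writing into mstsc.exe, then the client writing a dump file in the user's temp directory, which the issue transcript below shows as %temp%\data.bin) leaves a recognisable trail in process-access and file-creation telemetry. The following is an added example of detection logic written for this page; it is not part of RdpThief or its aggressor script. The event lines are constructed and simplified (key=value records modelled on Sysmon Event IDs 8, 10 and 11), and the field names, severities and the allow-list of benign source images are assumptions, not a vendor schema.

```python
"""Flag Sysmon-style events consistent with code injection into the Remote
Desktop client (mstsc.exe) and with the credential dump file RdpThief writes.

Added example for this page; not RdpThief's own code. Event format, field
names and the allow-list below are assumptions for illustration only.
"""
import re
from typing import Dict, List

# Constructed sample events (simplified Sysmon-like key=value records, no spaces in paths).
SAMPLE_EVENTS = [
    # Benign: a system process querying limited information about mstsc.exe.
    'EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe '
    'TargetImage=C:\\Windows\\System32\\mstsc.exe GrantedAccess=0x1000',
    # Suspicious: an unknown binary in Temp opens mstsc.exe with full access.
    'EventID=10 SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe '
    'TargetImage=C:\\Windows\\System32\\mstsc.exe GrantedAccess=0x1F0FFF',
    # Suspicious: the same binary starts a remote thread inside mstsc.exe.
    'EventID=8 SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe '
    'TargetImage=C:\\Windows\\System32\\mstsc.exe StartAddress=0x000001E4A2B30000',
    # Suspicious: mstsc.exe itself writes data.bin into the user's Temp directory.
    'EventID=11 Image=C:\\Windows\\System32\\mstsc.exe '
    'TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\data.bin',
    # Benign: mstsc.exe saving a connection file in Documents.
    'EventID=11 Image=C:\\Windows\\System32\\mstsc.exe '
    'TargetFilename=C:\\Users\\alice\\Documents\\Default.rdp',
]

# Access rights that allow writing code or starting a thread in another process
# (Win32 PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE).
WRITE_OR_THREAD = 0x0002 | 0x0008 | 0x0020

# Assumed allow-list of source images that legitimately open client processes.
ALLOWED_SOURCES = {'csrss.exe', 'lsass.exe', 'svchost.exe'}

RDP_CLIENT = 'mstsc.exe'
DUMP_FILE = 'data.bin'  # file name shown in the page's rdpthief_dump transcript


def parse_event(line: str) -> Dict[str, str]:
    """Turn a 'Key=Value Key=Value' record into a dict (values contain no spaces)."""
    return dict(re.findall(r'(\w+)=(\S+)', line))


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def _under_temp(path: str) -> bool:
    """True when the path has a Temp directory component (where %temp% resolves)."""
    return '\\temp\\' in path.replace('/', '\\').lower()


def analyze(lines: List[str]) -> List[dict]:
    """Return one finding per event that matches the injection / dump pattern."""
    findings = []
    for n, line in enumerate(lines):
        ev = parse_event(line)
        eid = ev.get('EventID')
        if eid == '8' and _basename(ev.get('TargetImage', '')) == RDP_CLIENT:
            # A remote thread in the RDP client is how shellcode gets executed there.
            findings.append({'line': n, 'severity': 'high',
                             'reason': 'remote thread created in mstsc.exe',
                             'source': ev.get('SourceImage', '')})
        elif eid == '10' and _basename(ev.get('TargetImage', '')) == RDP_CLIENT:
            access = int(ev.get('GrantedAccess', '0'), 16)
            source = ev.get('SourceImage', '')
            if access & WRITE_OR_THREAD and _basename(source) not in ALLOWED_SOURCES:
                findings.append({'line': n, 'severity': 'medium',
                                 'reason': 'non-allow-listed process opened mstsc.exe '
                                           'with write/thread access',
                                 'source': source})
        elif eid == '11' and _basename(ev.get('Image', '')) == RDP_CLIENT:
            target = ev.get('TargetFilename', '')
            if _basename(target) == DUMP_FILE and _under_temp(target):
                findings.append({'line': n, 'severity': 'high',
                                 'reason': 'mstsc.exe wrote data.bin under Temp',
                                 'source': target})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] event {f['line']}: {f['reason']} ({f['source']})")
```

Run against the constructed events, the script reports the full-access ProcessAccess, the CreateRemoteThread and the data.bin FileCreate, and stays quiet on the two benign lines. The access-mask check matters more than the event itself: many legitimate tools open processes for limited query rights, so alerting on every ProcessAccess to mstsc.exe would be noisy, whereas write or thread-creation rights from a binary outside the allow-list are rarely expected.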

Screenshot

Example Usage

Demonstration video: https://www.youtube.com/watch?v=F77eODhkJ80

More details can be found at: https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients/

rdpthief's People

Contributors

  • 0x09al

rdpthief's Issues

Crashes RDP upon injection

Running into an issue when Cobalt Strike injects the .tmp file, it crashes RDP. Has this been patched?

Never see the injection happen

Victim is a Windows 10 (local admin user) - seems like the injection is never done. RDP is turned on, and I can RDP into the machine from another machine...

beacon> sleep 0
[*] Tasked beacon to become interactive
[+] host called home, sent: 16 bytes
beacon> rdpthief_enable
[+] RdpThief enabled

[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
[+] host called home, sent: 12 bytes
beacon> rdpthief_disable
[+] Disabling RdpThief
beacon> rdpthief_dump
[*] Tasked beacon to run: type %temp%\data.bin
[+] host called home, sent: 51 bytes
[+] received output:
The system cannot find the file specified.

Issue hooking mstsc.exe on windows 10 1903

I compiled the DLL (RdpThief.dll) and injected it into the mstsc.exe process. It is able to hook ADVAPI32!CredIsMarshaledCredentialW but is unable to hook SSPICLI!SspiPrepareForCredRead and dpapi!CryptProtectMemory. I was able to verify this by attaching a debugger and looking at the assembly. Only the CredIsMarshaledCredentialW function has a jump into the loaded DLL. Any pointers on how to debug this issue, or have you encountered this before?

Are some DLLs immune to hooking?
