I needed to enumerate RDP configurations when nmap and Nessus were not available to me. I found this blog post, which described exactly the registry keys required.
After a bit of poking, the PowerShell rdp-enum was born:
Does exactly what it says on the tin.
Hope it helps
The short version:
- A tool which works in Linux and Windows which will “upload” a file to an RDP or other remote session where copy and paste or drag and drop are disabled.
Get the tool here:
This is a very old technique. All I have done is have a stab at making my own tool for doing this. I meet aspiring hackers who say they want to jump into coding but don't have any "ideas". They seem unimpressed when I say "write a port scanner".
If that is you, then I say to you: re-invent the damn wheel!
Sometimes the wheel needs upgrading, you know? Many of the tools we now treat as the "go-to" for something are about the 17th implementation of that technique. Any tool can be toppled by a better successor.
But world domination is not the goal. Implementing your own versions of old ideas is really just practice for the day you invent an entirely new wheel. It also teaches you how a thing works, which is brilliant. At a job interview you will stand out if you actually know what the top tool does under the hood.
What I learned on this one
To make rdpupload I learned:
- more about argparse (I had used it before)
- how to simulate key presses in python
- how to do a progress bar in a CLI
- how to zip a file using python
- how to play an mp3 in python (though it didn’t work on Windows, yolo).
But most importantly I learned how a file "upload" can work by typing it, and how to decode the result easily on the server side.
The following summarises the technique:
- Zip the file you want to upload (depending on the file, this can save a lot of characters to type).
- Base64 encode the zip, so that every character we have to type is available on a standard English keyboard.
- Split the encoded text into chunks of 256 characters (an arbitrary length choice).
- Spoof keyboard typing for each 256-character chunk until the whole file has been typed.
- Display a progress bar and optionally play the sound of a typewriter hammering away while the "upload" happens.
- Before starting, place the cursor in Notepad inside the RDP session so the keystrokes land there.
- When the "upload" is complete, save the Notepad contents as a ".txt" file.
- Open a command prompt and use "certutil.exe" to decode the base64 file back into the zip. The syntax for that is shown below.
- Use the built-in zip support in Windows Explorer to extract the zip file.
The decoder on the server side relies on "certutil.exe". Unless I am wrong this is available from Server 2003 upwards, so it covers most use cases.
Syntax: certutil -decode <inputfile> <outputfile>
Example: certutil -decode nc.txt nc.zip
The decode command is also printed on the Kali side for convenience once the upload is complete.
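As an added example (this is not the rdpupload tool's own code), the encode side of the procedure above written in Python, with the keystroke step abstracted into a callback so the whole round trip can be checked offline: zip, base64, split into 256-character chunks, "type" each chunk with a progress bar, then decode and unzip the typed text in pure Python as a stand-in for "certutil -decode" plus Explorer's unzip. The sample payload is constructed, and pyautogui is mentioned only as one library that could supply the real send_keys callback; neither is from the original post.

```python
"""Typed-file "upload" round trip: zip -> base64 -> chunks -> keystrokes,
and the server-side decode. Added example, not the rdpupload tool itself."""
import base64
import io
import zipfile

CHUNK_SIZE = 256  # same arbitrary chunk length the post uses


def zip_bytes(name: str, data: bytes) -> bytes:
    """Return a zip archive (as bytes) holding the single member `name`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def encode_for_typing(name: str, data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Zip the data, base64-encode it (plain ASCII, all on an English keyboard)
    and split the text into chunks of `chunk_size` characters."""
    b64 = base64.b64encode(zip_bytes(name, data)).decode("ascii")
    return [b64[i:i + chunk_size] for i in range(0, len(b64), chunk_size)]


def type_chunks(chunks: list, send_keys, progress=None) -> int:
    """Feed every chunk to `send_keys`, one chunk per line.
    `send_keys` is whatever types into the RDP session (e.g. pyautogui.typewrite,
    an assumption, not the post's choice); a plain list.append works for testing.
    Returns the number of base64 characters typed."""
    typed, total = 0, sum(len(c) for c in chunks)
    for n, chunk in enumerate(chunks, 1):
        send_keys(chunk + "\n")  # newline between chunks keeps Notepad readable
        typed += len(chunk)
        if progress:
            progress(n, len(chunks), typed, total)
    return typed


def cli_progress(n: int, count: int, typed: int, total: int, width: int = 30) -> None:
    """Minimal CLI progress bar, redrawn in place on each chunk."""
    done = width * typed // total
    print(f"\r[{'#' * done}{'.' * (width - done)}] chunk {n}/{count}", end="", flush=True)


def certutil_command(txt_name: str, zip_name: str) -> str:
    """The command to run in the remote cmd.exe once the text file is saved."""
    return f"certutil -decode {txt_name} {zip_name}"


def decode_server_side(typed_text: str) -> dict:
    """Pure-Python stand-in for `certutil -decode` followed by unzipping:
    drop the line breaks between chunks, base64-decode, and return
    {member name: bytes}. A corrupt keystroke would surface here as a
    base64 or zip error, which is what you would see on the real target."""
    raw = base64.b64decode("".join(typed_text.split()))
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def demo() -> tuple:
    """Run the full round trip on a constructed payload; returns (chunks, bytes)."""
    payload = b"MZ" + bytes(range(256)) * 8  # constructed stand-in for nc.exe
    chunks = encode_for_typing("nc.exe", payload)
    typed = []                                 # collects the "keystrokes"
    type_chunks(chunks, typed.append, cli_progress)
    print()
    print(certutil_command("nc.txt", "nc.zip"))
    recovered = decode_server_side("".join(typed))
    assert recovered["nc.exe"] == payload
    return len(chunks), len(payload)


if __name__ == "__main__":
    demo()
```

Running the local round trip before pointing the tool at a real session is worth doing: on the target, a keyboard layout that remaps "+" or "/" or keystrokes dropped over a laggy RDP link show up only as a certutil decode error or a zip that will not open, so a clean local decode rules the tool itself out as the cause.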