Spying on users using Remote Desktop Shadowing - Living off the Land

A while ago on a Sunday afternoon I was playing with an old laptop to repurpose it to be a media center for the TV. Because I prefer to use Windows’ built-in solutions over 3rd party tools, after some quick online research I discovered that Microsoft Remote Desktop Protocol (RDP) supports a so-called “shadowing” feature. RDP is available in all Windows Server operating systems and the business editions of end-user Windows versions. This shadowing feature means that, while someone is working on their machine, either physically on the console or via RDP, it is possible for another user to view that session, or even control it! This is of course ideal for my use case with the laptop connected to the TV. I am able to control the laptop connected to my TV from the couch while the TV displays what I want to see. Think of Netflix, a YouTube video or family pictures. If I had simply used RDP to log on to the media center, it would have displayed a lock screen on the TV, which defeats the purpose of the media center setup.

This feature also immediately triggered my hacker mindset. Despite an increased usage of Windows Remote Management (WinRM), system administrators still make extensive use of RDP. Moreover, many organizations provide access to internal resources using RDP.

We as Red Teamers can also use this feature during a Red Team exercise to spy on both system administrators and users, without dropping any additional binaries on remote systems and while blending in with regular network traffic. Additionally, it is possible to use the shadowing feature if the Remote Desktop port is blocked by a firewall, but the SMB port is open (yes, you read this correctly – RDP via TCP port 445). Lastly, it is possible to use this feature to create a backdoor on a remote system where a low-privileged user can view and take over sessions of high-privileged users to again obtain a foothold in the network.