I read Kevin Beaumont's RDP Session Hijacking article on Medium and was amazed at how it worked, so I decided to replicate it.
For more information about RDP hijacking, please check Kevin Beaumont's article (https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6).
Setup: two virtual machines, both running Windows 7.
In this scenario, I already have an administrator account named “blade” on the target machine. The goal is to hijack the session of “superAdmin”, which is currently logged on to the target machine.
First, I RDP to the target machine using the administrator account “blade”.
Using the command “query user”, I was able to check which users were logged on, along with their session IDs and session names.
On the target machine, I created a service that will hijack the session of “superadmin”:
sc create rdphijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#0"
Notes: The number passed to tscon (1) is the session ID of superadmin as shown by “query user”. The "/dest" value is the SessionName of the session I am connected to over RDP as “blade”; in this scenario that SessionName is "rdp-tcp#0". Because the service runs as SYSTEM, tscon connects the existing session without prompting for superadmin's password.
Lastly, I started the service I had created with the command “net start rdphijack” and successfully got an RDP session as the “superadmin” account.
net start rdphijack
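From the defender's side, the technique above leaves a clear trace: the service installation is recorded in the System log as Event ID 7045 with the full ImagePath, including the tscon command line. The following is an added example (not part of the original post) that scans constructed 7045-style records for a service whose image path runs tscon with /dest and reports the source and destination sessions; the dict field names mirror the event's ServiceName/ImagePath/AccountName data, and the sample records are made up for this example.

```python
import re
from typing import Dict, List

# Constructed sample records modelled on System log Event ID 7045
# ("A service was installed in the system"), flattened to one dict each.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 7045, "ServiceName": "rdphijack",
     "ImagePath": 'cmd.exe /k tscon 1 /dest:rdp-tcp#0', "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Backup Agent",
     "ImagePath": r'"C:\Program Files\Backup\agent.exe" --service', "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "maint",
     "ImagePath": r'C:\Windows\System32\cmd.exe /c TSCON.EXE 2 /DEST:console', "AccountName": "LocalSystem"},
    # A service state-change event (7036) carries no image path and must be ignored.
    {"EventID": 7036, "ServiceName": "rdphijack", "ImagePath": "", "AccountName": ""},
]

# tscon <sessionID|sessionName> /dest:<sessionName>, case-insensitive, optional .exe,
# preceded by start of string, whitespace, a backslash or a quote so "mytscon" does not match.
TSCON_RE = re.compile(
    r'(?:^|[\\\s"])tscon(?:\.exe)?\s+(?P<src>\S+)\s+.*?/dest:(?P<dst>\S+)',
    re.IGNORECASE,
)


def is_session_hijack_service(event: Dict) -> bool:
    """True if the record is a service install whose image path runs tscon with /dest."""
    if event.get("EventID") != 7045:
        return False
    return TSCON_RE.search(event.get("ImagePath", "")) is not None


def find_hijack_services(events: List[Dict]) -> List[Dict]:
    """Return one finding per suspicious install: service name plus the two sessions named."""
    findings = []
    for event in events:
        if not is_session_hijack_service(event):
            continue
        match = TSCON_RE.search(event["ImagePath"])
        findings.append({
            "service": event["ServiceName"],
            "source_session": match.group("src"),   # session being taken over
            "dest_session": match.group("dst"),     # session the attacker is sitting in
        })
    return findings


if __name__ == "__main__":
    for finding in find_hijack_services(SAMPLE_EVENTS):
        print(f"ALERT: service {finding['service']!r} installed to connect session "
              f"{finding['source_session']} into {finding['dest_session']} via tscon")
```

The same pattern applies to Security log Event 4697 (service installed) and to process-creation telemetry where tscon.exe is spawned by services.exe or cmd.exe running as SYSTEM.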
Credits:
Kevin Beaumont – @gossithedog
Alexander Korznikov – @nopernik