🚩 Sponsors

If you like this project, consider sponsoring it on GitHub! Sponsors

EVILRDP - More control over RDP

Th evil twin of aardwolfgui using the aardwolf RDP client library that gives you extended control over the target and additional scripting capabilities from the command line.

Features

• Control mouse and keyboard in an automated way from command line
• Control clipboard in an automated way from command line
• Spawn a SOCKS proxy from the client that channels network communication to the target via RDP
• Execute arbitrary SHELL and PowerShell commands on the target without uploading files
• Upload and download files to/from the target even when file transfers are disabled on the target

Scripts

• evilrdp - GUI + command line RDP client

Usage

After installing this package, a new executable will be available called evilrdp.
Upon making a successful connection to the target you'll be presented with a GUI just like a normal RDP client as well as the command line from where you executed evilrdp will turn into an interactive shell.
There will be two groups of commands available to you, as follows:

• Commands that can be issues any time. This include commands like:
  • mousemove
  • rightclick
  • doubleclick
  • type
  • typefile
  • return/enter
  • invokerun
  • clipboardset
  • clipboardsetfile
  • clipboardget
  • powershell
  • screenshot
• Commands which only work when the PSCMD channel is established
  • pscmdchannel - Changes the PSCMD channel name from the default. Use this when you changed the channelname in agent script file
  • startpscmd - This tries to automatically start the remote agent which allows further commands to be used
  • pscmd - Executes a powershell command
  • getfile - Downloads remote file
  • shell - Executes a shell command
  • socksproxy - Starts a SOCKS4a/5 proxy

As it is with all things RDP, automatic command execution doesn't always work mostly because of timing issues therefore the startpscmd might need to be used 2 times, OR you might need to start the PSCMD channel manually.
When PSCMD channel starts, you'll get a notification in your client shell.

URL format

As usual the scripts take the target/scredentials in URL format. Below some examples

• rdp+kerberos-password://TEST\Administrator:[email protected]/?dc=10.10.10.2&proxytype=socks5&proxyhost=127.0.0.1&proxyport=1080
  CredSSP (aka HYBRID) auth using Kerberos auth + password via socks5 to win2016ad.test.corp, the domain controller (kerberos service) is at 10.10.10.2. The socks proxy is on 127.0.0.1:1080
• rdp+ntlm-password://TEST\Administrator:[email protected]
  CredSSP (aka HYBRID) auth using NTLM auth + password connecting to RDP server 10.10.10.103
• rdp+ntlm-password://TEST\Administrator:<NThash>@10.10.10.103
  CredSSP (aka HYBRID) auth using Pass-the-Hash (NTLM) auth connecting to RDP server 10.10.10.103
• rdp+plain://Administrator:[email protected]
  Plain authentication (No SSL, encryption is RC4) using password connecting to RDP server 10.10.10.103
• See -h for more

Kudos

• Balazs Bucsay (@xoreipeip) SocksOverRDP. The base idea for covert comms over RDP