Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
WinRM for Lateral Movement
WinRS for Lateral Movement
WMI for Lateral Movement
RDP Hijacking for Lateral Movement with tscon
Shared Webroot
Lateral Movement via DCOM
WMI + MSI Lateral Movement
Lateral Movement via Service Configuration Manager
Lateral Movement via SMB Relaying
WMI + NewScheduledTaskAction Lateral Movement
WMI + PowerShell Desired State Configuration Lateral Movement
Simple TCP Relaying with NetCat
Empire Shells with NetNLTMv2 Relaying
Lateral Movement with Psexec
From Beacon to Interactive RDP Session
SSH Tunnelling / Port Forwarding
Lateral Movement via WMI Event Subscription
Lateral Movement via DLL Hijacking
Lateral Movement over headless RDP with SharpRDP
Man-in-the-Browser via Chrome Extension
ShadowMove: Lateral Movement by Duplicating Existing Sockets
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
RDP Hijacking for Lateral Movement with tscon
This lab explores a technique that allows a SYSTEM account to move laterally through the network using RDP without the need for credentials.

Execution

It is possible by design to switch from one user's desktop session to another through the Task Manager (one of the ways).
Below shows that there are two users on the system and currently the administrator session is in active:
Let's switch to the spotless session - this requires knowing the user's password, which for this exercise is known, so lets enter it:
We are now reconnected to the spotless session:
Now this is where it gets interesting. It is possible to reconnect to a users session without knowing their password if you have SYSTEM level privileges on the system. Let's elevate to SYSTEM using psexec (privilege escalation exploits, service creation or any other technique will also do):
1
psexec -s cmd
Copied!
Enumerate available sessions on the host with query user:
Switch to the spotless session without getting requested for a password by using the native windows binary tscon.exethat enables users to connect to other desktop sessions by specifying which session ID (2 in this case for the spotless session) should be connected to which session (console in this case, where the active administator session originates from):
1
cmd /k tscon 2 /dest:console
Copied!
Immediately after that, we are presented with the desktop session for spotless:

Observations

Looking at the logs, tscon.exe being executed as a SYSTEM user is something you may want to investigate further to make sure this is not a lateral movement attempt:
Also, note how event_data.LogonID and event_ids 4778 (logon) and 4779 (logoff) events can be used to figure out which desktop sessions got disconnected/reconnected:
Administrator session disconnected
Spotless session reconnected (hijacked)
Just reinforcing the above - note the usernames and logon session IDs:

References

Vol de session RDP
Blog de Gentil Kiwi
Passwordless RDP Session Hijacking Feature All Windows versions
Windows Security Log Event ID 4778 - A session was reconnected to a Window Station
tscon
docsmsft
​
Previous
WMI for Lateral Movement
Next
Shared Webroot
Last modified 3yr ago
Copy link
Contents
Execution
Observations
References