SharpRDP: Remote Desktop Protocol Console Application for Authenticated Command Execution
How it works
The terminal services library (mstscax.dll) comes in two forms that can be leveraged: the scriptable control, used by web clients or scripts, and the non-scriptable control, used from native or managed code. SharpRDP relies on the non-scriptable control of the COM library. The ActiveX importer aximp.exe, which ships with the .NET SDK, is required to generate the two DLLs MSTSCLib.dll and AxMSTSCLib.dll from mstscax.dll. MSTSCLib.dll contains the managed definitions for the library, while AxMSTSCLib.dll contains the Windows Forms control for the ActiveX classes. Both DLLs contain classes that are required for the actions involved in lateral movement.
Windows Forms are used when the terminal services connection object is instantiated, so SharpRDP creates a Windows Form object that stays invisible to the user on the host it is executed from. From this form, methods are called to perform each of the lateral movement steps:
- connection
- authentication
- actions on target (command execution)
- disconnection from the host
Each of these actions is registered as an event with an event handler that determines the next course of action.
There are two ways to authenticate: either by supplying plaintext credentials (the most common and usable scenario) or by using the current user context together with Restricted Admin mode. Restricted Admin mode is a Windows protection mechanism that performs a network logon rather than an interactive one, so that credentials are not cached on the host being RDPed to. It has commonly been abused for pass-the-hash over RDP.
Once authenticated, SharpRDP sends virtual keystrokes to the remote system via a method called SendKeys. Since SharpRDP currently only supports keystrokes, by default it opens a Run dialog and types in the specified command. Alternatively, the command can be run as a child process of cmd.exe or powershell.exe, which is itself spawned from the Run dialog.
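From the detection side, the behaviour described above leaves a recognisable process lineage on the target: a shell started by explorer.exe (the process that hosts the Run dialog) inside a session that logged on over RDP. The following is an added example, not part of SharpRDP or its documentation, that flags that lineage in constructed telemetry; the record fields, the session ids and logon type 10 for a standard RDP logon are assumptions of the example.

```python
"""Flag cmd.exe/powershell.exe launched from the Run dialog inside RDP sessions.
Constructed telemetry only; the field names are assumptions, not a real log schema."""
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe"}
REMOTE_INTERACTIVE = 10  # logon type of a standard RDP logon (assumption: not Restricted Admin)

@dataclass(frozen=True)
class Logon:
    session_id: int
    user: str
    logon_type: int

@dataclass(frozen=True)
class ProcessStart:
    session_id: int
    image: str
    parent_image: str
    command_line: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_rdp_run_dialog_shells(logons, starts):
    """Return (user, image, command_line) for shells whose parent is explorer.exe
    (the process that hosts the Run dialog) inside sessions that logged on over RDP."""
    rdp_sessions = {l.session_id: l.user for l in logons if l.logon_type == REMOTE_INTERACTIVE}
    hits = []
    for p in starts:
        if p.session_id not in rdp_sessions:
            continue  # console and other logon types are out of scope here
        if _basename(p.image) in SHELLS and _basename(p.parent_image) == "explorer.exe":
            hits.append((rdp_sessions[p.session_id], p.image, p.command_line))
    return hits

# Constructed sample telemetry (not real events)
SAMPLE_LOGONS = [
    Logon(2, r"CORP\alice", 2),       # interactive console logon
    Logon(3, r"CORP\svc-admin", 10),  # RDP logon
]
SAMPLE_STARTS = [
    ProcessStart(2, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe"),
    ProcessStart(3, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c whoami"),
    ProcessStart(3, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    ProcessStart(3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe", "powershell -nop"),
]
```

A session established with Restricted Admin mode appears as a network logon rather than type 10, as noted above, so correlate on the session id for that case; a user pressing Win+R produces the same lineage, so treat this as a lead to tune by command line, not a verdict.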
Download & Use
Copyright (c) 2020, Steven F
All rights reserved.