AutoRDPwn deploys shadow attacks without a trace

A security tool designed to enable the complete remote takeover of a victim’s desktop was presented at Black Hat USA yesterday (August 5).

AutoRDPwn is a post-exploitation framework that allows security pros to recreate shadow attacks against Microsoft Windows systems.

A shadow attack is the term given to the abuse of misconfigured shadow sessions, explained Joel Gàmez, who built the PowerShell tool.

On-demand control

The open source tool can be used to automate this assault, enabling a remote actor to view the desktop of their victim, and even control it on demand, using native tools of the operating system itself.

It can also be deployed offline and was invented to enable security researchers to understand and protect against vulnerabilities.

Gàmez demonstrated the tool during the Arsenal sessions on the first day of Black Hat, held online this year due to the coronavirus pandemic.

Although AutoRDPwn was written for Windows, some modules can be used in Linux. It can also be deployed through Docker.

“One of the great advantages that the tool offers is the ability to move quickly through a local network of computers with Microsoft Windows,” Gàmez told The Daily Swig.

“Moreover, as it is compatible with almost all versions, this offers us a high probability of success.”

Read more of the latest news from Black Hat 2020

If the victim does not have any advanced protections installed, the tool, which is available in seven different languages, can enable an attacker to snoop on them undetected.

Quiet as a mouse

There are no obvious warning signs that AutoRDPwn has been deployed, says Gàmez. For example, it does not consume a suspicious amount of computer resources, and the victim cannot tell if there is someone watching in real time – unless they move the mouse, that is.

“This would allow [the attacker] to obtain the credentials of a virtual keyboard using the mouse or some touch device, for example, which a conventional keylogger could not capture in any way,” says the researcher.

The shadow attack is different to other remote desktop protocol attacks, such as brute-force or denial-of-service attacks, he explains.

“While all these techniques are based on attacking directly the remote desktop protocol itself, the shadow Attack is based on a totally different concept, which really makes the big difference between the rest of the RDP attacks,” said Gàmez.

“Although they [shadow sessions] were designed to support users on the Windows Server versions, they can be deployed on any other version of Windows (for example, on a Windows 10 Home) even if they do not have a remote desktop.

“For this, we can use any technique, from local access to the machine itself, to remote code execution through SMB, WMI, WinRM, or any other technique.

YOU MIGHT ALSO LIKE KubiScan: Open source Kubernetes security tool showcased at Black Hat 2020

“The tool, mainly, automates this whole process by only having to enter three fields (IP or host name, user and password). In addition, if we do not know the user’s credentials, the tool automatically makes a pass-the-token with the current credentials.

“We can also do a pass-the-hash if we have a user’s hashes, or we can dump them with Mimikatz from the tool itself.”

Once the shadow sessions have been misconfigured, the attacker is able to remotely take complete control of the victim’s desktop.

“In short, [a] Shadow Attack allows us to abuse any type of local or remote execution of a system, to gain control of any user without hijacking their session, without closing or altering it. In addition, the connection is made through RPC using random ports, both in origin and destination.

“This makes the attack totally transparent to the victim, difficult to detect and with unbeatable characteristics for an ethical hacking intrusion.

“Who would imagine that someone is spying on a Windows 10 Home by remote desktop, through a port that is not the remote desktop, when this version does not even have a remote desktop?”

Leave no trace

There are other implications that need to be considered, particularly in ethical hacking situations.

The tool leaves different types of backdoors in the victim’s machine, which should be removed by undoing persistent changes after the intrusion takes place, Gàmez says.

He explained: “Currently, I’m working on this to be done in a fully automatic way at the end of the attack, [making it] possible to cancel this process with the -noclean parameter. It is likely that in the next version of the tool it will be available.”

Gàmez told The Daily Swig that “practically no technical knowledge” is needed to use AutoRDPwn.

He also described it as having “no limit to its use” – it can be deployed to learn more about shadow attacks, or simply to test the defenses of a network.

Gàmez explained: “You can use it to learn how Shadow sessions or lateral movements work on Windows systems.

“You can also use it to get the domain administrator’s account in a Red Team exercise, or you can test your company’s defense measures.

“You can even play a joke on your co-worker who has left his credentials written on a post-it.”

READ MORE ATTPwn: Adversary emulation tool allows pen testers to identify security holes before attackers do