
War Room

Shells From Above


Launch rdesktop from Metasploit

October 26, 2015 By RSM Author

I often resort to remote desktop sessions when pillaging or attempting lateral escalation.  Remote desktop provides an easy way to look for important data, get an idea of what applications are in use, run scripts or programs, and transfer data between my host and the target system.  Since the Windows “Remote Desktop Connection” program keeps track of IP addresses and makes it easy to redirect local resources to the remote machine, I tend to default towards using it.

However, my Metasploit database also keeps track of target IP addresses, not to mention credentials I’ve acquired and hosts running RDP.  Therefore, it occurred to me that using Metasploit to launch the Linux rdesktop client would be an easy way to facilitate GUI-based pillaging without leaving the comfort of the console.  Hence the launch_rdesktop module:

The module is a simple wrapper for rdesktop.  If you have rdesktop installed, the module should be able to find it on its own.  It requires an IP address and can take a domain, username, and password as arguments as well.  It also supports redirecting a local disk to the target system as a share via the LPATH option.
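A wrapper like this hands a credential and several user-controlled strings to an external program, so how the command is assembled matters. The sketch below is an added example, not the launch_rdesktop module's code: the helper names and the share name `share` are assumptions, while `-u`, `-d`, `-p -` and `-r disk:` are standard rdesktop options. It builds the arguments as an array so no shell parses them, and feeds the password over stdin so it never shows up in the process list.

```ruby
# Added example with hypothetical helper names (not the module's own code).
require 'ipaddr'

# Find an executable on PATH without invoking a shell.
def find_executable(name, path = ENV.fetch('PATH', ''))
  path.split(File::PATH_SEPARATOR)
      .map { |dir| File.join(dir, name) }
      .find { |file| File.file?(file) && File.executable?(file) }
end

# True only for a single literal IP address (no CIDR suffix, no extra text).
def valid_ip?(host)
  IPAddr.new(host).to_s == host
rescue IPAddr::Error
  false
end

# Build the rdesktop argument vector. Returning an array means option values
# are passed to the program verbatim and never interpreted by a shell.
def rdesktop_argv(binary, host:, user: nil, domain: nil, password: nil, lpath: nil)
  raise ArgumentError, "not an IP address: #{host.inspect}" unless valid_ip?(host)

  argv = [binary]
  argv += ['-u', user]   if user
  argv += ['-d', domain] if domain
  # "-p -" tells rdesktop to read the password from standard input, so the
  # secret does not appear in `ps` output or /proc/<pid>/cmdline.
  argv += ['-p', '-']    if password
  if lpath
    raise ArgumentError, 'LPATH must be an existing directory' unless File.directory?(lpath)
    # "share" is an assumed share name for the redirected local disk.
    argv += ['-r', "disk:share=#{File.expand_path(lpath)}"]
  end
  argv << host
end

# Start rdesktop in the background and return its PID to the caller.
def launch_rdesktop(argv, password: nil)
  reader, writer = IO.pipe
  pid = Process.spawn(*argv, in: reader)  # array form: no shell involved
  reader.close
  writer.puts(password) if password
  writer.close
  Process.detach(pid)
  pid
end
```

The directory named by LPATH becomes readable and writable from the remote session, so a dedicated transfer directory is a better choice than a home or engagement-data directory.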

For a simple example of the module in use, let’s say I’m testing credentials I’ve obtained to see if and where they have administrative rights:

[Screenshot: oct_blog_screen1]

Finding a host, I’ll check the nmap results I imported previously to see if that system happens to be running RDP:

[Screenshot: oct_blog_screen2]

We’re in luck. Now I’ll pop over to the launch_rdesktop module.  Using the up arrow I can quickly re-enter most of the pertinent options from the smb_login module:

[Screenshot: oct_blog_screen3]

The module returns you to the msfconsole prompt but spawns a new process for rdesktop as seen below:

[Screenshot: oct_blog_screen4]

By allowing one to easily change select parameters via the options and being closer to the Metasploit database, this module should expedite the process of making remote desktop connections and facilitate pillaging.  With so many organizations using remote desktop and sharing credentials, speeding up that process can be a valuable time saver.

Thanks to steiner for helping make the code clean and efficient.

 
