RDPThief : Extracting Clear Text Passwords From mstsc.exe Using API Hooking

RDPThief by itself is a standalone DLL that when injected in the mstsc.exe process, will perform API hooking, extract the clear-text credentials and save them to a file.

An aggressor script accompanies it, which is responsible for managing the state, monitoring for new processes and injecting the shellcode in mstsc.exe. The DLL has been converted to shellcode using the sRDI project (https://github.com/monoxgas/sRDI). When enabled, RdpThief will get the process list every 5 seconds, search for mstsc.exe, and inject to it.

When the aggressor script is loaded on Cobalt Strike, three new commands will be available:

  • rdpthief_enable – Enables the hearbeat check of new mstsc.exe processes and inject into them.
  • rdpthief_disable – Disables the hearbeat check of new mstsc.exe but will not unload the already loaded DLL.
  • rdpthief_dump – Prints the extracted credentials if any.

Also Read – SCShell : Fileless Lateral Movement Tool That Relies On ChangeServiceConfigA To Run Command

Screenshot

Demo Video

R K

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

4 hours ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

4 hours ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

1 day ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

2 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

3 days ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

3 days ago