RdpThief - Extracting Clear Text Passwords from mstsc.exe using API Hooking


RdpThief by itself is a standalone DLL that when injected in the mstsc.exe process, will perform API hooking, extract the clear-text credentials and save them to a file. An aggressor script accompanies it, which is responsible for managing the state, monitoring for new processes and injecting the shellcode in mstsc.exe. The DLL has been converted to shellcode using the sRDI project (https://github.com/monoxgas/sRDI). When enabled, RdpThief will get the process list every 5 seconds, search for mstsc.exe, and inject to it. When the aggressor script is loaded on Cobalt Strike, three new commands will be available: rdpthief_enable – Enables the hearbeat check of new mstsc.exe processes and inject into them. rdpthief_disable – Disables the hearbeat check of new mstsc.exe but will not unload the already loaded DLL. rdpthief_dump – Prints the extracted credentials if any. Remote Desktop is one of the most widely used tools for managing Windows Servers. Admins love....

November 28, 2019
Notify of
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.
What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4


We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.