Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
Mar 4, 2015

Sticky Keys Hunter

This POC bash script tests for sticky keys and utilman backdoors. The script will connect to an RDP server, send both the sticky keys and utilman triggers and screenshot the result.

This script was written to prove a theory I had about detecting these backdoors in a blackbox fashion, and hasn't been updated since I wrote my blog post, Hunting Sticky Keys Backdoors. However, @DennisMald and @notmedic furthered this research and released the Sticky Keys Slayer tool at their DEF CON 24 presentation, Sticky Keys To The Kingdom. Check out their tool as it has many improvements over this POC script.

How does it work?

  1. Connects to RDP using rdesktop
  2. Sends shift 5 times using xdotool to trigger sethc.exe backdoors
  3. Sends Windows+u using xdotool to trigger utilman.exe backdoors
  4. Takes screenshot
  5. Kills RDP connection

Prerequisites

  1. Linux host running an X server
  2. The following packages: xdotool imagemagick rdesktop bc 3. Debian/Ubuntu/Kali install: apt-get install xdotool imagemagick rdesktop bc
  3. Screen cannot be locked during this process or all of the screenshots will turn out black

Usage

Scan a single host: ./stickyKeysHunter.sh 192.168.1.10

Scan Multiple hosts: for i in $(cat list.txt); do ./stickyKeysHunter.sh "${i}"; done

TODO

  1. Automatically analyze screenshots with OCR or image processing to identify backdoors.
  2. Speed up/multithread the tool.

About

A script to test an RDP host for sticky keys and utilman backdoor.

Resources

License

Releases

No releases published

Packages

No packages published

Languages