How can one reverse a remote desktop connection?
Solution 1:
This vulnerability is described in the Microsoft article A case study in industry collaboration: Poisoned RDP vulnerability disclosure and response. This study was done in collaboration with Check Point researcher Eyal Itkin.
The article describes an attack by an infected server against a client connecting via RDP. The attack consists of the server using the shared clipboard feature to copy a group of files to the other computer and paste them there.
This is also called a "path traversal attack", where the malicious RDP server can drop arbitrary files in arbitrary paths on the client machine, thereby gaining total control of that computer.
The server can also notify the client about a fake clipboard update without an actual copy operation inside the RDP window, thus completely controlling the client’s clipboard without the user noticing.
Eyal Itkin's study of RDP vulnerabilities in various RDP software is available in the article Reverse RDP Attack: Code Execution on RDP Clients, where the number of vulnerabilities that he found is simply horrifying.
To protect against these attacks, the only solution is to always use the latest and fully updated RDP client. Otherwise, disable at least the shared clipboard feature while connecting.
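As an added illustration of the path traversal issue described in Solution 1 (not code from either article or from any RDP client): a client-side check that a file name supplied by the server stays inside the paste destination. The function name, destination directory and sample names are hypothetical and constructed for this example.

```python
import ntpath  # Windows path semantics, usable on any OS

# DOS device names that Win32 resolves regardless of the directory.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def safe_paste_target(dest_dir, remote_name):
    """Return the absolute path for a server-supplied relative file name,
    or None if the name could land outside dest_dir."""
    if not remote_name or "\x00" in remote_name:
        return None
    name = remote_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    # Reject drive letters, UNC prefixes and rooted paths outright.
    if drive or rest.startswith("\\"):
        return None
    parts = rest.split("\\")
    for part in parts:
        if part in ("", ".", ".."):          # traversal or empty component
            return None
        if ":" in part:                      # alternate data stream syntax
            return None
        if part.rstrip(" .") != part:        # Win32 strips trailing dots/spaces
            return None
        if part.split(".")[0].upper() in _RESERVED:
            return None
    base = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(base, *parts))
    # Defence in depth: confirm containment after normalisation.
    if ntpath.commonpath([base, target]).lower() != base.lower():
        return None
    return target


if __name__ == "__main__":
    dest = r"C:\Users\alice\Desktop"         # constructed paste destination
    samples = [                              # constructed file names
        r"docs\report.txt",
        r"..\..\outside.txt",
        r"C:\elsewhere\x.txt",
        r"\\host\share\x.txt",
        "docs/../../x.txt",
    ]
    for s in samples:
        print(f"{s!r:28} -> {safe_paste_target(dest, s)}")
```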
Solution 2:
These types of scammers look for non-tech-savvy people. Software like TeamViewer detects "likely" scammer activities and warns people about scams if you get connected, for example, to an IP geofenced from, say, India and you are not in it:
...
We have taken the necessary steps to make sure that the remote IDs can no longer be used for illegal purposes and we are constantly working on new methods of finding and blocking such users. TeamViewer will display a warning message if an incoming connection with a potential fraudulent background is detected to warn our users of the risk of a potential scam
... (https://community.teamviewer.com/t5/Previous-versions-EN/Scammers/td-p/682)
To avoid this kind of detection and warning, the scammer sometimes lets the client initiate the connection bidirectionally and then takes over - if you are fast, you can bug the scammer's PC with something that allows you access before that happens.
Sometimes scam baiters leave e.g. a "creditinfo.xls" in a folder "FinanceData" on their desktop in the hope that the scammers download it and open it. It contains a macro virus bugging the scammer's PC and allowing remote access (not by the same tool, but providing their own backdoor).
Both things are probably borderline illegal.
There exist other ways as well - Jim Browning, for example, sometimes shows that he leverages Wireshark to trace network connections and traffic back to the attackers. If/what he uses exactly to bug the network he intrudes into is probably not shown for a reason - I think he's cool nonetheless. The tool he uses does not use TeamViewer, but other ways of backdooring the networks of the scammers.