@fulc2um fulc2um commented Oct 18, 2025

This pull request brings necessary enumerations to tsts.py and tstool.py to utilize the Shadowing features of Remote Desktop services:

Implemented:

  • SessEnvPublicRpc interface
  • RpcShadow2 method call

Complete workflow:
  0. Make sure you have the permissions and network visibility
  1. Enable shadowing using any method (gpo/reg.exe or nxc -M shadowrdp)
  2. Enumerate active sessions (qwinsta or nxc --qwinsta)
  3. tstool.py '<domain>/<username>':'<password>'@<host> shadow -session <target_session_id> // optional arguments: [-control|-prompt|-file]; format of the file: .msrcIncident
  4. xfreerdp invite.msrcIncident

Demo:

lin_ver_sp_lq.mov
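
For defenders, step 1 of the workflow above is the part that leaves configuration traces. The following is an added example, not part of this pull request or of Impacket: it triages registry-write telemetry for the Remote Desktop Services `Shadow` Group Policy value. It assumes shadowing is enabled through that policy value (the description does not name the key) and that events arrive as Sysmon Event ID 13 style records; the function name and all sample records are constructed.

```python
import re

# Group Policy "Shadow" DWORD -> (remote-control rule, user consent required)
MODES = {0: ("no remote control", None),
         1: ("full control", True), 2: ("full control", False),
         3: ("view only", True), 4: ("view only", False)}
KEY = re.compile(r"\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow$", re.I)
DWORD = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.I)

def triage(events):
    """Return one finding per registry write that turns session shadowing on."""
    findings = []
    for ev in events:
        if not KEY.search(ev["TargetObject"]):
            continue                      # some other Terminal Services value
        m = DWORD.fullmatch(ev["Details"])
        value = int(m.group(1), 16) if m else None
        if value == 0:
            continue                      # policy explicitly disables shadowing
        rule, consent = MODES.get(value, ("unrecognised data", None))
        if value not in MODES:
            severity = "review"           # wrong type or out-of-range value
        else:
            severity = "medium" if consent else "high"
        findings.append({"host": ev["Computer"], "writer": ev["Image"],
                         "value": value, "rule": rule, "severity": severity})
    return findings

# Constructed sample records shaped like Sysmon Event ID 13 (registry value set).
BASE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
SAMPLE = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": BASE + r"\Shadow", "Details": "DWORD (0x00000002)"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": BASE + r"\shadow", "Details": "DWORD (0x00000001)"},
    {"Computer": "WS03", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": BASE + r"\Shadow", "Details": "DWORD (0x00000000)"},
    {"Computer": "WS04", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": BASE + r"\fDenyTSConnections", "Details": "DWORD (0x00000000)"},
    {"Computer": "WS05", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": BASE + r"\Shadow", "Details": "Binary Data"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Writes that allow shadowing without user consent are ranked highest; a write with an unexpected data type is kept for manual review rather than dropped.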

@fulc2um fulc2um changed the title from "Remote Desktop Shadowing feature support" to "[tstool.py update] Remote Desktop Shadowing feature support" Oct 18, 2025
@snovvcrash
Contributor

Another private feature is in public now... Great job @fulc2um!

@Dfte
Contributor

Dfte commented Nov 4, 2025

Holy shit it's so fucking cool someone actually implemented it into Impacket!!!!!

@anadrianmanrique anadrianmanrique added the "high" (High priority item) label Nov 7, 2025
@anadrianmanrique anadrianmanrique self-assigned this Nov 7, 2025
@anadrianmanrique
Collaborator

@fulc2um thanks for the PR. This seems to be an interesting functionality. I requested some minor changes to have this merged. Aside from that, I used xfreerdp to test this. I don't know yet why, but I've got errors in some iterations. It doesn't seem to be a consistent behavior. I don't know whether there's a problem in xfreerdp per se or in the xml file. So, every time I get an error, I re-execute tstool.py to generate the xml invite file again, and then it works ok...

@anadrianmanrique anadrianmanrique added the "waiting for response" (Further information is needed from people who opened the issue or pull request) label Nov 14, 2025
@anadrianmanrique anadrianmanrique removed the "waiting for response" (Further information is needed from people who opened the issue or pull request) label Nov 17, 2025
@anadrianmanrique
Collaborator

Thanks, now PR is ready to be merged.

@anadrianmanrique anadrianmanrique merged commit 7bd0d5a into fortra:master Nov 17, 2025
7 checks passed
@fulc2um fulc2um deleted the shadowRdp branch November 18, 2025 00:05