stickyKeysHunter - A Script to Test an RDP Host for Sticky Keys and Utilman Backdoor

This bash script tests for sticky keys and utilman backdoors. The script will connect to an RDP server, send both the sticky keys and utilman triggers and screenshot the result.

How does it work?
  1. Connects to RDP using rdesktop
  2. Sends shift 5 times using xdotool to trigger sethc.exe backdoors
  3. Sends Windows+u using xdotool to trigger utilman.exe backdoors
  4. Takes screenshot
  5. Kills RDP connection

  1. Linux host running an X server
  2. The following packages: xdotool imagemagick rdesktop bc
    1. Debian/Ubuntu/Kali install: apt-get install xdotool imagemagick rdesktop bc
  3. Screen cannot be locked during this process or all of the screenshots will turn out black

Scan a single host: ./stickyKeysHunter.sh
Scan Multiple hosts: for i in $(cat list.txt); do ./stickyKeysHunter.sh "${i}"; done

  1. Automatically analyze screenshots with OCR or image processing to identify backdoors.
  2. Speed up/multithread the tool.

Disqus Comments