Port 3389 - Remote Desktop Protocol (RDP)
Sources for these notes
Description
Basic information about RDP service: Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software (from here).
| Name | Description | |
|---|---|---|
| port | 3389/TCP | |
| state | open | |
| service | ms-wbt-server | |
| version | Microsoft Terminal Services | |
| Banner | rdp-ntlm-info |
RDP works at the application layer in the TCP/IP reference model, typically utilizing TCP port 3389 as the transport protocol. However, the connectionless UDP protocol can use port 3389 also for remote administration. The Remote Desktop service is installed by default on Windows servers and does not require additional external applications. This service can be activated using the Server Manager and comes with the default setting to allow connections to the service only to hosts with Network level authentication (NLA).
Enumeration
Footprinting the service:
rdp-sec-check.pl
rdp-sec-check.pl is a perl script to enumerate security settings of an RDP Service (AKA Terminal Services).
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
./rdp-sec-check.pl $ip
Connection with rdp
To run Microsoft’s Remote Desktop Protocol (RDP) client, a command-line interface called Microsoft Terminal Services Client (MSTSC) is used. We can connect to RDP servers on Linux using xfreerdp, rdesktop, or Remmina and interact with the GUI of the server accordingly.
xfreerdp
We can first try to form an RDP session with the target by not providing any additional information for any switches other than the target IP address. This will make the script use your own username as the login username for the RDP session, thus testing guest login capabilities.
Try to login with other default accounts, such as user, admin, Administrator, and so on. We will also be specifying to the script that we would like to bypass all requirements for a security certificate so that our own script does not request them:
xfreerdp /cert:ignore /u:Administrator /v:$ip
# /cert:ignore : Specifies to the scrips that all security certificate usage should be ignored.
# /u:Administrator : Specifies the login username to be "Administrator".
# /v:$ip: Specifies the target IP of the host we would like to connect to.
If successful, during the initialization of the RDP session, we will be asked for a password. We can hit Enter to see if the process continue without one. Sometimes there are severe mishaps in configurations like this and we can gain access.
If you know user and credentials:
xfreerdp [/d:domain] /u:<username> /p:<password> /v:$ip
#Pass the hash
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:$ip
Troubleshoot in PtH attack
Restricted Admin Mode, which is disabled by default, should be enabled on the target host; otherwise, you will be presented with an error. This can be enabled by adding a new registry key DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa with the value of 0. It can be done using the following command:
Once the registry key is added, we can use xfreerdp with the option /pth to gain RDP access.
rdesktop
See rdesktop.
Attacks
Password guessing
rdp_check.py from Impacket
Since RDP takes user credentials for authentication, one common attack vector against the RDP protocol is password guessing. There is a tool for checking known credentials against RDP services.
rdp_check.py from impacket let you check if some credentials are valid for a RDP service:
Brute force
Just think it twice: in many cases, a user account will be locked or disabled after a certain number of failed login attempts.
ncrack
hydra
Password Spraying
Be careful, you could lock accounts.
Crowbar
See crowbar.
Hydra
See hydra.
RDP Session Hijacking
With SYSTEM privileges you can access any opened RDP session by any user without the need of knowing the password of the owner.
Then, in Powershell, get opened sessions:
Access to the selected session:
Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features.
Important: When you access an active RDP sessions you will kickoff the user that was using it.
You could get passwords from the process dumping it, but this method is much faster and led you interact with the virtual desktops of the user (passwords in notepad without been saved in disk, other RDP sessions opened in other machines...).
Mimikatz Session Hijacking
You could also use mimikatz to steal a session:
Sticky-keys & Utilman Combining this technique with stickykeys or utilman you will be able to access a administrative CMD and any RDP session anytime
You can search RDPs that have been backdoored with one of these techniques already with: https://github.com/linuz/Sticky-Keys-Slayer
PsExec for escalating privileges: This method no longer works on Server 2019
PsExec is particularly effective for privilege escalation because it can create and run processes with SYSTEM privileges, even if executed from an Administrator account. Here’s how this process typically works:
- Command Execution as SYSTEM: When using PsExec with the
-sflag (e.g.,psexec -s cmd.exe), it launches a process that runs with SYSTEM privileges instead of the Administrator privileges of the account running it. - How It Works Internally: PsExec does this by leveraging Windows services, which typically run as SYSTEM by default. PsExec creates a temporary service on the machine to launch a command or program with SYSTEM privileges, then removes the service after completion.
- Escalation Path: Once PsExec launches a command prompt or other executable with SYSTEM privileges, the user essentially has unrestricted access. This enables them to perform actions that would other
Example of an exploitation: creating a service that will run as SYSTEM
Results:
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
>juurena rdp-tcp#13 1 Active 7 8/25/2021 1:23 AM
lewen rdp-tcp#14 2 Active * 8/25/2021 1:28 AM
Explanation: Create a Windows service that, by default, run as Local System and will execute any binary with SYSTEM privileges. We use Microsoft sc.exe binary. First, we specify the service name (Nameofservice) and the binpath, which is the command we want to execute. Once we run the following command, a service named Nameofservice will be created.
Initiate the service:
Once the service is started, a new terminal with the lewen user session will appear. With this new account, we can attempt to discover what kind of privileges it has on the network, and maybe we'll get lucky, and the user is a member of the Help Desk group with admin rights to many hosts or even a Domain Admin.
RDP with PtH attack
Trobleshooting: Restricted Admin Mode, which is disabled by default, should be enabled on the target host; otherwise, you will be presented with an error. This can be enabled by adding a new registry key DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa with the value of 0. It can be done using the following command:
Once the registry key is added, we can use xfreerdp with the option /pth to gain RDP access.
DoS
To check the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions).
nmap uses RDPcookies (mstshash=nmap) to interact with the RDP server. These cookies can be identified by security services such as EDRs, and can lock us out, so we need to think twice before running that scan.
Results:
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-enum-encryption:
| Security layer
| CredSSP (NLA): SUCCESS
| CredSSP with Early User Auth: SUCCESS
|_ RDSTLS: SUCCESS
| rdp-ntlm-info:
| Target_Name: EXPLOSION
| NetBIOS_Domain_Name: EXPLOSION
| NetBIOS_Computer_Name: EXPLOSION
| DNS_Domain_Name: Explosion
| DNS_Computer_Name: Explosion
| Product_Version: 10.0.17763
|_ System_Time: 2022-11-11T12:16:26+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
RDP Process Injection
If someone from a different domain or with better privileges login via RDP to the PC where you are an Admin, you can inject your beacon in his RDP session process and act as him.
RDP Sessions Abuse
Shadow Attack
AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself.
https://github.com/JoelGMSec/AutoRDPwn
Bluekeep
In 2019, a critical vulnerability was published in the RDP (TCP/3389) service that also led to remote code execution (RCE) with the identifier CVE-2019-0708.
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Last update: 2024-11-01 Created: January 1, 2023 21:59:36