3389 rdp
Description
source: https://book.hacktricks.xyz/network-services-pentesting/pentesting-rdp and HackTheBox Academy.
Basic information about RDP service: Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software (from here).
| Name | Description |
|---|---|
| port | 3389/TCP |
| state | open |
| service | ms-wbt-server |
| version | Microsoft Terminal Services |
| Banner | rdp-ntlm-info |
RDP works at the application layer in the TCP/IP reference model, typically utilizing TCP port 3389 as the transport protocol. However, the connectionless UDP protocol can use port 3389 also for remote administration. The Remote Desktop service is installed by default on Windows servers and does not require additional external applications. This service can be activated using the Server Manager and comes with the default setting to allow connections to the service only to hosts with Network level authentication (NLA).
Enumeration
To check the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions).
nmap uses RDPcookies (mstshash=nmap) to interact with the RDP server. These cookies can be identified by security services such as EDRs, and can lock us out, so we need to think twice before running that scan.
Results:
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-enum-encryption:
| Security layer
| CredSSP (NLA): SUCCESS
| CredSSP with Early User Auth: SUCCESS
|_ RDSTLS: SUCCESS
| rdp-ntlm-info:
| Target_Name: EXPLOSION
| NetBIOS_Domain_Name: EXPLOSION
| NetBIOS_Computer_Name: EXPLOSION
| DNS_Domain_Name: Explosion
| DNS_Computer_Name: Explosion
| Product_Version: 10.0.17763
|_ System_Time: 2022-11-11T12:16:26+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
rdp-sec-check.pl is a perl script to enumerate security settings of an RDP Service (AKA Terminal Services).
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
./rdp-sec-check.pl $ip
Connection with rdp
To run Microsoft’s Remote Desktop Protocol (RDP) client, a command-line interface called Microsoft Terminal Services Client (MSTSC) is used. We can connect to RDP servers on Linux using xfreerdp, rdesktop, or Remmina and interact with the GUI of the server accordingly.
xfreerdp
We can first try to form an RDP session with the target by not providing any additional information for any switches other than the target IP address. This will make the script use your own username as the login username for the RDP session, thus testing guest login capabilities.
Try to login with other default accounts, such as user, admin, Administrator, and so on. We will also be specifying to the script that we would like to bypass all requirements for a security certificate so that our own script does not request them:
xfreerdp /cert:ignore /u:Administrator /v:$ip
# /cert:ignore : Specifies to the scrips that all security certificate usage should be ignored.
# /u:Administrator : Specifies the login username to be "Administrator".
# /v:$ip: Specifies the target IP of the host we would like to connect to.
If successful, during the initialization of the RDP session, we will be asked for a password. We can hit Enter to see if the process continue without one. Sometimes there are severe mishaps in configurations like this and we can gain access.
If you know user and credentials:
Brute force
ncrack -vv --user <User> -P pwds.txt rdp://$ip
hydra -V -f -L <userslist> -P <passwlist> rdp://$ip
hydra -L user.list -P password.list rdp://$ip
Password Spraying
Be careful, you could lock accounts
# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
Connect with known credentials/hash
rdesktop -u <username> $ip
rdesktop -d <domain> -u <username> -p <password> $ip
xfreerdp [/d:domain] /u:<username> /p:<password> /v:$ip
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:$ip #Pass the hash
Check known credentials against RDP services
rdp_check.py from impacket let you check if some credentials are valid for a RDP service:
Attacks
Session stealing
With SYSTEM permissions you can access any opened RDP session by any user without need to know the password of the owner.
Get openned sessions:
Access to the selected session
Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features.
Important: When you access an active RDP sessions you will kickoff the user that was using it. You could get passwords from the process dumping it, but this method is much faster and led you interact with the virtual desktops of the user (passwords in notepad without been saved in disk, other RDP sessions opened in other machines...)
Mimikatz
You could also use mimikatz to do this:
Sticky-keys & Utilman Combining this technique with stickykeys or utilman you will be able to access a administrative CMD and any RDP session anytime
You can search RDPs that have been backdoored with one of these techniques already with: https://github.com/linuz/Sticky-Keys-Slayer
RDP Process Injection
If someone from a different domain or with better privileges login via RDP to the PC where you are an Admin, you can inject your beacon in his RDP session process and act as him:
RDP Sessions Abuse
Shadow Attack
AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself.
https://github.com/JoelGMSec/AutoRDPwn
Last update: 2023-07-13 Created: January 1, 2023 21:59:36