RDP

By default, RDP uses port TCP/3389. A quick port check with nmap (skipping host discovery with -Pn):

nmap -Pn -p3389 <IP>

Misconfigurations

Since RDP takes user credentials for authentication, one common attack vector against the RDP protocol is password guessing. Although it is not common, we could find an RDP service without a password if there is a misconfiguration.

Using the Crowbar tool, we can perform a password spraying attack against the RDP service.

crowbar -b rdp -s <IP>/32 -U users.txt -c 'password123'

We can also use Hydra to perform an RDP password spray attack.

hydra -L usernames.txt -p 'password123' <IP> rdp

With valid credentials, we can RDP into the target system using the rdesktop or xfreerdp client.

rdesktop -u admin -p password123 <IP>
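The spraying attacks above leave a distinctive trace on the target: many failed logons (Event ID 4625) with Logon Type 10 (RemoteInteractive, i.e. RDP) from one source against many different accounts, followed by a successful 4624 when a password hits. The following detection is an added example (not from the original notes) that runs that logic over constructed event records; the tuple layout, sample IPs and account names are assumptions for the demo.

```python
# Added example (not from the original notes): flag RDP password spraying
# from Windows Security log records.  4625 = failed logon, 4624 = successful
# logon; Logon Type 10 = RemoteInteractive (RDP).  The records below are
# constructed sample data, not real telemetry.
from collections import defaultdict

# Constructed sample events: (event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    (4625, 10, "alice", "10.0.0.5"),
    (4625, 10, "bob",   "10.0.0.5"),
    (4625, 10, "carol", "10.0.0.5"),
    (4625, 10, "dave",  "10.0.0.5"),
    (4625, 10, "erin",  "10.0.0.5"),
    (4624, 10, "erin",  "10.0.0.5"),   # the spray eventually succeeded
    (4625, 10, "alice", "10.0.0.9"),   # a single mistyped password, not a spray
    (4625, 3,  "svc",   "10.0.0.5"),   # network logon, not RDP: ignored
]


def detect_rdp_spray(events, min_distinct_accounts=5):
    """Return {source_ip: {"accounts": [...], "succeeded": [...]}} for every
    source that failed RDP (logon type 10) logons against at least
    `min_distinct_accounts` different accounts.

    A spray tries one password across many users, so the tell is breadth of
    accounts per source, not depth of attempts per account (which is what an
    account-lockout threshold catches and a spray deliberately stays under).
    """
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for event_id, logon_type, account, src in events:
        if logon_type != 10:          # only RemoteInteractive (RDP) logons
            continue
        if event_id == 4625:
            failed[src].add(account)
        elif event_id == 4624:
            succeeded[src].add(account)

    findings = {}
    for src, accounts in failed.items():
        if len(accounts) >= min_distinct_accounts:
            findings[src] = {
                "accounts": sorted(accounts),
                # accounts that later logged in from the same source: the
                # spray found a working password and needs triage first
                "succeeded": sorted(accounts & succeeded[src]),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_rdp_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {len(info['accounts'])} accounts tried, "
              f"succeeded for {info['succeeded'] or 'none'}")
```

The threshold is per source IP, so a jump host that many users legitimately share will need a higher value or an allow-list; the "succeeded" list is what turns a noisy alert into an incident.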

Protocol Specific Attacks

RDP Session Hijacking

If a user is connected via RDP to our compromised machine, we can hijack the user's remote desktop session to escalate our privileges and impersonate the account. In an Active Directory environment, this could result in us taking over a Domain Admin account or furthering our access within the domain.

List the logged-in sessions with:

query user

To successfully impersonate a user without their password, we need to have SYSTEM privileges and use the Microsoft tscon.exe binary that enables users to connect to another desktop session.

tscon <target_session_id> /dest:<our_session_name>

If we have local administrator privileges, we can use several methods to obtain SYSTEM privileges, such as PsExec or Mimikatz. A simple trick is to create a Windows service, which by default runs as Local System, and have it execute the binary with SYSTEM privileges. We will use the Microsoft sc.exe binary (note that sc.exe requires a space after binpath=):

sc.exe create sessionhijack binpath= "cmd.exe /k tscon <target_session_id> /dest:<our_session_name>"
net start sessionhijack
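From the defender's side, the hijack above is visible in two places: a service installation (Event ID 7045 in the System log) whose image path is a shell one-liner invoking tscon rather than a service binary, and a process creation (Event ID 4688) of tscon.exe in the SYSTEM context. The following is an added example, not from the original notes, that runs both checks over constructed records; the dict field names follow the Windows event XML and the sample paths and service names are assumptions.

```python
# Added example (not from the original notes): flag the tscon-based RDP
# session hijack from constructed Windows event records.
# 7045 (System log) = a service was installed; 4688 (Security log) = a new
# process was created.  Sample records are constructed, not real telemetry.
import re

SAMPLE_RECORDS = [
    {"event_id": 7045, "ServiceName": "sessionhijack",
     "ImagePath": 'cmd.exe /k tscon 2 /dest:rdp-tcp#13',
     "AccountName": "LocalSystem"},
    {"event_id": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "AccountName": "LocalSystem"},
    {"event_id": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\tscon.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 4688, "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]

# "tscon" or "tscon.exe" appearing as a token in a command line / image path
TSCON = re.compile(r'(^|[\\\s"])tscon(\.exe)?(\s|$)', re.IGNORECASE)
# service image paths that are really a shell launcher, not a service binary
SHELL_LAUNCHER = re.compile(r'^\s*"?(cmd|powershell|pwsh)(\.exe)?\b', re.IGNORECASE)


def detect_session_hijack(records):
    """Return a list of (rule, subject, detail) alerts.

    rule "service_install": a newly installed service whose ImagePath runs
    tscon or is a bare cmd/powershell launcher (the sc.exe trick above).
    rule "tscon_as_system": tscon.exe started in the SYSTEM context, which is
    what allows reconnecting to another user's session without a password.
    """
    alerts = []
    for r in records:
        if r["event_id"] == 7045:
            path = r.get("ImagePath", "")
            if TSCON.search(path) or SHELL_LAUNCHER.match(path):
                alerts.append(("service_install", r.get("ServiceName", "?"), path))
        elif r["event_id"] == 4688:
            proc = r.get("NewProcessName", "")
            user = r.get("SubjectUserName", "")
            if proc.lower().endswith("tscon.exe") and user.upper() == "SYSTEM":
                alerts.append(("tscon_as_system", r.get("ParentProcessName", "?"), proc))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect_session_hijack(SAMPLE_RECORDS):
        print(f"[{rule}] {subject}: {detail}")
```

tscon has legitimate administrative uses, so the 4688 rule keys on the SYSTEM context rather than on the binary alone; command-line logging must be enabled for 4688 to carry the process name, and 7045 is only useful if service installs are forwarded off the host before an attacker can clear the log.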

PtH RDP

There are a few caveats to this attack:

  • Restricted Admin Mode, which is disabled by default, should be enabled on the target host; otherwise, we will be prompted with the following error:

This can be enabled by adding a new registry value DisableRestrictedAdmin (REG_DWORD), set to 0, under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. It can be done using the following command:

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Once the registry value is added, we can use xfreerdp with the /pth option to gain RDP access:

xfreerdp /v:<IP> /u:lewen /pth:<Hash>

If it works, we'll now be logged in via RDP as the target user without knowing their cleartext password.

Keep in mind that this will not work against every Windows system we encounter, but it is always worth trying in a situation where we have an NTLM hash, know the user has RDP rights against a machine or set of machines, and GUI access would benefit us in some ways towards fulfilling the goal of our assessment.
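Because Restricted Admin mode is the precondition for this technique, a defender's first question is which hosts have DisableRestrictedAdmin set to 0. The following added example (not from the original notes) interprets the output of `reg query HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin` collected from several hosts; the host names and outputs are constructed, and the "ERROR: ... unable to find" line is the message reg.exe prints when the value does not exist.

```python
# Added example (not from the original notes): audit hosts for Restricted
# Admin mode by parsing `reg query ... /v DisableRestrictedAdmin` output.
# The mode is enabled only when the value exists and is 0; a value of 1 or an
# absent value means it is disabled (the Windows default), and the /pth
# logon shown above is then refused.  Sample outputs are constructed.
import re

VALUE_LINE = re.compile(
    r"^\s*DisableRestrictedAdmin\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$",
    re.MULTILINE,
)
NOT_FOUND = "unable to find the specified registry key or value"

# Constructed sample outputs, one per host
SAMPLE_OUTPUTS = {
    "host-a": (
        "\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\n"
        "    DisableRestrictedAdmin    REG_DWORD    0x0\n\n"
    ),
    "host-b": (
        "\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\n"
        "    DisableRestrictedAdmin    REG_DWORD    0x1\n\n"
    ),
    "host-c": (
        "\nERROR: The system was unable to find the specified registry "
        "key or value.\n"
    ),
}


def restricted_admin_state(reg_query_output):
    """Return (enabled, reason) for one host's reg query output."""
    m = VALUE_LINE.search(reg_query_output)
    if m:
        value = int(m.group(1), 0)      # accepts 0x0 / 0x1 or plain decimal
        if value == 0:
            return True, "DisableRestrictedAdmin=0: Restricted Admin enabled, NTLM-hash RDP logon possible"
        return False, f"DisableRestrictedAdmin={value}: Restricted Admin disabled"
    if NOT_FOUND in reg_query_output:
        return False, "value absent: Restricted Admin disabled (default)"
    raise ValueError("unrecognised reg query output")


def audit(outputs):
    """Map host -> (enabled, reason); hosts with enabled=True need review."""
    return {host: restricted_admin_state(out) for host, out in outputs.items()}


if __name__ == "__main__":
    for host, (enabled, reason) in audit(SAMPLE_OUTPUTS).items():
        print(f"{host}: {'EXPOSED' if enabled else 'ok':7} {reason}")
```

Hosts reported as enabled are exactly those where an NTLM hash is as good as a password for RDP; unless Restricted Admin mode was turned on deliberately (it does stop the user's credentials from being sent to the remote host), setting the value back to 1 or removing it closes this path.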
