RDP
Last updated
Last updated
By default, RDP uses port TCP/3389
Since RDP takes user credentials for authentication, one common attack vector against the RDP protocol is password guessing. Although it is not common, we could find an RDP service without a password if there is a misconfiguration.
Using the tool, we can perform a password spraying attack against the RDP service.
We can also use Hydra to perform an RDP password spray attack.
We can RDP into the target system using the rdesktop client or xfreerdp client with valid credentials.
RDP Session Hijacking
If a user is connected via RDP to our compromised machine, we can hijack the user's remote desktop session to escalate our privileges and impersonate the account. In an Active Directory environment, this could result in us taking over a Domain Admin account or furthering our access within the domain.
Find the logged in sessions by using:
To successfully impersonate a user without their password, we need to have SYSTEM privileges and use the Microsoft binary that enables users to connect to another desktop session.
There are a few caveats to this attack:
Restricted Admin Mode, which is disabled by default, should be enabled on the target host; otherwise, we will be prompted with the following error:
This can be enabled by adding a new registry key DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. It can be done using the following command:
Once the registry key is added, we can use xfreerdp with the option /pth to gain RDP access:
If it works, we'll now be logged in via RDP as the target user without knowing their cleartext password.
Keep in mind that this will not work against every Windows system we encounter, but it is always worth trying in a situation where we have an NTLM hash, know the user has RDP rights against a machine or set of machines, and GUI access would benefit us in some ways towards fulfilling the goal of our assessment.
If we have local administrator privileges, we can use several methods to obtain SYSTEM privileges, such as or . A simple trick is to create a Windows service that, by default, will run as Local System and will execute any binary with SYSTEM privileges. We will use binary.