Remote Desktop Services (formerly known as Terminal Services) is a component of Microsoft Windows (server and client operating systems) that allows users to run programs remotely or manage a server from any machine that has a Remote Desktop Connection client and network access. In a Remote Desktop Services session, whether the client needs the entire environment of the remote computer or only individual programs, the Remote Desktop Session Host server does all the processing and uses its own hardware resources. The connection technology protects the session in two ways, but nothing is impregnable: there are methods that can break the security of the connection. Brute force is a method of compromising accounts by guessing their passwords.
The approach consists of sequentially and automatically trying all possible combinations of symbols until the correct one is found. Another threat is a man-in-the-middle, an outsider who can read and modify at will the messages exchanged between two correspondents while neither of them suspects its presence in the channel. It usually begins with listening to the communication channel and ends with an attempt to replace the intercepted message, extract useful information from it, or redirect it to some external resource. Therefore you need to take care of your security in advance and understand that the information, or access to it, can be used by a third party. This section discusses the tools and techniques for finding remote desktops offered by the RDP service and verifying their security.
By default, the RDP server listens on TCP port 3389 and UDP port 3389.
Computers with Remote Desktop enabled can be searched using Nmap with a command like this:
Example:
You can add options to collect banners: -sV --script=banner:
Crowbar, formerly known as levye, is a brute force tool that supports sshkey, vnckey, rdp and openvpn. Its distinguishing features are simplicity and efficiency.
Installing crowbar in Kali Linux:
Installing crowbar in BlackArch:
As a target, you can specify a range of IP addresses in CIDR format (-s option) or a file with such ranges (-S option). If you only need to specify one destination (a single IP address), use the /32 mask, for example 192.168.0.101/32. The -U option specifies a file with a list of user names, and the -u option specifies a single user. The -C option specifies a file with a list of passwords, and the -c option specifies a single password. The -b option selects the protocol to attack; in this case, -b rdp. The default port of the protocol can be changed with the -p option. The -d option makes crowbar check beforehand whether the ports are open on the specified targets (those given with the -s and -S options).
All crowbar options: https://kali.tools/?p=3636
An example of a successful RDP attack:
The levye program also works, but it has slightly different options:
Patator is the most powerful application for brute forcing many network services.
An example of RDP brute force launch:
For details on using patator, see the application card https://kali.tools/?p=269 and the instructions linked at the bottom of the card.
This is a modified version of the rdesktop program discussed earlier, which is a client for connecting to Windows Remote Desktop. This version differs from the original in that a brute force patch has been added. Recall that rdesktop requires additional configuration if Network Level Authentication (NLA) is enabled, so it is not very convenient to use.
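Every tool in this section leaves the same trail on the target: a burst of failed logons from one source. As an added example (not part of the original article or of any of these tools), the detector below runs a sliding-window threshold over constructed records shaped like Windows Security event 4625, assuming logon type 10 (RemoteInteractive) marks the RDP attempts; the record layout is an assumption for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security event 4625 (failed
# logon): (timestamp, event_id, logon_type, source_ip, username).
# Logon type 10 (RemoteInteractive) is the type an RDP logon produces.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", 4625, 10, "192.168.0.50", "administrator"),
    ("2024-05-01T10:00:01", 4625, 10, "192.168.0.50", "admin"),
    ("2024-05-01T10:00:02", 4625, 10, "192.168.0.50", "user"),
    ("2024-05-01T10:00:03", 4625, 10, "192.168.0.50", "test"),
    ("2024-05-01T10:00:04", 4625, 10, "192.168.0.50", "guest"),
    ("2024-05-01T10:00:05", 4625, 10, "192.168.0.50", "backup"),
    ("2024-05-01T10:00:06", 4625, 3,  "192.168.0.50", "backup"),  # network logon, not RDP
    ("2024-05-01T10:00:10", 4625, 10, "192.168.0.77", "alice"),   # an ordinary typo
    ("2024-05-01T10:02:30", 4625, 10, "192.168.0.77", "alice"),   # and another one
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with at least `threshold` failed RDP logons (event 4625,
    logon type 10) inside any sliding `window`. Returns
    {source_ip: {"failures": peak count inside the window, "users": names tried}}."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    users = defaultdict(set)
    flagged = {}
    for ts, event_id, logon_type, src_ip, user in sorted(events):
        if event_id != 4625 or logon_type != 10:
            continue              # other failure types are out of scope here
        t = datetime.fromisoformat(ts)
        q = recent[src_ip]
        q.append(t)
        users[src_ip].add(user)
        while t - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(src_ip, {"failures": 0})
            entry["failures"] = max(entry["failures"], len(q))
            entry["users"] = sorted(users[src_ip])
    return flagged

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} RDP failures, users tried: {info['users']}")
```

Many different usernames from one source inside the window is the spray pattern; a single user failing twice two minutes apart stays below the threshold.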
The rdp-sec-check tool checks which encryption algorithms and authentication methods are in use, as well as some other security options. At the end of the scan, rdp-sec-check prints a brief summary of possible RDS security issues.
Installing rdp-sec-check on Kali Linux:
Installing rdp-sec-check in BlackArch:
The launch command is very simple:
In the screenshot, you can see the security methods used on the remote RDP server. Nothing follows the [+] Summary of security issues line, so no obvious problems were detected.
Let’s check another, less secure host:
Here we see the following RDP server security issues:
The output says that there is no NLA and therefore a DoS attack is possible. If NLA is not used, a man-in-the-middle attack is also possible. It goes on to say that SSL is supported but not required, which also allows a MITM (man-in-the-middle) attack.
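The findings above come from the X.224 negotiation at the start of every RDP connection: the client lists the security protocols it supports and the server either picks one or refuses. As an added example (not the page's code and not rdp-sec-check's), the Python below builds that request, parses the reply, offers each protocol to a server on its own and maps the answers to the same issues; the byte layouts follow MS-RDPBCGR, and the server replies at the bottom are constructed so the classification runs offline.

```python
import socket
import struct
# Values from MS-RDPBCGR: requestedProtocols flags and rdpNegData message types.
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03

def build_neg_request(protocols):
    """TPKT-framed X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)      # type, flags, length, protocols
    x224_cr = struct.pack(">BBHHB", 14, 0xE0, 0, 0, 0) + neg_req  # LI=14, CR, dst/src ref, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224_cr)) + x224_cr  # TPKT: version 3, total length

def parse_neg_response(data):
    """Parse the X.224 Connection Confirm and report what the server chose."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) == 11:   # no rdpNegData at all: legacy server, Standard RDP Security only
        return {"accepted": True, "selected": PROTOCOL_RDP}
    msg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if msg_type == TYPE_RDP_NEG_RSP:
        return {"accepted": True, "selected": value}
    if msg_type == TYPE_RDP_NEG_FAILURE:
        return {"accepted": False, "failure_code": value}   # 5 = HYBRID_REQUIRED_BY_SERVER
    raise ValueError("unexpected rdpNegData type %d" % msg_type)

def probe(host, port=3389, timeout=5):
    """Offer each protocol on its own and record whether the server accepts it."""
    results = {}
    for proto in (PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_neg_request(proto))
            results[proto] = parse_neg_response(s.recv(1024))["accepted"]
    return results

def classify(results):
    """Turn the per-protocol answers into the findings rdp-sec-check summarises."""
    issues = []
    if results.get(PROTOCOL_RDP):
        issues.append("Standard RDP Security accepted: TLS not required, MITM possible")
    if results.get(PROTOCOL_SSL):
        issues.append("TLS without CredSSP accepted: NLA not mandated, pre-auth DoS/MITM possible")
    if not results.get(PROTOCOL_HYBRID):
        issues.append("CredSSP (NLA) not offered at all")
    return issues

# Constructed replies of a server that only allows NLA, used for the offline demo.
X224_CC_HEAD = bytes.fromhex("030000130ed00000123400")   # TPKT + X.224 CC header, 11 bytes
NLA_ONLY = {p: X224_CC_HEAD + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 5) for p in (PROTOCOL_RDP, PROTOCOL_SSL)}
NLA_ONLY[PROTOCOL_HYBRID] = X224_CC_HEAD + struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_HYBRID)
```

`classify(probe("your-host"))` returns an empty list only when the server rejects everything but CredSSP, which is the state the article recommends.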
Complete list of scripts: https://nmap.org/nsedoc/. Among them I found 3 related to RDP.
rdp-enum-encryption
Determines which security level and encryption level the RDP service supports, by iterating over all protocols and ciphers. When run in debug mode, the script also reports the protocols and ciphers that failed, as well as any errors encountered.
rdp-ntlm-info
This script lists information from remote RDP services with CredSSP authentication (NLA) enabled.
rdp-vuln-ms12-020
Checks whether the machine is vulnerable to the MS12-020 RDP vulnerability.
To run them, use the --script option, followed by one script or several scripts separated by commas:
You can also use all of these scripts at once like this:
An example of searching for RDP servers in the local network and obtaining information using NSE scripts:
Responder is a comprehensive man-in-the-middle attack tool against Windows authentication methods. Among its components is an RDP server.
Pyrdp is a man-in-the-middle attack tool and RDP library written in Python 3. It includes three tools:
pyrdp-clonecert
pyrdp-mitm
pyrdp-player
pyrdp has no spoofer of its own, so traffic redirection must be done by third-party tools such as bettercap, Ettercap or MITMf. The author of pyrdp created a modified version of bettercap; the main difference from the original, which redirects all traffic during the attack, is that this version redirects only RDP traffic. Details here: https://github.com/GoSecure/pyrdp/blob/master/docs/bettercap-rdp-mitm.md
An example of running a man-in-the-middle attack on RDP using pyrdp:
Error «ImportError: cannot import name 'RsaKey' from 'Crypto.PublicKey.RSA'»
The following error may occur:
To fix it, run the following commands:
Error «The server failed the negotiation. Error: The server requires that the client support Enhanced RDP Security»
The following error is also possible:
The reason is that the program does not support Network Level Authentication (NLA), that is, authentication at the network level before the session is established. NLA is a good way to add security to RDP, because an attacker cannot perform a man-in-the-middle attack on RDP without knowing the Windows user's password.
seth performs a MitM attack and extracts credentials in plain text from RDP connections.
Using:
Launch example:
sensepost-xrdp is the simplest X11 remote desktop tool for exploiting X11 sessions that do not require authentication.
sticky-keys-hunter is a script for testing RDP hosts for the sticky keys and utilman backdoors.
Using: