Remote Desktop allows you to connect to another computer, see its screen, run programs on it, and work on it as if you were sitting in front of it. Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that provides a graphical user interface for connecting to another computer over a network connection. To do this, the user runs the RDP client software, and the RDP server software must be running on the other computer. The technology ensures connection security in two ways. The first uses an internal subsystem (Standard RDP Security). An RSA key pair is generated on the remote machine and a public key certificate is signed by one of them. During connection, the client receives a signed certificate and a public key, which is used to select a data encryption technology. The second method suggests using external security tools (Enhanced RDP Security).
As an example, let’s talk about the TLS protocol. When the connection is initialized, it encrypts the connection and checks the user’s login permission. This approach reduces the load on the terminal server with a large number of simultaneous connections. The principle of operation is similar to the first option. As a rule, large companies use the second option, and small ones – the first. The RDP protocol is used for remote connection only in the Windows environment. The connection is completely secure, as it uses encryption and a user authentication procedure. For other operating systems, there is special software that supports work with RDP. The principle of operation is similar to the first option. As a rule, large companies use the second option, and small ones – the first. The RDP protocol is used for remote connection only in the Windows environment. The connection is completely secure, as it uses encryption and a user authentication procedure. For other operating systems, there is special software that supports work with RDP.
By default, the RDP server listens on TCP port 3389 and UDP port 3389, but you can change it to either. First we need a list of IP ranges, you can find them here:
Or any convenient “ip ranger”. We are looking for the countries we need. We copy all the hums. Now we create a folder on the desktop with some “Range” of parts of the world from where the countries were taken – we create a text file in it and paste the copied text. We copy everything that was issued, create a second text file in our “Range” folder, paste it, save it. Now let’s move on to the programs.
Here, we simply indicate the range of ir addresses and port 3389 and wait for the result, then download the list of addresses to a text file, edit it leaving only ir addresses, we will use them for the brute in crowbar.
Among the found systems, you can find vulnerable ones and connect to them. Here is an example:
Let’s start with gathering information about the system. For now, I will not touch on the previously found system, but I will tell about the ways to hack RDP, so that as a result, with the help of the received information, we were able to hack the wheelbarrow. A sample with CVE-2019-0708 vulnerabilities but no open port 445.
A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to a target system using RDP and sends specially crafted requests, known as Remote Desktop Services Remote Code Execution Vulnerability.
Computers with Remote Desktop enabled can be found using Nmap with a command like:
The -sV –script=banner (Nmap) options can be added to collect banners:
rdp-enum-encryption -defines the level of security and encryption.
rdp-ntlm-info – lists info from remote RDP services with CredSSP authentication (NLA) enabled.
rdp-vuln-ms12-020 – scans system for ms12-020 vulnerability
To run all scripts at once:
The rdp-sec-check tool checks what encryption algorithms and authentication methods are used, as well as some other security options. At the end of the scan, rdp-sec-check provides a brief summary of possible RDS security issues.
Supports target list files
Supports saving tool output to the specified log file
Control of connection time and responses
Controls the number of retries when the timeout is exceeded
rdp-sec-check – is a Perl script to list various Terminal Services security settings. Does not require authentication, only a network connection to TCP port 3389. It can define many (but not all) security settings from the RDP-Tcp Properties tab | General:
- Checking which security levels are supported by the service: Standard RDP Security, TLSv1.0, CredSSP;
- For Standard RDP Security, the tool determines the encryption level supported: 40-bit, 56-bit, 128-bit, FIPS.
The service supports Standard RDP Security – known to be vulnerable to an active man-in-the-middle attack;
- The service supports weak encryption (40-bit or 56-bit);
- The service does not require Network Layer Authentication (NLA) — NLA can help prevent certain types of denial-of-service attacks;
The service supports FIPS encryption but does not require it – may only be of interest to jurisdictions where FIPS is required.
Check the host 192.168.0.101 :
Test the set of hosts specified in the file (–file hosts.txt) with a timeout of 15 seconds (–timeout 15) and three retries (–retries 3):
Check the RDP host service on port 3389 (192.168.69.69:3389) and save the received data to a file (–outfile rdp.log) :
Check multiple hosts specified in the file (–file hosts.txt) and save the resulting data to a file (–outfile rdp.log) using verbose output (–verbose) :
Here we see the following server security issues RDP:
It says that there is no NLA and therefore a DOS attack is possible. I would like to add that if NLA is not used, then a man-in-the-middle attack is also possible. It goes on to say that SSL is supported but not required, allowing for a MITM (man-in-the-middle) attack. If there is nothing after the line “[+] Summary of security issues” (a short list of security issues), no obvious problems have been detected.
For a brute force attack, consider crowbar. First, let’s install crowbar:
And confirm the installation by pressing the Y key when necessary. Even a range of IP addresses can be specified as a target using the -S file.txt option, where “file.txt” is a file with IP addresses. The -s option can be used to specify a range of IP addresses in CIDR format. If you want to specify a single target, use -s ip/32 where “32” is the mask.
-b rdp – protocol
-U user.txt – file with users
-C – password file
-s – Goal
Let’s take the previously found machine and try to access it via RDP using the above information. First, let’s collect information about the server. By the way, open ports are immediately indicated on shodan and among them there is 445 (vulnerability eternalblue or ms17_010):
Enter the command to check security through rdp-sec-check:
As you can see, there are problems on the server. A Dos or MITM attack can be recreated. There is also weak encryption. Now let’s enter the command to collect information through nmap:
Information on the server is enough to understand that the administrator did not bother with its security. Let’s try to use crowbar for a dictionary attack. For this, we download the utility https://github.com/Bitwise-01/Passwords
Go to the folder where you downloaded the tool Passwords:
and run it using the command:
Here you need to enter keywords that are known about the victim (computer name, organization, date of birth, network name, etc.).
When you finish filling the dictionary, type the word gererate and you will see how the dictionary is generated.When you finish the procedure of filling the dictionary, type the word gererate and you will see how the dictionary is generated.
Next, we will use brutfrs:
We agree with the certificate (yes). To switch from full-screen mode to windowed mode:
In Kali Linux, by default, the open source RDP client xfreerdp is installed, which is able to connect to the system by hashing. This hash is stored on the system to which you want to connect in NT format.
Command to attack:
де після / d: -domain name,
після /u: – user name,
після / pth: -hash,
після /v: – Server IP.
But there is a subtlety to it. This method will work only as an administrator, that is, you cannot connect to users from the RDP Users group. You can install xFREERDP 11 using Terminal.
The command syntax for freerdp-x11 is as follows:
Responder – is a comprehensive man-in-the-middle attack tool against Windows authentication methods. Among other rogue servers, the program has an RDP server.
pyrdp —is a man-in-the-middle attack tool and RDP library written in Python 3.
pyrdp does not have its own spoofer, so traffic redirection must be done by third-party tools such as bettercap, Ettercap, or MITMf. The author of pyrdp created his own version of bettercap, the main difference from the original one, which redirects all traffic when attacked, is that this version only redirects RDP traffic. Details about it here: https://github.com/GoSecure/pyrdp/blob/master/docs/bettercap-rdp-mitm.md. example of launching a man-in-the-middle attack on RDP using pyrdp:
The following error may occur:
To fix it, run the following commands:
The following error is also possible:
The reason is that the program does not support Network Level Authentication (NLA), that is, authentication only at the network level. It is said in more detailhere: https://github.com/GoSecure/pyrdp/issues/168
Network Level Authentication (NLA) is a good way to further protect RDP, because without knowing the Windows user’s password, it becomes impossible for an attacker to perform a man-in-the-middle attack on RDP.
seth performs a MitM attack and obtains credentials in plain text from RDP connections.
sensepost-xrdp is the simplest X11 remote desktop tool for exploiting X11 sessions that do not require authentication.
sticky-keys-hunter this is a script for testing RDP hosts for sticky keys and utilman backdoor.