search

πŸ–₯️RDP

hashtag
Enumeration

nmap -Pn -p3389 192.168.2.143

hashtag
Misconfiguration

We can try to brute force credentials but a much much better way is to use password-spraying

It works by attempting a single password against multiple usernames before moving on to another password. This can help avoid triggering a password lockout policy.

hashtag
Crowbar Password Spraying

crowbar -b rdp -s IP/32 -U users.txt -c 'password123'

hashtag
Hydra Password Spraying 

hydra -L usernames.txt -p 'password123' IP rdp

hashtag
Logging In

Once we find credentials we can log in with rdesktop or any other software 

rdesktop -u founduser -p pass IP
xfreerdp /v:IP /u:founduser /p:pass /cert:ignore +clipboard

hashtag
RDP Session Hijacking

Once successfully connected to can check if our account has local administrator privileges. We can attempt to hijack a user's RDP session.

We can check for logged-on users with either the Task Manager -> Users or PowerShell

hashtag
PowerShell

hashtag
Impersonate a User

To impersonate a user without their password we need to have SYSTEM privileges

We can then use the tscon.exe binary to connect to the session

To obtain SYSTEM privileges we can use tools like Mimikatz or PsExec.

We can create a Windows service that will run as Local System and execute any binary with SYSTEM privileges using the sc.exe binary.

We first choose the service name (hijacksession) the command we want to execute.

Lastly, we can run

This will start the service a new terminal for the specified user will appear.

hashtag
Pass The Hash

RDP Linux Pass the Hash

circle-info

If we get the error Restricted Admin Mode we may be able to bypass it by changing the Registry Key

PreviousMSSQLNextSMB

Last updated