π₯οΈRDP
Enumeration
nmap -Pn -p3389 192.168.2.143
Misconfiguration
We can try to brute-force credentials, but a much better approach is password spraying.
It works by attempting a single password against many usernames before moving on to the next password. Because each account only sees one failed attempt per round, this helps avoid triggering the account lockout policy.
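The defender-side view of the distinction above, as an added example that is not part of the original page: a small detector over constructed Windows Event ID 4625 (failed logon) records that flags a source as spraying when it fails against many distinct accounts inside a time window while each account stays under the lockout count, and as brute force when it hammers a single account. The sample records and the thresholds are assumptions.

```python
"""Separate RDP password spraying from brute force in failed-logon telemetry.

Spraying tries one password against many accounts, so each account sees few
failures while the distinct-account count per source climbs; brute force shows
the opposite shape. Added example; sample data and thresholds are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Event ID 4625 records: (timestamp, target account, source IP, logon type).
# Logon type 10 = RemoteInteractive (RDP); type 3 = network logon and is ignored here.
SAMPLE_EVENTS = [
    *[(f"2024-05-01T10:00:{s:02d}", u, "10.0.0.50", 10)
      for s, u in enumerate(["alice", "bob", "carol", "dave", "erin"])],  # spray shape
    *[(f"2024-05-01T10:05:{s:02d}", "administrator", "10.0.0.77", 10) for s in range(6)],
    ("2024-05-01T10:07:00", "frank", "10.0.0.12", 10),  # one mistyped password
    ("2024-05-01T10:07:30", "frank", "10.0.0.12", 3),   # not RDP, filtered out
]


def classify_sources(events, window=timedelta(minutes=10), min_accounts=5, brute_threshold=5):
    """Return {source_ip: "spray" | "bruteforce" | "none"} for RDP failed logons.

    "spray": inside some `window` the source fails against >= `min_accounts`
    distinct accounts. "bruteforce": inside some `window` it accumulates
    >= `brute_threshold` failures against a single account.
    """
    by_source = defaultdict(list)
    for ts, account, src, logon_type in events:
        if logon_type == 10:
            by_source[src].append((datetime.fromisoformat(ts), account))

    verdicts = {}
    for src, attempts in by_source.items():
        attempts.sort()
        verdict = "none"
        for i, (start, _) in enumerate(attempts):
            # Sliding window anchored at each attempt; attempts are time-sorted.
            per_account = Counter(acct for ts, acct in attempts[i:] if ts - start <= window)
            if len(per_account) >= min_accounts:
                verdict = "spray"
                break
            if max(per_account.values()) >= brute_threshold:
                verdict = "bruteforce"
                break
        verdicts[src] = verdict
    return verdicts
```

Raising the per-account lockout threshold alone does not catch the spray source, since it never exceeds one failure per account; the distinct-account count per source is the signal.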
Crowbar Password Spraying
crowbar -b rdp -s IP/32 -U users.txt -c 'password123'
Hydra Password Spraying
hydra -L usernames.txt -p 'password123' IP rdp
Logging In
Once we find valid credentials we can log in with rdesktop, xfreerdp or any other RDP client.
rdesktop -u founduser -p pass IP
xfreerdp /v:IP /u:founduser /p:pass /cert:ignore +clipboard
RDP Session Hijacking
Once successfully connected, we can check whether our account has local administrator privileges, and then attempt to hijack another user's RDP session.
We can list logged-on users either from the Task Manager -> Users tab or from PowerShell.
PowerShell
Impersonate a User
To impersonate a user without knowing their password we need SYSTEM privileges.
We can then use the tscon.exe binary to connect to that user's session.
To obtain SYSTEM privileges we can use tools like Mimikatz or PsExec.
With the sc.exe binary we can create a Windows service that runs as Local System and therefore executes any binary with SYSTEM privileges.
We first choose the service name (hijacksession) and the command we want it to execute.
Lastly, we can run
This starts the service, and a new terminal for the specified user's session will appear.
Pass The Hash