3389/tcp open  ms-wbt-server

By default, RDP runs on TCP/3389.

Misconfigurations

Although it is uncommon, an RDP service may be found without a password if it has been misconfigured.

One of the most common attack vectors against RDP is password spraying: trying a single password against many usernames.

Using a tool like CrackMapExec, we can perform a password spraying attack against RDP.

Let’s say we want to attack a list of usernames with the password password123; we would use the following command:

crackmapexec rdp <ip> -u <user.list> -p 'password123'
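The spray above leaves a characteristic footprint on the target: many failed logons (Security event 4625) from one source address against many different accounts, each account failing only once or twice so lockout thresholds are never hit. The script below is an added example for the defender side and is not part of the original notes; it assumes the failed-logon events have already been exported as one tab-separated line per event (timestamp, EventID, LogonType, TargetUserName, IpAddress), and the sample records it reads are constructed. It considers logon type 10 (RemoteInteractive) as well as type 3, because with NLA enabled the failed CredSSP authentication is recorded as a network logon rather than a remote interactive one.

```python
"""Detect RDP password spraying in exported Windows Security log records.

Added example (not from the original notes). Assumed export layout, one
event per line, tab-separated:
    <UTC timestamp> <EventID> <LogonType> <TargetUserName> <IpAddress>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 tries one password against six accounts in a
# few seconds; 10.0.0.9 is a single user mistyping their password twice and
# then succeeding (4624), which must not be flagged.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z\t4625\t3\talice\t10.0.0.5
2024-05-01T09:00:02Z\t4625\t3\tbob\t10.0.0.5
2024-05-01T09:00:03Z\t4625\t3\tcarol\t10.0.0.5
2024-05-01T09:00:04Z\t4625\t3\tdave\t10.0.0.5
2024-05-01T09:00:05Z\t4625\t3\terin\t10.0.0.5
2024-05-01T09:00:06Z\t4625\t3\tfrank\t10.0.0.5
2024-05-01T09:00:40Z\t4625\t10\tgrace\t10.0.0.9
2024-05-01T09:00:55Z\t4625\t10\tgrace\t10.0.0.9
2024-05-01T09:01:10Z\t4624\t10\tgrace\t10.0.0.9
"""

# 10 = RemoteInteractive. With NLA the failed CredSSP authentication is
# logged as a network logon (type 3) instead, so both types are considered.
RDP_LOGON_TYPES = {"3", "10"}


def parse_events(text):
    """Parse the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split("\t")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user.lower(),
            "ip": ip,
        })
    return events


def detect_spraying(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: sorted usernames} for every source that produced
    failed RDP logons against at least `min_users` distinct accounts within
    any `window`-long period.

    A spray is distinguished from a brute force by breadth rather than depth:
    many accounts, few failures each, so per-account lockout never triggers.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == "4625" and e["logon_type"] in RDP_LOGON_TYPES:
            by_ip[e["ip"]].append(e)

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            users_in_window = {e["user"] for e in evs[start:end + 1]}
            if len(users_in_window) >= min_users:
                # report every account this source touched, not just the window
                hits[ip] = sorted({e["user"] for e in evs})
                break
    return hits


if __name__ == "__main__":
    for ip, users in detect_spraying(parse_events(SAMPLE_LOG)).items():
        print(f"possible password spray from {ip}: {', '.join(users)}")
```

The thresholds (five accounts in five minutes) are a starting point to tune against the environment's normal failure rate; the same aggregation applied to successful 4624 events from the same source would show which account, if any, the spray landed on.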

Hydra - RDP Password Spraying


Logging into RDP

rdesktop -u <user> -p <password> <ip>

Protocol Specific Attacks

Now let’s say we have gained access to a machine and hold local administrator privileges. If another user is connected to the compromised machine via RDP, we can hijack that user’s session to escalate our privileges and impersonate the account. In AD, this could mean taking over a Domain Admin account.

RDP Session Hijacking

We can use the command:

query user

to see which users currently have sessions on the machine.

To impersonate a user without their password, we need SYSTEM privileges and the Microsoft tscon.exe binary, which lets a user connect to another desktop session.

tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}

or

sc.exe create sessionhijack binpath= "tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}"

net start sessionhijack

Note

This method no longer works on Server 2019.
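From the defender's side, both variants above leave the same signal: a tscon invocation with a /dest: argument, either as a new service image path (System event 7045, the sc.exe variant) or as a process creation (Security event 4688 with command-line auditing enabled). The script below is an added example and is not part of the original notes; it assumes the events were exported as one `key=value; key=value` line per event (a layout chosen for this example, not a native Windows format), and the sample records are constructed. Because the technique requires SYSTEM, a match running as SYSTEM or LocalSystem is rated higher than one run by an ordinary user, who may be using tscon's documented /password: option to reconnect to a session legitimately.

```python
"""Flag the tscon session-hijack pattern in exported Windows event records.

Added example, not from the original notes. Assumed export layout, one
event per line:
    EventID=7045; ServiceName=...; ImagePath=...; AccountName=...
    EventID=4688; NewProcessName=...; CommandLine=...; SubjectUserName=...
"""
import re

# Constructed sample records.
SAMPLE_EVENTS = """\
EventID=7045; ServiceName=sessionhijack; ImagePath=tscon 2 /dest:rdp-tcp#1; AccountName=LocalSystem
EventID=7045; ServiceName=Spooler; ImagePath=C:\\Windows\\System32\\spoolsv.exe; AccountName=LocalSystem
EventID=4688; NewProcessName=C:\\Windows\\System32\\tscon.exe; CommandLine=tscon 3 /dest:console; SubjectUserName=SYSTEM
EventID=4688; NewProcessName=C:\\Windows\\System32\\query.exe; CommandLine=query user; SubjectUserName=jdoe
EventID=4688; NewProcessName=C:\\Windows\\System32\\tscon.exe; CommandLine=tscon 1 /dest:rdp-tcp#3 /password:*; SubjectUserName=jdoe
"""

# "tscon <session> /dest:<session>" is the shape used by the hijack; the
# session id may be numeric or a name such as rdp-tcp#1.
TSCON_DEST = re.compile(r"\btscon(?:\.exe)?\s+\S+\s+/dest:\S+", re.IGNORECASE)
SYSTEM_ACCOUNTS = {"system", "localsystem", "nt authority\\system"}


def parse_record(line):
    """Turn 'k=v; k=v' into a dict (values never contain ';' in this layout)."""
    return {k.strip(): v.strip()
            for k, v in (p.split("=", 1) for p in line.split(";") if "=" in p)}


def classify(rec):
    """Return None for benign records, else (severity, actor, command)."""
    if rec.get("EventID") == "7045":
        cmd, actor = rec.get("ImagePath", ""), rec.get("AccountName", "?")
    elif rec.get("EventID") == "4688":
        cmd, actor = rec.get("CommandLine", ""), rec.get("SubjectUserName", "?")
    else:
        return None
    if not TSCON_DEST.search(cmd):
        return None
    # the hijack needs SYSTEM; a service install with a tscon image path is
    # the sc.exe variant and always runs as LocalSystem
    severity = "high" if actor.lower() in SYSTEM_ACCOUNTS else "medium"
    return severity, actor, cmd


def find_hijack_attempts(text):
    """Return (EventID, severity, actor, command) for every matching record."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        result = classify(rec)
        if result is not None:
            hits.append((rec["EventID"],) + result)
    return hits


if __name__ == "__main__":
    for event_id, severity, actor, cmd in find_hijack_attempts(SAMPLE_EVENTS):
        print(f"[{severity}] event {event_id} by {actor}: {cmd}")
```

Event 4688 only carries the command line when "Include command line in process creation events" is enabled via Group Policy; without it the NewProcessName still identifies tscon.exe but the /dest: argument is lost, so the 7045 service path remains the more reliable signal.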

RDP Pass-the-Hash (PtH)

Let’s say we have the NT hash of a user and are unable to crack it to recover the plaintext password. We can perform an RDP PtH attack to gain GUI access to the target system.

There is one limitation to this attack:

  • Restricted Admin Mode, which is disabled by default, must be enabled on the target host; otherwise we are prompted with the following error:

Adding the DisableRestrictedAdmin Registry Key

Restricted Admin Mode can be enabled by adding a new registry value DisableRestrictedAdmin (REG_DWORD) set to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa (note the inverted name: 0 enables the mode). It can be done using the following command:

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Once added, we can use xfreerdp to gain RDP access:

xfreerdp /v:<IP> /u:<username> /pth:<NT Hash>
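Because the value name is inverted (0 means Restricted Admin Mode is on) and an absent value means off, it is easy to misread an audit of which hosts currently accept an NT hash over RDP. The script below is an added example for that audit and is not part of the original notes; it assumes the output of `reg query HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin` has been collected from each host, and the three outputs it parses (value 0x0, value 0x1, and the "unable to find" error for a host where the value was never added) are constructed.

```python
"""Audit Restricted Admin Mode from collected `reg query` output.

Added example, not from the original notes. Assumes one `reg query` output
string per host, as produced by:
    reg query HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin
"""
import re

# The value name is inverted: 0 = Restricted Admin Mode ENABLED (RDP PtH
# possible), 1 = disabled. When the value is absent Windows treats it as 1.
VALUE_LINE = re.compile(
    r"^\s*DisableRestrictedAdmin\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$",
    re.MULTILINE,
)

# Constructed sample outputs (CRLF line endings as reg.exe writes them).
SAMPLES = {
    "host-a": (
        "\r\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\r\n"
        "    DisableRestrictedAdmin    REG_DWORD    0x0\r\n\r\n"
    ),
    "host-b": (
        "\r\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\r\n"
        "    DisableRestrictedAdmin    REG_DWORD    0x1\r\n\r\n"
    ),
    "host-c": (
        "\r\nERROR: The system was unable to find the specified registry key or value.\r\n"
    ),
}


def restricted_admin_enabled(reg_output):
    """True if the host has DisableRestrictedAdmin present and equal to 0."""
    m = VALUE_LINE.search(reg_output)
    if m is None:
        return False  # value absent: the default, mode disabled
    return int(m.group(1), 16) == 0


def audit(samples):
    """Map each host to 'enabled' or 'disabled'."""
    return {host: ("enabled" if restricted_admin_enabled(out) else "disabled")
            for host, out in samples.items()}


if __name__ == "__main__":
    for host, state in audit(SAMPLES).items():
        print(f"{host}: Restricted Admin Mode {state}")
```

Hosts reported as enabled are the ones where the xfreerdp /pth logon above would succeed; since the mode is off by default, an enabled host that nobody remembers configuring is worth treating as a finding in itself.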