Keep It Simple Stupid, AKA KISS
I did a lightning talk at BruCON on Saturday 25 Sept 2010; this is the talk plus extra information.
Click here to view my (actually quick) 5 min talk.
The Fix
OK, as promised, to fix this on your terminal server go to the following location:
1) Start > All Programs > Administrative Tools > Terminal Services Configuration
2) Under the 'Connections' folder, right click the 'RDP-Tcp' connection, then click on Properties
3) Click on the Environment tab and put a tick in 'Override settings from user profile ...'
4) Leave the other options blank ('Program path and file name' and also 'Start in'), then click OK.
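If you would rather check (and apply) the same setting from the command line, here is an added PowerShell example that is not from the original post. It assumes the 'Override settings from user profile' tick box is backed by the fInheritInitialProgram, InitialProgram and WorkDirectory values under the WinStations\RDP-Tcp registry key (an assumption; verify it on your build) and must be run as Administrator.

```powershell
# Added example (not from the original post): audit the RDP-Tcp listener for
# the "Override settings from user profile" fix. Assumed mapping of the GUI:
#   fInheritInitialProgram = 1 -> initial program comes from the user profile (unticked)
#   fInheritInitialProgram = 0 -> override ticked; InitialProgram / WorkDirectory apply
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpInitialProgramState {
    param([string]$Path = $RdpTcpKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    # A missing fInheritInitialProgram value is treated as the default (inherit).
    $inherit = if ($null -eq $p.fInheritInitialProgram) { $true }
               else { [int]$p.fInheritInitialProgram -ne 0 }
    [pscustomobject]@{
        InheritFromUserProfile = $inherit
        InitialProgram         = [string]$p.InitialProgram
        WorkDirectory          = [string]$p.WorkDirectory
    }
}

function Test-RdpInitialProgramHardened {
    param([string]$Path = $RdpTcpKey)
    $s = Get-RdpInitialProgramState -Path $Path
    # Hardened = override ticked AND no program / start-in directory configured
    (-not $s.InheritFromUserProfile) -and
        [string]::IsNullOrEmpty($s.InitialProgram) -and
        [string]::IsNullOrEmpty($s.WorkDirectory)
}

function Set-RdpInitialProgramHardened {
    param([string]$Path = $RdpTcpKey)
    # Same result as steps 3 and 4 above: override ticked, both fields left blank.
    Set-ItemProperty -Path $Path -Name fInheritInitialProgram -Value 0 -Type DWord
    Set-ItemProperty -Path $Path -Name InitialProgram -Value '' -Type String
    Set-ItemProperty -Path $Path -Name WorkDirectory -Value '' -Type String
    # New connections pick the change up; already-connected sessions keep the old settings.
}

Get-RdpInitialProgramState | Format-List
if (Test-RdpInitialProgramHardened) {
    'RDP-Tcp: override enabled and no initial program set (OK)'
} else {
    'RDP-Tcp: initial program still inherited from the user profile or set (FIX NEEDED)'
    # Uncomment to apply the fix:  Set-RdpInitialProgramHardened
}
```

Run it once before and once after applying the fix; the second run should report OK.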
More Information
Obtaining login names
With this demo, I have shown someone logging into Terminal Services with a known user name.
How can you get this username? Well, you could already have an account and just want to
mess around, or you found it on the Internet. Since we know they are using Microsoft, and after a
port scan we can discover they have SMTP, WWW and RDP ports open. If we investigate their web pages
we may find some email addresses. Microsoft by default will create an email address based on the
username, so for example if you find an email address of john.smith@company.com then I would bet
their user name to log in would be john.smith :)
Cracking RDP passwords
OK, so we now think we have a user name, good times. But we need a password, bad times.
The only way I know is to try and brute-force the password, which sucks. You have to be
EXTRA careful in case they have a lockout policy, but one account that doesn't lock out is the admin
account. Anyway, if you are able to do this you can use tools like TSGrinder, TSCrack or
rdesktop plus the brute-force patch. You will also need a password list; I would recommend either
CUPP (Common User Password Profiler) or creating a password list of the company name
converted to leet speak, for example creating a Microsoft list containing words like
m1cr05oft, m1crosoft etc. You can find tools on the Internet to create these lists.
Or you can just social-engineer the password. :)
Windows Temp Folder
Some of you may or may not know that everybody has read / write access to the
windows\temp folder. This can be useful: as I showed in this demo, even if you have
restricted access to the local drive and can't save anything, you can still save it to the
temp folder, so I can download anything and execute it from there :) Happy days!
RDP Port
You always see in reverse connection demos that they connect back via port 4444.
But what happens if they have blocked outgoing ports? You're screwed. You could try and
firewalk the firewall to see what ports are open. Wait, look at it: you have connected
to RDP, which is port 3389. So all you have to do is create a listening port of 3389
on your attacking box; I doubt you have got RDP running on your attacking box :)
Metasploit
There are issues getting Metasploit working with this type of attack, which sucks!
Not sure why... well, that's a lie. I think I know why but I can't explain it, if that makes sense.
Anyway, what happens is you can't seem to escalate your privileges if you block the 16-bit applications.
Yes, I know the exploit that executes is the 16-bit flaw, but the other options don't work!!
Also, when this does work, you have to attach to the explorer process to get the hash dump!!
A video of using Metasploit can be found here!
Advice / Help
If anybody knows better techniques to perform these attacks, or a more effective way,
then I would love to know; ANY information that can improve my knowledge is always welcome.
Even if I have got something wrong then let me know, but I have tested all of these
and so far have had a good success rate :). Remember, I am pretty much self taught by listening to
podcasts and reading lots of stuff on the Internet. Yes, I did the SANS 504 course,
but I pretty much knew most of it anyway. So I am ALWAYS looking for new ways to learn.
I hope you found this useful or got something out of it. Thanks again!
Wicked Clown