
🔬 RDP

Lab 1

🔬 Windows: Insecure RDP Service

  • Target IP: 10.4.18.131

  • RDP exploitation

  • Dictionaries to use:

    • /usr/share/metasploit-framework/data/wordlists/common_users.txt

    • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Enumeration

ping 10.4.18.131

nmap -sV 10.4.18.131
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3333/tcp  open  ssl/dec-notes?
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
[Screenshot: Metasploit rdp_scanner]

📌 RDP is exposed on port 3333 rather than the default 3389. nmap's version probe does not identify the service on that port (ssl/dec-notes?); the Metasploit rdp_scanner run shown above confirms it is RDP.

RDP Brute-force

  • Use hydra with the two wordlists above to find a valid username and password

[Screenshot: hydra]
  • freerdp cannot be used in this lab

  • Use xfreerdp to connect to the target via RDP

[Screenshot: xfreerdp RDP connected]
Flag: port-number-3333
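A defender's-side check for the password guessing described above, as an added example that is not part of the lab notes: because RDP here listens on 3333 rather than 3389, a port-based network rule would miss it, but the target's Security log still records every attempt as Event ID 4625 (failed logon) with Logon Type 10 (RemoteInteractive), and a success as 4624. The event records, window and threshold below are constructed assumptions, not data from the lab.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # look-back window for counting failures (assumed)
THRESHOLD = 5                    # failed RDP logons per source that raise an alert (assumed)
RDP_LOGON_TYPE = 10              # RemoteInteractive = RDP / Terminal Services

# Constructed sample events as (timestamp, event_id, logon_type, account, source_ip).
# 4625 = failed logon, 4624 = successful logon. Not captured from the lab target.
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:00", 4625, 10, "administrator", "10.4.18.50"),
    ("2024-05-01 09:00:02", 4625, 10, "root", "10.4.18.50"),
    ("2024-05-01 09:00:03", 4625, 10, "sysadmin", "10.4.18.50"),
    ("2024-05-01 09:00:05", 4625, 10, "guest", "10.4.18.50"),
    ("2024-05-01 09:00:06", 4625, 10, "administrator", "10.4.18.50"),
    ("2024-05-01 09:00:08", 4625, 10, "sysadmin", "10.4.18.50"),
    ("2024-05-01 09:00:09", 4624, 10, "sysadmin", "10.4.18.50"),   # a guess succeeded
    ("2024-05-01 09:00:10", 4625, 3, "svc_backup", "10.4.18.77"),   # network logon, not RDP
    ("2024-05-01 09:30:00", 4625, 10, "jdoe", "10.4.18.99"),        # single typo, benign
]


def detect_rdp_guessing(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (source_ip, kind, count) tuples.

    kind is 'burst' when a source reaches `threshold` failed RDP logons inside
    `window`, and 'success_after_burst' when that same source then logs on,
    i.e. the dictionary attack found a working credential.
    """
    alerts = []
    failures = defaultdict(list)   # source_ip -> timestamps of failures still inside the window
    bursting = set()               # sources already flagged, to avoid repeated alerts
    for ts, event_id, logon_type, _account, src in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            recent = [t for t in failures[src] if now - t <= window] + [now]
            failures[src] = recent
            if len(recent) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append((src, "burst", len(recent)))
        elif event_id == 4624 and src in bursting:
            alerts.append((src, "success_after_burst", len(failures[src])))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

With Network Level Authentication enabled, failed RDP attempts are logged with Logon Type 3 (network) instead of 10, so the filter needs to accept that type as well on NLA-protected hosts.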


Lab 2 - BlueKeep (Extra)

🔬 Home Lab

I prepared a vulnerable Windows Server 2008 R2 virtual machine and connected it to the same network as the Kali virtual machine. On the server, I enabled the RDP service on the default port 3389.

  • Host system: Kali Linux

  • Target system: Windows Server 2008 R2 - IP 192.168.31.131 - Administrator:Eternal17010

  • Exploitation tool:

  • The exploit targets kernel-space memory, so a failed attempt can crash the system and its applications.

  • An attacker can execute arbitrary code remotely, without authentication, by gaining control of a chunk of kernel memory.

  • BlueKeep PoCs (proofs of concept) and exploits found online may themselves be malicious; use only verified exploit code and modules.

[Screenshot: Metasploit BlueKeep modules]
  • Target RDP activated:

Enumeration

nmap -sV -sC 192.168.31.131
  • 📌 RDP Port 3389 is open

Exploitation

[Screenshot: Metasploit cve_2019_0708_bluekeep]
[Screenshot: Metasploit cve_2019_0708_bluekeep_rce]
[Screenshot: Win Server 2008 R2 crash]

This exploit can cause a kernel crash, so be careful in production environments.

Adjusting the exploit

Finding the NPP

  • To make the exploit work, it needs the correct GROOMBASE value, which is the start address of the Non-Paged Pool (NPP) area.

  • The NPP address can be extracted from a memory dump of the target machine.

  • In VMWare, take a snapshot of the target virtual machine (Win Server 2008 R2).

    • From the VM (virtual machine) folder, copy the .vmem and .vmsn files to the vmss2core tool folder

    • Run the tool to generate a memory.dmp file

  • Run WinDbg and open the memory.dmp file

    • Run !poolfind a and read the message it prints

    • The first address in that message is the start of the Non-Paged Pool; in this case fffffa8018c08000

[Screenshot: WinDbg]
  • Edit the exploit and set the GROOMBASE variable if not already set.

    • In my case it is already set as the above address, for the 2008 R2 (6.1.7601 x64 - VMWare 15.1) target number 5.

  • Save the exploit file and run reload_all in the Metasploit console.

  • Set the GROOMSIZE to 50.

[Screenshot: BlueKeep RCE success]

Lab 3 (Extra)

Windows RDP: Dictionary Attack

  • Target IP: 10.4.22.41

  • RDP exploitation

  • Dictionaries to use:

    • /usr/share/metasploit-framework/data/wordlists/common_users.txt

    • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Flag: sysadmin-stephaie-123

