In this article, we will learn to
hijack an RDP session using various methods. This is a part of Lateral movement
which is a technique that the attacker uses to move through the target
environment after gaining access.
Table of Content:
·
Introduction to RDP
·
Features of RDP
·
Working of RDP
·
Manual
·
Task manager
·
Mimikatz
·
Mitigation
·
Conditions for the practical
·
Conclusion
Introduction to RDP
RDP stands for Remote Desktop
Protocol which works on port number TCP/UDP 3389 which was developed by
Microsoft. Later, it was applied to other operating systems as well. It allows
a user to connect with another user remotely using a GUI. As though it comes
by-default in windows but there are numerous third-party tools available too.
This protocol was designed to remotely manage systems and applications.
Features of RDP
RDP 6.0 came with various
features in 2011. These features are listed below:
·
Windows Presentation Foundation applications and
remoting
·
Multiple monitor support
·
Redirection
·
Aero glass remoting
·
Encrypted connection
·
Bandwidth reduction
·
Supports up to 64,000 channels for data
transmission
Working of RDP
When an RDP connection is
initiated and the data is ready for transfer, the system encrypts the data.
This encrypted data is then further added to frames for transmission. The data
is then transferred on the principles of TCP/IP table.
Wdtshare.sys, the RDP driver,
manages the GUI and is in-charge of encryption and transmission of data. It
also takes care of compressing the data and adding it to the frames. Tdtcp.sys,
transport driver, make sure that data is ready and is being sent through the
network on the bases of TCP/IP table.
Manual
As we have understood the RDP
protocol and its working, so let’s move the focus on one thing, i.e. this RDP
protocol also allows us to connect to a different user in the same system using
tscon.exe. And that’s what we will do in this method. First, we will get an RDP
session of user 1, i.e. yashika, and once we have established RDP
connection with yashika then we will obtain RDP connection of user 2, i.e.
pavan, via yashika (user 1). The only condition in this method is that you
should have administrator rights of yashika (user 1). Let’s start with the
proof of concept.
As you can see, in the image
below, we have two users – yashika and pavan
Let now get the IP of yashika
(user 1) using the ipconfig command just like we have shown in the image
below:
Launch the remote desktop
connection app and enter the IP of the target system, in our case that is the
IP yashika (user 1) and then click on Connect button as shown in the image
below:
As you click on the Connect
button, it will ask you for the credentials for yashika (user 1) as shown
below:
Once you have entered the
credentials, click on OK button and as soon as you click on OK, Remote Desktop
GUI will be activated. Now that we have access to yashika (user 1), we will use
a couple of commands from the command prompt to first check the pavan’s (user
2) information such as their user ID and then we will use tscon command to
create a process that will interact with pavan (user 2) and then we will start
the process to enable Remote Desktop GUI of pavan (user 2).
Syntax:
sc create
binpath= “cmd.exe /k tscon /dest:”
And the commands are:
query user
sc create hijack binpath=
“cmd.exe /k tscon 2 /dest:rdp-tcp#1”
net start hijack
And as you can see in the image
below, we have the Remote Desktop GUI of pavan (user 2) which can be validated
using the command whoami.
Task Manager
Now the same thing can also be
done via task manager. The one condition with this method is to know the
credentials of both users. And then using a similar method above just get the remote
session of GUI of yashika (user 1) and then open task manager and go to user
tab. Under the user tab, you can see pavan (user 1) just like in the image
below. There, right-click on pavan (user 2). A drop-down menu will
appear. From that menu click on Connect.
As soon as you click on Connect,
it will as you for the credentials of pavan (user 2) as shown in the image
below:
Once you give the credentials,
the remote session GUI of pavan will be initiated as shown in the image below.
And then again you can validate the session using whoami command.
Mimikatz
Another method of hijacking RDP
is through Mimikatz. This is one of the best methods as there are no conditions
in this method. Once you are connected with yashika (user1), fire up the good
ole mimikatz. Use the following command to have various user’s information:
ts::sessions
Once you have the required user
information, use the following command for privilege escalation:
privilege::debug
token::elevate
And when the privileges are
elevated, use the following command to initiate the remote GUI connection to
pavan (user 2):
ts::remote /id:1
here, in id:1, 1 is the session
number that we retrieved by using the command ts::sessions.
Once the above set of commands is
executed, you will have the remote GUI connection to pavan (user 2) via yashika
(user 1).
Mitigation
For mitigation against RDP
session hijacking use the following methods:
·
Apply various group policies such as log off the
disconnected session after user disconnects.
·
Implement network Segmentation, i.e. do not
reveal RDP to the internet.
·
You can also apply two-factor authentication.
·
Disable RDP is not necessary
·
Make sure your employees are aware of how RDP
hijacking is done.
·
Limit the permissions of a user accessing RDP.
·
Audit the remote Desktop users regularly
·
Monitor tscon.exe
·
Keep an eye on all the services using cmd.exe /k
or cmd.exe /c parameters in regards to RDP
Conditions for the practical
- You must
have Full Control access permission or Connect special access permission
to connect to another session.
- The
/dest:
parameter allows you to connect the session of another user to a different session. - If you do
not specify a password in the
parameter, and the target session belongs to a user other than the current one, tscon fails. - You cannot
connect to the console session.
TL; DR
Attackers can connect to various
systems/users in the network using RDP. This technique is known as Remote
Desktop Session Hijacking. They can use various credential dumping techniques
to get their hands-on credentials for RDP but tools like Mimikatz allow us to
highjack such RDP sessions without knowing the credentials. This high-jacking
of RDP sessions can be done both remotely and locally for both active and
disconnected sessions. It can be locally by using the following commands:
query user
sc create hijack binpath=
“cmd.exe /k tscon 2 /dest:rdp-tcp#1”
net start hijack
the tscon.exe allows an attacker
to get RDP session without the requirement of credentials. RDP session
high-jacking can also be done using task manager (which is explained above in
the article) and when implementing such a technique with Mimikatz, use following
commands:
privilege::debug
token::elevate
ts::remote /id:1
Conclusion
RDP session hijacking has been
done large scales. Many C2 servers such as Cobalt Strike and Kodiac allows us
to initiate RDP connection which further leads to lateral movement such as RDP
session hijacking. The attacker has used this technique in multiple high-level
attacks. For example, Lazarus Group used RDP for propagation, WannaCry tries to
execute itself on each session, Leviathan targeted RDP credentials and used it
to move through the network, FIN8 used RDP for lateral movement, etc.
Therefore, it is important to be familiar with such methods and technique to
protect oneself as it a liability which works in the favour of attackers. It is
one of the popular lateral movement techniques as it does not make proper event
logs which allows the attacker to cover their tracks. Such a technique can also
point the attacker to Remote System Discovery. And all of this is done by using
mere native windows commands.
Reference
Author: Yashika Dhir is a
Cyber Security Researcher, Penetration Tester, Red Teamer, Purple Team
enthusiast. Contact her on Linkedin
and Twitter
0 comments:
Post a Comment