
RDP Hijacking


Presented at null Dubai Meet 13 Dec 2019 Monthly Meet


Pralhad Chaskar

December 13, 2019


  1. RDP Hijacking Pralhad Chaskar (@c0d3xpl0it)

  2. Agenda
     ➔ Privilege Escalation (aka PrivEsc) Life Cycle
     ➔ Brainstorming Common PrivEsc Techniques
     ➔ Common Methods of PrivEsc
     ➔ RDP Hijacking for Fun and Profit
  3. PrivEsc Life Cycle https://sec-consult.com/wp-content/uploads/2019/04/sec-widows-privilege-escalation-phase.png

  4. Brainstorming Common PrivEsc Techniques https://c1.sfdcstatic.com/content/dam/blogs/ca/Blog%20Posts/brainstorm-customer-service-og.jpg

  5. Common PrivEsc Techniques
     1. Basic Enumeration of the System
     2. Cleartext Passwords (in files, in the registry, etc.)
     3. Kernel Exploits
     4. Token Impersonation (using Incognito)
     5. Scheduled Tasks
     6. Weak Service Permissions
     7. Unquoted Service Paths
     8. Vulnerable Drivers
     9. AlwaysInstallElevated
     10. Group Policy Preferences
  6. What is RDP Hijacking?
     ➔ Post-exploitation technique
     ➔ Credential-less hijacking of remote desktop connections
     ➔ With this technique you can:
        ◆ Connect to ANY disconnected session
        ◆ Unlock ANY locked user session
        ◆ Use it on the physical console
        ◆ Use it remotely
     ➔ Requires no external tools like Mimikatz, Meterpreter, etc.
  7. Essential Prerequisite
     ➔ You need to be an “administrator” OR NT AUTHORITY\SYSTEM on the machine
     ➔ We did a quick recap of Privilege Escalation Techniques
     ➔ There are real-world use cases that can be executed seamlessly without any hacking tools
  8. Real-world use cases
     ➔ Hijack a business user’s RDP session to access sensitive systems in an organization
     ➔ Hijack help desk RDP connections, as they are more privileged
     ➔ Hijack RDP sessions of privileged users such as Domain Admins
     ➔ Hijack ANY user’s RDP session
     ➔ Use hijacked sessions to move laterally across the enterprise
     ➔ Etc., etc.
  9. If you are an admin
     ➔ Easiest method from admin to SYSTEM is with PsExec, but it requires psexec.exe to be present on the machine:
        psexec -s \\localhost cmd
        psexec -i -s cmd.exe
  10. Via Command Line
     1. Get information on all sessions:
        C:\Windows\system32>query user
     2. Create a service which will hijack the user's session:
        C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon <ID> /dest:<sessions_name>"
     3. Start the service:
        net start sesshijack
     4. Right after that, your session will be replaced with the target session
  11. Via GUI
     1. On the machine, with SYSTEM privileges, open Task Manager:
        C:\Windows\system32>taskmgr.exe
     2. Go to the Users tab, right-click the connection you want to hijack and choose “Connect”
     3. Right after that, your session will be replaced with the target session
  12. Tested on
     ➔ Windows 2016
     ➔ Windows 2012 R2
     ➔ Windows 2008
     ➔ Windows 10
     ➔ Windows 7
  13. Case Study
     ➔ A low-privileged user can access a critical system which a Domain Admin shouldn't log in to
     ➔ A low-privileged user or local admin wants to abuse Domain Admin privileges
  14. Demo Time https://c1.sfdcstatic.com/content/dam/blogs/ca/Blog%20Posts/brainstorm-customer-service-og.jpg

  15. Mitigation/Defending
     ➢ Use Group Policy to log off disconnected sessions, either immediately or soon after the user disconnects.
     ➢ Set up process monitoring for tscon.exe usage, and monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments, to detect RDP session hijacking.
     ➢ Also note how event_data.LogonID together with event IDs 4778 (logon) and 4779 (logoff) can be used to figure out which desktop sessions got disconnected/reconnected.
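The three detection ideas on this slide, worked through as an added example (not from the deck or the speaker): a small Python checker run over constructed sample events that flags tscon.exe execution, a new service whose binary path wraps cmd.exe /k or /c, and a logon ID that disconnects (4779) and reconnects (4778) under a different session name, which is the trace tscon leaves when it moves a session. The event dictionaries and their field names are an assumption for this example, not a real Windows or Sysmon schema.

```python
import re

# Constructed sample events (not real logs) in a flattened form; the field
# names are an assumption for this example, not a real Sysmon/Windows schema.
SAMPLE_EVENTS = [
    {"id": 4779, "user": "alice", "logon_id": "0x3e7a1", "session": "RDP-Tcp#3"},
    {"id": 7045, "service": "sesshijack",
     "image_path": "cmd.exe /k tscon 3 /dest:RDP-Tcp#5"},
    {"id": 1, "image": r"C:\Windows\System32\tscon.exe",
     "command_line": "tscon 3 /dest:RDP-Tcp#5"},
    {"id": 4778, "user": "alice", "logon_id": "0x3e7a1", "session": "RDP-Tcp#5"},
    {"id": 7045, "service": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 4779, "user": "bob", "logon_id": "0x51c02", "session": "RDP-Tcp#7"},
    {"id": 4778, "user": "bob", "logon_id": "0x51c02", "session": "RDP-Tcp#7"},
]

# Service binaries that wrap a command in cmd.exe /k or /c, as the slide suggests.
SUSPICIOUS_SERVICE = re.compile(r"\bcmd(\.exe)?\s+/[kc]\b", re.IGNORECASE)


def detect_session_hijack(events):
    """Return alert strings for the three indicators from the mitigation slide:
    tscon.exe execution (Sysmon event 1), a new service whose binary path uses
    cmd.exe /k or /c (System event 7045), and a logon that was disconnected
    (4779) and then reconnected (4778) under a different session name. A
    normal disconnect/reconnect keeps the same session name and is not flagged."""
    alerts = []
    disconnected = {}  # logon_id -> session name recorded at 4779 time
    for ev in events:
        eid = ev["id"]
        if eid == 1 and ev.get("image", "").lower().endswith("tscon.exe"):
            alerts.append(f"tscon.exe executed: {ev['command_line']}")
        elif eid == 7045 and SUSPICIOUS_SERVICE.search(ev.get("image_path", "")):
            alerts.append(f"service '{ev['service']}' uses cmd.exe /k or /c: "
                          f"{ev['image_path']}")
        elif eid == 4779:
            disconnected[ev["logon_id"]] = ev["session"]
        elif eid == 4778:
            old = disconnected.pop(ev["logon_id"], None)
            if old is not None and old != ev["session"]:
                alerts.append(f"{ev['user']} (logon {ev['logon_id']}) disconnected "
                              f"from {old} but reconnected as {ev['session']}")
    return alerts


if __name__ == "__main__":
    for line in detect_session_hijack(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Running it prints three alerts for alice's moved session and none for bob, whose reconnect kept the same session name.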
  16. References
     ➢ http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
     ➢ https://sec-consult.com/en/blog/2019/04/windows-privilege-escalation-an-approach-for-penetration-testers/
     ➢ https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
     ➢ https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
     ➢ https://ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
     ➢ https://attack.mitre.org/techniques/T1076/
     ➢ https://www.fuzzysecurity.com/tutorials/16.html
     ➢ https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/