RDP Hijacking

Presented at null Dubai Meet 13 Dec 2019 Monthly Meet

Pralhad Chaskar

December 13, 2019
Transcript

  1. Agenda
    ➔ Privilege Escalation (aka PrivEsc) Life Cycle
    ➔ Brainstorming Common PrivEsc Techniques
    ➔ Common Methods of PrivEsc
    ➔ RDP Hijacking for Fun and Profit

  2. Common PrivEsc Techniques
    1. Basic Enumeration of the System
    2. Cleartext Passwords (in files, in the registry, etc.)
    3. Kernel Exploits
    4. Token Impersonation (using Incognito)
    5. Scheduled Tasks
    6. Weak Service Permissions
    7. Unquoted Service Paths
    8. Vulnerable Drivers
    9. AlwaysInstallElevated
    10. Group Policy Preferences

  3. What is RDP Hijacking
    ➔ Post-exploitation technique
    ➔ Credential-less hijacking of remote desktop connections
    ➔ With this technique you can:
      ◆ Connect to ANY disconnected session
      ◆ Unlock ANY locked user session
      ◆ Use it on the physical console
      ◆ Use it remotely
    ➔ Requires no external tools like Mimikatz, Meterpreter, etc.

  4. Essential Prerequisite
    ➔ You need to be an “administrator” OR NT AUTHORITY\SYSTEM on the machine
    ➔ We did a quick recap of Privilege Escalation Techniques
    ➔ There are real-world use cases that can be seamlessly executed without any hacking tools.

  5. Real-world use cases
    ➔ Hijack a business user’s RDP session to access sensitive systems in an organization
    ➔ Hijack help desk RDP connections, as they are more privileged
    ➔ Hijack RDP sessions of privileged users such as Domain Admins
    ➔ Hijack ANY user’s RDP session
    ➔ Use hijacked sessions to move laterally across the enterprise
    ➔ Etc. Etc.

  6. If you are an admin
    ➔ Easiest method from admin to SYSTEM is with psexec, but it requires psexec.exe to be present:
      psexec -s \\localhost cmd
      psexec -i -s cmd.exe

  7. Via Command Line
    1. Get all sessions information:
       C:\Windows\system32>query user
    2. Create a service which will hijack the user's session:
       C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon <ID> /dest:<sessions_name>"
    3. Start the service:
       net start sesshijack
    4. Right after that your session will be replaced with the target session

  8. Via GUI
    1. On the machine with SYSTEM privileges:
       C:\Windows\system32>taskmgr.exe
    2. Go to the Users tab, right-click on the connection you want to hijack and choose “Connect”
    3. Right after that your session will be replaced with the target session

  9. Tested on ..
    ➔ Windows 2016
    ➔ Windows 2012 R2
    ➔ Windows 2008
    ➔ Windows 10
    ➔ Windows 7

  10. Case Study
    ➔ A low-privileged user can access some critical system which a Domain Admin shouldn't log in to
    ➔ A low-privileged user or local admin wants to abuse Domain Admin privileges
  11. Mitigation/Defending
    ➢ Use Group Policy to log off disconnected sessions, either immediately or soon after the user disconnects.
    ➢ Set up process monitoring for tscon.exe usage, and monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments, to detect RDP session hijacking.
    ➢ Also note how event_data.LogonID and event IDs 4778 (logon) and 4779 (logoff) can be used to figure out which desktop sessions got disconnected/reconnected.
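The detection the mitigation slide describes, worked through as an added example (not code from the deck): it scans constructed Windows event records for tscon.exe process creation, service installs whose image path runs cmd.exe /k or /c, and 4779/4778 disconnect/reconnect pairs correlated by LogonID. The sample events, the field names, and the "reconnected from a different client" heuristic are assumptions made for this example.

```python
# Added example (not from the deck): detection logic for the mitigation slide,
# run over constructed Windows event records (field names follow the Security
# and System logs: 4688 process creation, 7045 service install, 4778/4779
# session reconnect/disconnect). The 4778/4779 heuristic is an assumption.
import re

# Constructed sample events, in the order they were logged.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon 2 /dest:rdp-tcp#1", "SubjectUserName": "SYSTEM"},
    {"EventID": 7045, "ServiceName": "sesshijack",
     "ImagePath": "cmd.exe /k tscon 2 /dest:rdp-tcp#1"},
    {"EventID": 7045, "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    # victim's logon: disconnected from their own client, reattached from another
    {"EventID": 4779, "LogonID": "0x3e7a1", "AccountName": "jdoe",
     "SessionName": "rdp-tcp#1", "ClientName": "JDOE-LAPTOP"},
    {"EventID": 4778, "LogonID": "0x3e7a1", "AccountName": "jdoe",
     "SessionName": "rdp-tcp#2", "ClientName": "WS-ADMIN"},
    # benign: the same user reconnects from the same client
    {"EventID": 4779, "LogonID": "0x4f0c", "AccountName": "hr01",
     "SessionName": "rdp-tcp#3", "ClientName": "HR-PC"},
    {"EventID": 4778, "LogonID": "0x4f0c", "AccountName": "hr01",
     "SessionName": "rdp-tcp#4", "ClientName": "HR-PC"},
]

# Service image paths that run a shell with /k or /c, which the slide says to watch.
SHELL_SERVICE = re.compile(r"\bcmd(\.exe)?\s+/[kc]\b", re.IGNORECASE)


def detect(events):
    """Return (alert_type, detail) tuples for the indicators named on the slide."""
    alerts = []
    last_disconnect = {}  # LogonID -> ClientName seen on its most recent 4779
    for e in events:
        eid = e["EventID"]
        if eid == 4688 and e.get("NewProcessName", "").lower().endswith("tscon.exe"):
            alerts.append(("tscon_exec", e.get("CommandLine", "")))
        elif eid == 7045 and SHELL_SERVICE.search(e.get("ImagePath", "")):
            alerts.append(("shell_service", e["ServiceName"]))
        elif eid == 4779:
            last_disconnect[e["LogonID"]] = e.get("ClientName")
        elif eid == 4778:
            # Heuristic (assumption): a logon reattached from a different client
            # than the one that disconnected it is the session-hijack fingerprint.
            prev = last_disconnect.get(e["LogonID"])
            if prev is not None and prev != e.get("ClientName"):
                alerts.append(("session_reattached", e["LogonID"]))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts: the tscon.exe execution, the sesshijack service, and the jdoe logon reattached from a different client; the hr01 reconnect is not flagged.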
  12. References
    ➢ http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
    ➢ https://sec-consult.com/en/blog/2019/04/windows-privilege-escalation-an-approach-for-penetration-testers/
    ➢ https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
    ➢ https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
    ➢ https://ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
    ➢ https://attack.mitre.org/techniques/T1076/
    ➢ https://www.fuzzysecurity.com/tutorials/16.html
    ➢ https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/