RDP Hijacking

Transcript

1. RDP Hijacking Pralhad Chaskar (@c0d3xpl0it)

2. Agenda ➔ Privilege Escalation (aka PrivEsc) Life Cycle ➔ Brian-storming

   Common PrivEsc Techniques ➔ Common Methods of PrivEsc ➔ RDP Hijacking for Fun and Profit

3. PrivEsc Life Cycle https://sec-consult.com/wp-content/uploads/2019/04/sec-widows-privilege-escalation-phase.png

4. Brian-storming Common PrivEsc Techniques https://c1.sfdcstatic.com/content/dam/blogs/ca/Blog%20Posts/brainstorm-customer-service-og.jpg

5. Common PrivEsc Technique 1. Basic Enumeration of the System 2.

   Cleartext Passwords (In Files, In Registry, etc) 3. Kernel Exploits 4. Token Impersonation (using Incognito) 5. Scheduled Tasks 6. Weak Service Permissions 7. Unquoted Service Paths 8. Vulnerable Drivers 9. AlwaysInstallElevated 10. Group Policy Preference

6. What is RDP Hijacking ➔ Post exploitation technique ➔ Credentials-less

   hijacking of remote desktop connections ➔ With this technique you can, ◆ You can connect to ANY disconnected sessions ◆ It unlocks ANY locked user sessions ◆ It works for the physical console ◆ It works remotely ➔ Requires no external tools like Mimikatz, Meterpreter etc.

7. Essential Prerequisite ➔ You need to be an “administrator” OR

   NT AUTHORITY\SYSTEM on the machine ➔ We did a quick recap of Privilege Escalation Techniques ➔ There are real world use cases that can be seamlessly execute without any hacking tools ..

8. Real works use cases ➔ Hijack a business user’s RDP

   session to access sensitive systems in an organization ➔ Hijack help desk RDP connections as they more privileged ➔ Hijack RDP sessions of privileged users such a Domain admins ➔ Hijack ANY user RDP session ➔ Use hijacked sessions to move laterally across the enterprise ➔ Etc. Etc.

9. If you are an admin ➔ Easiest method from admin

   to SYSTEM with psexec, but requires psexec.exe to be there: psexec -s \\localhost cmd Psexex -i -s cmd.exe

10. Via Command Line 1. Get all sessions information C:\Windows\system32>query user

    2. Create service which will hijack user's session: C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon <ID> /dest:<sessions_name>" 3. Start service: net start sesshijack 4. Right after that your session will be replaced with target session

11. Via GUI 1. On the machine with SYSTEM privileges C:\Windows\system32>taskmgr.msc

    2. Goto Users Tab Right click on the connection you want to hijack and choose “Connect” 3. Right after that your session will be replaced with target session

12. Tested on .. ➔ Windows 2016 ➔ Windows 2012 R2

    ➔ Windows 2008 ➔ Windows 10 ➔ Windows 7

13. Case Study ➔ Low privileged user can access some critical

    system which Domain Admin shouldn't login ➔ Low privileged user or Local admin want to abuse Domain Admin privileges

14. Demo Time https://c1.sfdcstatic.com/content/dam/blogs/ca/Blog%20Posts/brainstorm-cus tomer-service-og.jpg

15. Mitigation/Defending ➢ Using Group Policy to log off disconnected sessions,

    either immediately or soon after the user disconnects. ➢ Set up process monitoring for tscon.exe usage and monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to prevent RDP session hijacking. ➢ Also, note how event_data.LogonID and event_ids 4778 (logon) and 4779 (logoff) events can be used to figure out which desktop sessions got disconnected/reconnected

16. References ➢ http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html ➢ https://sec-consult.com/en/blog/2019/04/windows-privilege-escalation-an-approach-for-penetration-testers/ ➢ https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through- an-da2a1e73a5f6 ➢ https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

    ➢ https://ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement ➢ https://attack.mitre.org/techniques/T1076/ ➢ https://www.fuzzysecurity.com/tutorials/16.html ➢ https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/