Slide 1

RDP Hijacking
Pralhad Chaskar (@c0d3xpl0it)

Slide 2

Agenda
➔ Privilege Escalation (aka PrivEsc) Life Cycle
➔ Brainstorming Common PrivEsc Techniques
➔ Common Methods of PrivEsc
➔ RDP Hijacking for Fun and Profit

Slide 3

PrivEsc Life Cycle
(Image) https://sec-consult.com/wp-content/uploads/2019/04/sec-widows-privilege-escalation-phase.png

Slide 4

Brainstorming Common PrivEsc Techniques
(Image) https://c1.sfdcstatic.com/content/dam/blogs/ca/Blog%20Posts/brainstorm-customer-service-og.jpg

Slide 5

Common PrivEsc Techniques
1. Basic Enumeration of the System
2. Cleartext Passwords (in files, in the registry, etc.)
3. Kernel Exploits
4. Token Impersonation (using Incognito)
5. Scheduled Tasks
6. Weak Service Permissions
7. Unquoted Service Paths
8. Vulnerable Drivers
9. AlwaysInstallElevated
10. Group Policy Preferences

Slide 6

What is RDP Hijacking?
➔ Post-exploitation technique
➔ Credential-less hijacking of remote desktop connections
➔ With this technique:
  ◆ You can connect to ANY disconnected session
  ◆ It unlocks ANY locked user session
  ◆ It works for the physical console
  ◆ It works remotely
➔ Requires no external tools such as Mimikatz, Meterpreter, etc.

Slide 7

Essential Prerequisite
➔ You need to be an “administrator” OR NT AUTHORITY\SYSTEM on the machine
➔ We did a quick recap of Privilege Escalation Techniques
➔ There are real-world use cases that can be executed seamlessly without any hacking tools ..

Slide 8

Real-world use cases
➔ Hijack a business user’s RDP session to access sensitive systems in an organization
➔ Hijack help desk RDP connections, as they are more privileged
➔ Hijack RDP sessions of privileged users such as Domain Admins
➔ Hijack ANY user’s RDP session
➔ Use hijacked sessions to move laterally across the enterprise
➔ Etc. Etc.

Slide 9

If you are an admin
➔ Easiest method from admin to SYSTEM is with psexec, but it requires psexec.exe to be present:
    psexec -s \\localhost cmd
    psexec -i -s cmd.exe

Slide 10

Via Command Line
1. Get all session information:
    C:\Windows\system32>query user
2. Create a service which will hijack the user's session:
    C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon /dest:"
3. Start the service:
    net start sesshijack
4. Right after that, your session will be replaced with the target session

Slide 11

Via GUI
1. On the machine, with SYSTEM privileges, open Task Manager:
    C:\Windows\system32>taskmgr.exe
2. Go to the Users tab, right-click the connection you want to hijack and choose “Connect”
3. Right after that, your session will be replaced with the target session

Slide 12

Tested on ..
➔ Windows 2016
➔ Windows 2012 R2
➔ Windows 2008
➔ Windows 10
➔ Windows 7

Slide 13

Case Study
➔ A low-privileged user can access a critical system which a Domain Admin shouldn't log in to
➔ A low-privileged user or local admin wants to abuse Domain Admin privileges

Slide 14

Demo Time
(Image) https://c1.sfdcstatic.com/content/dam/blogs/ca/Blog%20Posts/brainstorm-customer-service-og.jpg

Slide 15

Mitigation/Defending
➢ Use Group Policy to log off disconnected sessions, either immediately or soon after the user disconnects.
➢ Set up process monitoring for tscon.exe usage and monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to prevent RDP session hijacking.
➢ Also, note how event_data.LogonID and event IDs 4778 (logon) and 4779 (logoff) can be used to figure out which desktop sessions got disconnected/reconnected.
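The monitoring described on this slide, worked through as an added example (Python, not part of the deck): it flags service installs whose image path runs cmd.exe /k or /c (and tscon in particular), flags tscon.exe process starts, and correlates each hit with 4778/4779 events by LogonID. The events are constructed sample records, not real logs. Field names follow the Windows event schemas for System 7045 (service installed; ImagePath), Security 4688 (process created; NewProcessName, CommandLine), 4778 ("A session was reconnected to a Window Station") and 4779 ("A session was disconnected from a Window Station"); the flattened one-dict-per-record shape is an assumption about how a SIEM would present them, and the 120-second correlation window is an arbitrary choice.

```python
"""Detection sketch for the mitigations on this slide: flag service installs
whose ImagePath runs cmd.exe /k or /c (and tscon in particular), flag tscon.exe
process starts, and correlate each hit with 4778/4779 session reconnect and
disconnect events keyed by LogonID. Added example; all events are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs) in a flattened dict form, one dict
# per record. Field names follow the Windows event schemas: System 7045
# (service installed), Security 4688 (process created), 4778/4779 (session
# reconnected/disconnected from a Window Station). All values are invented.
SAMPLE_EVENTS = [
    {"time": "2019-09-20T10:00:05", "event_id": 4779, "AccountName": "jdoe",
     "LogonID": "0x3e7f1", "SessionName": "RDP-Tcp#3", "ClientName": "WS01"},
    {"time": "2019-09-20T10:15:00", "event_id": 7045, "ServiceName": "VendorUpdater",
     "ImagePath": "C:\\Program Files\\Vendor\\svc.exe", "AccountName": "LocalSystem"},
    {"time": "2019-09-20T10:20:11", "event_id": 7045, "ServiceName": "sesshijack",
     "ImagePath": "cmd.exe /k tscon 3 /dest:rdp-tcp#2", "AccountName": "LocalSystem"},
    {"time": "2019-09-20T10:20:12", "event_id": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Windows\\System32\\tscon.exe",
     "CommandLine": "tscon 3 /dest:rdp-tcp#2"},
    {"time": "2019-09-20T10:20:13", "event_id": 4778, "AccountName": "jdoe",
     "LogonID": "0x3e7f1", "SessionName": "RDP-Tcp#3", "ClientName": "UNKNOWN-HOST"},
    {"time": "2019-09-20T10:45:00", "event_id": 4778, "AccountName": "asmith",
     "LogonID": "0x51a20", "SessionName": "RDP-Tcp#5", "ClientName": "WS07"},
]

# cmd.exe (or bare cmd) followed by a /k or /c switch, case-insensitive.
SHELL_SWITCH_RE = re.compile(r"\bcmd(?:\.exe)?\s+/[kc]\b", re.IGNORECASE)
# tscon or tscon.exe anywhere in a path or command line.
TSCON_RE = re.compile(r"\btscon(?:\.exe)?\b", re.IGNORECASE)


def classify_event(ev):
    """Return a short reason string if a single event is suspicious, else None.

    7045: service ImagePath invoking tscon, or any cmd.exe /k or /c wrapper.
    4688: tscon.exe started (CommandLine needs command-line auditing enabled).
    """
    eid = ev["event_id"]
    if eid == 7045:
        image = ev.get("ImagePath", "")
        if TSCON_RE.search(image):
            return "service runs tscon"
        if SHELL_SWITCH_RE.search(image):
            return "service runs cmd.exe /k or /c"
    elif eid == 4688:
        if TSCON_RE.search(ev.get("NewProcessName", "")) or TSCON_RE.search(
                ev.get("CommandLine", "")):
            return "tscon.exe executed"
    return None


def session_transitions(events):
    """Map LogonID -> time-ordered [(time, state, AccountName, ClientName)]
    built from 4778 (reconnected) and 4779 (disconnected) events."""
    out = {}
    for ev in events:
        if ev["event_id"] in (4778, 4779):
            state = "reconnected" if ev["event_id"] == 4778 else "disconnected"
            out.setdefault(ev["LogonID"], []).append(
                (ev["time"], state, ev.get("AccountName", ""), ev.get("ClientName", "")))
    for transitions in out.values():
        transitions.sort()  # ISO-8601 strings sort chronologically
    return out


def correlate(events, window_seconds=120):
    """For every suspicious event, list the sessions that were reconnected (4778)
    within window_seconds afterwards. Those are candidate hijacked sessions,
    especially where ClientName differs from the client seen at disconnect."""
    transitions = session_transitions(events)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        reason = classify_event(ev)
        if reason is None:
            continue
        t0 = datetime.fromisoformat(ev["time"])
        reconnected = []
        for logon_id, trans in transitions.items():
            for when, state, account, client in trans:
                delta = datetime.fromisoformat(when) - t0
                if state == "reconnected" and timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                    reconnected.append((logon_id, account, client))
        findings.append({"time": ev["time"], "event_id": ev["event_id"],
                         "reason": reason, "reconnected_sessions": reconnected})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['time']} [{f['event_id']}] {f['reason']} -> {f['reconnected_sessions']}")
```

On the constructed data the benign vendor service is ignored, while the sesshijack install and the tscon.exe start both correlate with jdoe's session (LogonID 0x3e7f1) being reconnected seconds later from a client name that differs from the one recorded at disconnect; asmith's reconnect 25 minutes later falls outside the window. In a real SIEM the same logic would be a query over the 7045/4688/4778/4779 events rather than an in-memory list.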

Slide 16

References
➢ http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
➢ https://sec-consult.com/en/blog/2019/04/windows-privilege-escalation-an-approach-for-penetration-testers/
➢ https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
➢ https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
➢ https://ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
➢ https://attack.mitre.org/techniques/T1076/
➢ https://www.fuzzysecurity.com/tutorials/16.html
➢ https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/