
Jesse Burke RDPwned HackMiami7


An overview of adversarial TTPs against RDP



  1. HackMiami7 RDPwned – An analysis of adversarial RDP TTPs
     Jesse V. Burke, Senior Analyst. May 18, 2019. Copyright © 2019 Wapack Labs, LLC. All rights reserved.
  2. jburke$ whoami && echo Introduction
     Jesse V. Burke (Twitter: @Jesse_V_Burke)
     • Co-Owner, Wapack Labs (4 of 4)
     • Team Leader, Wapack Labs' Team Jaeger
     • Wapack Labs' Underground collections department
     • Responsible for training interns and Wounded Warrior Project employees
     • OPSEC trainer & coordinator
     • Studied Computer Science & Criminal Justice for three years at Suffolk University and two years at UMASS Boston
     • Involved in cryptocurrency since 2010
     • Senior Software Developer and Cyber Intelligence Analyst by day
     • Passions (not in order): cryptography & cryptographic attacks; cryptocurrency; robotics (Raspberry Pis, Arduinos, UAVs, quadcopters, boats, submarines, etc.); radio frequency use, recording/replaying, interception, and MiTM; Linux; vulnerabilities and exploits; web crawling & scraping; trading bots; reverse engineering
  3. What's going on here?
     Recently I wrote a series of four reports on different RDP attacks. Now I am going to discuss the attacks against RDP to show the RDP attack cycle from start to finish.
  4. Reports Available
     Free TLP GREEN copies of the reports, with mitigations, are available at RedSkyAlliance.org. Blacklists and other TLP GREEN reports are available for free too!
  5. Let's Review the Kill Chain Phases
  6. RDP Reconnaissance (Manual)
     Attackers will use Shodan (left), Zoomeye (right), and Censys, or manually scan your subnets, ASNs, etc., targeting your organization looking for the standard RDP port 3389.
  7. RDP Reconnaissance (Manual), cont'd
     Attackers have two easy choices once they have identified systems with port 3389 open that they desire to attack: MS12-020 / CVE-2012-0002 or ShadowBrokers' leaked EsteemAudit Remote Code Execution (RCE) against Windows Server 2003 and Windows XP RDP, OR brute forcing if the machine is not vulnerable to RCE. It's on YouTube so novices can easily learn!
  8. RDP Brute Forcing
     • Hydra – Doesn't work well with modern systems utilizing CredSSP (will discuss CredSSP later), but has a cool logo.
     • Ncrack – Preferred over Hydra and works well against modern systems.
     • Crowbar (formerly Levye) – "It was developed to brute force some protocols in a different manner according to other popular brute forcing tools. As an example, while most brute forcing tools use username and password for SSH brute force, Crowbar uses SSH key(s). This allows for any private keys that have been obtained during penetration tests, to be used to attack other SSH servers."
     • People mention Patator; I have never used this Python solution because Crowbar.
  9. MS12-020 / CVE-2012-0002
     In MS12-020 there were two exploits released. One is a DoS, CVE-2012-0152 (boring), and the other is CVE-2012-0002, RCE. There is no PoC for the RCE on Exploit-DB, but an old Forcepoint article mentions a PoC was published by the Chinese hacking group "Silic Group Hacker Army". Searching for the group yields funny Python and Ruby PoCs. Joshua Drake, aka jduck, wrote a better PoC of the "Chinese Shit" and Silic Group responded by writing a Python version of his Ruby version with the string "fuck you chelios" in the shell code.
  10. EsteemAudit – CVE-2017-9073
      A buffer overflow in Smart Card authentication code in gpkcsp.dll in Microsoft Windows XP through SP3 and Server 2003 through SP2 allows a remote attacker to execute arbitrary code on the target computer, provided that the computer is joined in a Windows domain and has Remote Desktop Protocol connectivity (or Terminal Services) enabled.
      This exploit is NOT exclusive to smart-card-authentication-only devices and can be mitigated with GPOs:
      * Run gpedit.msc
      * Go to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection
      * Set "Do not allow Smart Card device redirection" to Enabled
      * Restart the server.
      "This is done by exploiting the gpkcsp.dll of the Windows Smart Card. EsteemAudit performs a buffer overflow of the key_data component of the key_set structure when a call to memcpy() is made! This awesome exploit provides a real ms08_67 sort of capability to situations when a RedTeamer finds themselves in an environment where XP or Server 03 is present with RDP enabled." Source: https://blog.obscuritylabs.com/esteemaudit/
  11. NEW: CVE-2019-0708
      RDP RCE (CVE-2019-0708): the patch in XP changed IcaBindVirtualChannels and IcaReBindVirtualChannels in termdd.sys, adding an MS_T120 stricmp and selecting a different IcaBindChannel to mitigate CVE-2019-0708.
  12. CVE-2019-0708 Fake PoC (K8Gege)
  13. RDP Reconnaissance (Automatic)
      Russianmarket.gs parent market.
  14. TheDarkOverlord (TDO)
      Most actors looking to carry out a specific targeted attack against a company will usually not have much luck in the underground without directly contacting the sellers and asking (potentially piquing others' curiosity and creating competition). There are also opportunistic actors which are not targeting any specific company but hoping to move laterally throughout a company and get access to the domain controller so they can sell access to the entire network. One prolific group known for doing this was TheDarkOverlord (TDO), who was found to often use purchased RDP servers from the now-seized xDedic[.]biz and move laterally throughout organizations with the initial RDP foothold. Once TDO was able to gain primary control over the domain via administrator accounts or the domain controller, they would sell access to the company for thousands (sometimes hundreds of thousands) of dollars in private forums.
  15. FXMSP / BigPetya / Lampeduza
      FXMSP operates similarly to TDO and currently has access to the networks/source code of three major US antivirus companies for sale on exploit.in for $300,000. FXMSP has sold access to in the past:
      • Hampton Inn
      • Radisson Blu
      • Keystone Bank Limited
      • Key Family of Companies
      • DeltaWestern Petroleum
      • Peckar & Abramson, PC (US law firm)
      • Blue Stone Capital Investments LLC
      • Reliance Industries (India Industrial Holdings)
      • Ghana Ministry of Finance Database
      • Bogota e-government database
      Using the stolen identity of "Andrey Turchin".
  16. RDP Backdoors (Installation)
      Once in a system an attacker needs to be able to get back into the system in case of a password change on the account they are abusing. An RDP backdoor can give the attacker a system-level command prompt at the login screen, which allows the attacker to create a new account, change passwords on existing accounts, or perform other actions. RDP backdoors which allow an attacker a system-level command prompt at login are built on Windows Accessibility functions. An attacker can either create a registry key to make the accessibility tool spawn a cmd prompt, which will be run as the SYSTEM user, or perform binary replacement, replacing the accessibility tool with a signed malicious payload. Due to requiring a signature, binary replacement is less common.
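Both backdoor styles on slide 16 leave host-side artefacts a defender can audit. The script below is an added example, not from the presentation: it checks for the registry-key variant (an Image File Execution Options "Debugger" value registered for an accessibility tool, which is the mechanism that makes Windows run another program in the tool's place), for the binary-replacement variant (an accessibility binary whose hash no longer matches the known-good copy), and for the behaviour a triggered backdoor produces (cmd.exe parented by winlogon.exe at the logon screen). All inputs are constructed snapshots so it runs offline; the hashes, registry entries and process events are samples, not real telemetry.

```python
"""Audit a Windows host snapshot for accessibility-feature RDP backdoors.

Added example (not from the presentation). Inputs are constructed dicts
shaped like a registry export, a file-hash listing and process-creation
events; on a live host they would come from reg.exe, Get-FileHash and
Sysmon event 1 respectively.
"""
import hashlib
from dataclasses import dataclass

# Accessibility tools reachable from the logon screen (all live in System32).
ACCESSIBILITY_TOOLS = frozenset({
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
})
# Image File Execution Options: a "Debugger" value here makes Windows start
# that program instead of the named image (the registry-key variant).
IFEO_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    user: str


def audit_ifeo(ifeo: dict[str, dict[str, str]]) -> list[str]:
    """ifeo maps IFEO subkey name -> its values (constructed reg export)."""
    return [
        f"IFEO Debugger on {sub}: {vals['Debugger']} ({IFEO_KEY}\\{sub})"
        for sub, vals in ifeo.items()
        if sub.lower() in ACCESSIBILITY_TOOLS and "Debugger" in vals
    ]


def audit_binaries(observed: dict[str, bytes], known_good: dict[str, str]) -> list[str]:
    """observed maps tool name -> file bytes; known_good maps name -> SHA-256 hex.
    A mismatch is the binary-replacement variant; the hash check catches it
    even when the replacement carries a valid signature."""
    findings = []
    for name, data in observed.items():
        digest = hashlib.sha256(data).hexdigest()
        expected = known_good.get(name.lower())
        if expected and digest != expected:
            findings.append(f"{name} differs from known-good copy ({digest[:12]}...)")
    return findings


def audit_processes(events: list[ProcessEvent]) -> list[str]:
    """A shell whose parent is winlogon.exe is the backdoor being used."""
    return [
        f"cmd.exe spawned by winlogon.exe as {ev.user}"
        for ev in events
        if ev.parent_image.lower().endswith("winlogon.exe")
        and ev.image.lower().endswith("cmd.exe")
    ]


def run_audit() -> list[str]:
    """Run all three checks over constructed sample data."""
    genuine_sethc = b"<constructed sethc.exe contents>"
    genuine_utilman = b"<constructed utilman.exe contents>"
    known_good = {
        "sethc.exe": hashlib.sha256(genuine_sethc).hexdigest(),
        "utilman.exe": hashlib.sha256(genuine_utilman).hexdigest(),
    }
    ifeo = {  # constructed: one backdoor plus one unrelated, legitimate debugger entry
        "sethc.exe": {"Debugger": r"C:\Windows\System32\cmd.exe"},
        "myapp.exe": {"Debugger": r"C:\Tools\vsjitdebugger.exe"},
    }
    observed = {"sethc.exe": genuine_sethc,
                "utilman.exe": b"<constructed replacement binary>"}
    events = [  # constructed process-creation records
        ProcessEvent(r"C:\Windows\System32\winlogon.exe",
                     r"C:\Windows\System32\cmd.exe", "NT AUTHORITY\\SYSTEM"),
        ProcessEvent(r"C:\Windows\explorer.exe",
                     r"C:\Windows\System32\cmd.exe", "CORP\\alice"),
    ]
    return audit_ifeo(ifeo) + audit_binaries(observed, known_good) + audit_processes(events)


if __name__ == "__main__":
    for finding in run_audit():
        print("[!]", finding)
```

The three checks are independent on purpose: the IFEO and hash checks work from a cold registry/disk snapshot, while the winlogon.exe parent check needs process telemetry but also catches variants that use neither artefact.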
  17. So we're in, now what?
      Moving on to the next phase, weaponization: an attacker can easily backdoor the system they already have RDP access to, moving on to delivery, exploitation, installation... but we are looking at the process as it pertains to other systems on the network, i.e. moving laterally. So the next logical step for the attacker is to see if there are any other active RDP connections coming into the system after already completely compromising and backdooring the system. The attacker is now presented with a few additional pieces of data from full compromise of the machine without touching any of the other machines on the network (yet):
      • What accounts exist on the machine?
      • What are the accounts' observed behaviors regarding login times, frequency, method, etc.?
      • What accounts are remotely connecting in, and are they authenticating using local credentials or NLA through a domain controller?
      • If they are authenticating through a domain controller, what other potential systems would their NTLM or Kerberos auth work on, potentially within the same subnet? (Note the attacker typically has not scanned the subnet yet because they don't want to be detected and have the initial foothold removed.)
  18. Windows RDP Security Protocols ("Enhanced TLS")
      Windows uses Enhanced TLS or CredSSP tunnels to protect RDP authentication credentials. Windows 7 and older systems use Enhanced TLS for RDP authentication, while newer systems utilize CredSSP. Enhanced TLS is flawed because every system has the same public/private key pair, which is publicly available from Microsoft. If a modern system utilizing CredSSP is part of a domain, CredSSP will use Kerberos encryption and request a ticket from the domain controller on port 88. An attacker in a MiTM position can block the client's Kerberos ticket request to the domain controller on port 88; when this happens the client will revert to NTLM encryption. By default, Windows 10 Home has the Remote Desktop client disabled and requires a manual patch for CredSSP, which most manufacturers overlook; luckily unpatched systems cannot connect to patched servers. Often users of tech forums suggest disabling CredSSP to allow unpatched systems to connect to the patched RDP server, without realizing the proposed solution makes the system vulnerable to CVE-2018-0886 again.
      NLA = Network Level Authentication: NTLM (NT LAN Manager), Kerberos (KBGT).
      TLS tunnels for credentials: Enhanced TLS, CredSSP.
      NTLM encryption is HMAC-MD5 based and therefore already weak and susceptible to offline brute forcing with JohnTheRipper or Hashcat from a PCAP.
      Source: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/c2389e29-5706-4ac4-b555-e26f93144db7
  19. Lateral Movement Attack Decisions (Weaponization)
      RDP Session Hijack (low risk of detection):
      • Requires the attacker to have access to an account on the system and other users to be logged in or have active RDP sessions.
      • Works on all versions of Windows Server.
      MiTM (high risk of detection):
      • Requires an attacker to be on the same subnet.
      • Greater chance of detection and of leaving network artifacts or getting the initial RDP foothold cleaned up (infection removed).
      Inception Attack (medium risk of detection):
      • Only possible if clients are remotely mounting drives over RDP.
      • Can be placed on an infected RDP machine to potentially exploit anyone mounting remote drives over RDP.
  20. Attack Decisions Visualized
  21. RDP Session Hijacking (Delivery)
  22. RDP Session Hijacking (Exploitation)
  23. Windows Home vs. Pro RDP
      • $100 license upgrade from Home to Pro.
      • Active Directory: only the Professional editions (Pro/Enterprise) or Ultimate have the license value WorkstationService-DomainJoinEnabled set. Home users cannot join a domain via the GUI, but there are CLI solutions.
      • Concurrent connections, and mitigations for CredSSP through the GUI, are not possible. To mitigate CredSSP you have to use registry keys or PowerShell.
      • Orgs sometimes have an RDP hop box; if an admin is using Windows Home that is not manually patched (no gpedit.msc without Pro) to access the hop box and an attacker is in a MiTM position, they could execute CVE-2018-0886 CredSSP RCE.
  24. RDPWrap DoS via attempted session hijacking
      Performing the same session hijacking steps against a Windows 10 Home system which has installed the popular third-party RDP multi-user solution, RDPWrap, results in a Denial-of-Service (DoS). The desired outcome is to hijack the session, but instead the user is kicked off the session and the attacker is presented with a login screen instead of the active session. An attacker could script this to repeatedly knock remote users or administrators/defenders off of a system while leveraging it during odd/off hours and attempting to move laterally.
  25. Cain&Abel MiTM
  26. Cain&Abel MiTM, cont'd
  27. Seth RDP MiTM Attacks
      Seth is a Python script by Adrian Vollmer used to downgrade CredSSP authentication to Enhanced TLS and break encryption. Instead of capturing and using the NTLM authentication response, Seth sends a copied server NTLM response stating it could not contact the domain controller, which causes the client to downgrade to Enhanced TLS RDP and transmit the user's password to the server inside the TLS tunnel. If the intended target is part of a domain, the attacker will have to block Kerberos ticket requests on port 88 from the client to the domain controller before executing a Seth attack.
  28. CVE-2018-0886 CredSSP RCE
      When Google searching for "CredSSP Remediation Error" a lot of posts recommend uninstalling the patch or changing the server to allow non-NLA authentication by default. Seth can downgrade NLA to Enhanced TLS or default easily, but after performing the recommendation on the left it doesn't need to and can just directly make an Enhanced TLS request.
  29. CVE-2018-0886 CredSSP RCE
      This Remote Code Execution requires a MiTM position. CVE-2018-0886 is very similar to a Seth attack except it uses MSRPC. (Diagram labels: CredSSP, E-TLS.)
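Slides 18, 27 and 28 all come down to the same observable: the client ends a connection on a weaker security protocol than it asked for. That negotiation is visible in the first two PDUs of every RDP connection, defined in the MS-RDPBCGR specification linked on slide 18: the X.224 Connection Request carries an rdpNegReq listing the protocols the client supports (standard RDP security, TLS only, or CredSSP/NLA inside TLS), and the X.224 Connection Confirm carries the server's rdpNegRsp with the one it selected. The following is an added example, not from the presentation or from Seth or PyRDP: a parser for both PDUs plus a check that flags a downgrade or a fall-back to standard RDP security, which is what a network sensor or honeypot would alert on. The PDUs are built in the script so it runs offline; the user name and the byte values are constructed samples.

```python
"""Parse RDP's connection negotiation and flag security-protocol downgrades.

Added example (not from the presentation). Implements the rdpNegReq /
rdpNegRsp structures from MS-RDPBCGR 2.2.1.1 and 2.2.1.2 inside TPKT and
X.224 framing. Builders at the bottom exist only to construct sample PDUs.
"""
import struct

# requestedProtocols / selectedProtocol bit values
PROTOCOL_RDP = 0x00000000        # standard RDP security, no TLS at all
PROTOCOL_SSL = 0x00000001        # TLS only ("Enhanced TLS" on the slides)
PROTOCOL_HYBRID = 0x00000002     # CredSSP / NLA inside TLS
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization
NAMES = {PROTOCOL_RDP: "RDP", PROTOCOL_SSL: "SSL",
         PROTOCOL_HYBRID: "HYBRID", PROTOCOL_HYBRID_EX: "HYBRID_EX"}
STRENGTH = {PROTOCOL_RDP: 0, PROTOCOL_SSL: 1, PROTOCOL_HYBRID: 2, PROTOCOL_HYBRID_EX: 3}
TYPE_NEG_REQ, TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x01, 0x02, 0x03
X224_CR, X224_CC = 0xE0, 0xD0     # Connection Request / Connection Confirm
COOKIE = b"Cookie: mstshash="     # optional routing cookie carrying the user name


def _x224_variable_part(pdu: bytes, expected_code: int) -> bytes:
    """Strip the TPKT header and fixed X.224 header; return the variable part."""
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT-framed PDU")
    (tpkt_len,) = struct.unpack(">H", pdu[2:4])          # big-endian total length
    if tpkt_len != len(pdu):
        raise ValueError("TPKT length does not match PDU size")
    li, code = pdu[4], pdu[5] & 0xF0                      # length indicator, TPDU code
    if code != expected_code:
        raise ValueError(f"unexpected X.224 TPDU code 0x{code:02x}")
    # LI counts code(1) + DST-REF(2) + SRC-REF(2) + class(1) + variable part.
    return pdu[11:5 + li]


def parse_neg_request(pdu: bytes) -> dict:
    var = _x224_variable_part(pdu, X224_CR)
    cookie = None
    if var.startswith(COOKIE):
        end = var.index(b"\r\n")
        cookie = var[len(COOKIE):end].decode("ascii", "replace")
        var = var[end + 2:]
    if len(var) < 8 or var[0] != TYPE_NEG_REQ:
        # No rdpNegReq at all: a legacy client that only speaks standard RDP security.
        return {"cookie": cookie, "requested": PROTOCOL_RDP, "flags": 0}
    _t, flags, length, requested = struct.unpack("<BBHI", var[:8])  # little-endian
    if length != 8:
        raise ValueError("malformed rdpNegReq")
    return {"cookie": cookie, "requested": requested, "flags": flags}


def parse_neg_response(pdu: bytes) -> dict:
    var = _x224_variable_part(pdu, X224_CC)
    if len(var) < 8:
        return {"type": "none", "selected": PROTOCOL_RDP}   # no rdpNegRsp from server
    typ, flags, length, value = struct.unpack("<BBHI", var[:8])
    if length != 8 or typ not in (TYPE_NEG_RSP, TYPE_NEG_FAILURE):
        raise ValueError("malformed negotiation response")
    if typ == TYPE_NEG_FAILURE:
        return {"type": "failure", "failure_code": value}
    return {"type": "response", "selected": value, "flags": flags}


def assess(request_pdu: bytes, response_pdu: bytes) -> list[str]:
    """Compare what the client offered with what the server chose."""
    req, rsp = parse_neg_request(request_pdu), parse_neg_response(response_pdu)
    if rsp["type"] == "failure":
        return [f"negotiation failed, failureCode={rsp['failure_code']}"]
    offered = [p for p in STRENGTH if p and req["requested"] & p]
    best = max((STRENGTH[p] for p in offered), default=0)
    sel = rsp["selected"]
    if sel not in STRENGTH:
        return [f"unknown selectedProtocol 0x{sel:08x}"]
    findings = []
    if sel == PROTOCOL_RDP:
        findings.append("standard RDP security selected: no TLS tunnel around the logon")
    if STRENGTH[sel] < best:
        names = "|".join(NAMES[p] for p in offered)
        findings.append(f"downgrade: client offered {names}, server selected {NAMES[sel]}")
    return findings


# --- builders for constructed sample PDUs (same wire format as parsed above) ---
def _tpkt_x224(code: int, variable: bytes) -> bytes:
    body = bytes([6 + len(variable), code]) + b"\x00\x00\x00\x00\x00" + variable
    return b"\x03\x00" + struct.pack(">H", 4 + len(body)) + body


def build_request(requested: int, user: str = "") -> bytes:
    cookie = COOKIE + user.encode() + b"\r\n" if user else b""
    return _tpkt_x224(X224_CR, cookie + struct.pack("<BBHI", TYPE_NEG_REQ, 0, 8, requested))


def build_response(selected: int) -> bytes:
    return _tpkt_x224(X224_CC, struct.pack("<BBHI", TYPE_NEG_RSP, 0, 8, selected))


if __name__ == "__main__":
    client = build_request(PROTOCOL_SSL | PROTOCOL_HYBRID, "alice")   # constructed user
    print("healthy:   ", assess(client, build_response(PROTOCOL_HYBRID)))
    print("downgraded:", assess(client, build_response(PROTOCOL_SSL)))
    print("legacy:    ", assess(client, build_response(PROTOCOL_RDP)))
```

A healthy exchange (client offers SSL|HYBRID, server picks HYBRID) yields no findings; a server that answers SSL to the same offer is reported as a downgrade, and an answer of standard RDP security is reported twice, once for the downgrade and once because nothing is tunnelled at all.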
  30. RDP Inception Attack (Optional Installation)
      Remote mounting of drives via RDP is an option the user is presented with when using the native Windows RDP client to initiate a connection with a server. It is not enabled by default. RDP Inception can be utilized by attackers to automate RDP lateral movement attempts. RDP Inception attacks are only possible if a user manually mounts a drive in the Windows RDP client. RDP Inception works by creating a logon script which enumerates RDP remote-mounted drives and attempts to place a copy of itself in any mounted drives before moving the copy to startup. RDP remote-mounted drives get mapped to the //tsclient directory with a respective drive letter A-Z, representing each server connection to the client. The script then moves the copy from tsclient to the target system's startup.
      Note: Sharing a clipboard in Hyper-V between host and guest also mounts a //tsclient drive, useful for VM escapes.
  31. APT RDP TTPs – RDP Tunneling
      • PuTTY Link, or plink, is commonly abused to create encrypted SSH tunnels. For example, FIN8 has used plink to create tunnels allowing RDP ports on infected systems to communicate back to the C2.
      • NAT, firewalls, and other forms of network segmentation can help, but do not mitigate the network-tunneling or host-based port forwarding methods observed by FireEye being utilized by APTs.
      • HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
      • HKEY_CURRENT_USER\SoftWare\SimonTatham\PuTTY\SshHostKeys
      Source: https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
  32. APT RDP TTPs – RDP Tunneling (cont'd)
      • Windows Network Shell (netsh) commands can be used to utilize RDP port forwarding to access newly discovered segmented networks reachable only through an administrative jump box.
      • A threat actor could configure the jump box to listen on any port for traffic being sent from a previously compromised system. The traffic would then be forwarded directly through the jump box to any system on the segmented network using any designated port, including the default RDP port TCP 3389.
      • HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4
      Source: https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
  33. Detections
      Log of all RDP events on Windows Server: Computer Management > System Tools > Event Viewer > Application and Service Logs > Microsoft > Windows > TerminalServices-LocalSessionManager > Operational
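Slide 33 names the log but not what to look for in it. The following added example (not part of the presentation) applies three hunts to records exported from TerminalServices-LocalSessionManager/Operational: event 21 (session logon succeeded) or 25 (session reconnection succeeded) whose Source Network Address is outside the internal ranges, i.e. RDP reached from the internet; the same events outside working hours, which is the pattern the RDPWrap and session-hijack slides describe; and event 39 ("Session <a> has been disconnected by session <b>"), the footprint of one session taking over another. The records, the internal address ranges (RFC 1918 plus loopback and link-local) and the 07:00-19:00 working window are all constructed assumptions to be replaced with the organisation's own.

```python
"""Hunt through TerminalServices-LocalSessionManager/Operational events.

Added example (not from the presentation). Records are constructed dataclass
instances whose fields follow the event's UserData (User, Source Network
Address, Session ID); the internal ranges and working hours are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

WORK_START, WORK_END = 7, 19                      # assumed local working hours
LOGON_EVENTS = {21: "logon", 25: "reconnect"}     # successful session logon / reconnect
TAKEOVER_RE = re.compile(r"Session (\d+) has been disconnected by session (\d+)")
# Assumed internal address space: RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class RdpEvent:
    time: datetime
    event_id: int
    user: str = ""
    source: str = ""        # Source Network Address ("LOCAL" for the console)
    session: int = 0
    message: str = ""


def is_external(addr: str) -> bool:
    """True when the address parses and falls outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:      # "LOCAL", empty, or not an address: no network source
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def hunt(events: list[RdpEvent]) -> list[str]:
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        stamp = ev.time.strftime("%Y-%m-%d %H:%M")
        if ev.event_id in LOGON_EVENTS:
            kind = LOGON_EVENTS[ev.event_id]
            if is_external(ev.source):
                findings.append(f"{stamp} external {kind}: {ev.user} from {ev.source} "
                                f"(session {ev.session})")
            if not WORK_START <= ev.time.hour < WORK_END:
                findings.append(f"{stamp} off-hours {kind}: {ev.user} from {ev.source}")
        elif ev.event_id == 39:
            m = TAKEOVER_RE.search(ev.message)
            if m:
                victim, actor = m.groups()
                findings.append(f"{stamp} session {victim} taken over by session {actor} "
                                f"(possible RDP session hijack)")
    return findings


SAMPLE_EVENTS = [   # constructed records, not real telemetry
    RdpEvent(datetime(2019, 5, 13, 9, 15), 21, "CORP\\alice", "10.0.0.5", 2),
    RdpEvent(datetime(2019, 5, 13, 17, 30), 24, "CORP\\alice", "10.0.0.5", 2),
    RdpEvent(datetime(2019, 5, 14, 2, 40), 21, "CORP\\svc-backup", "203.0.113.77", 3),
    RdpEvent(datetime(2019, 5, 14, 2, 45), 39,
             message="Session 2 has been disconnected by session 3"),
    RdpEvent(datetime(2019, 5, 14, 8, 5), 25, "CORP\\bob", "LOCAL", 4),
]


if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print("[!]", line)
```

On the sample the alice logon from 10.0.0.5 during the day is silent, the 02:40 logon from 203.0.113.77 produces both an external and an off-hours finding, and the event 39 five minutes later is reported as session 2 being taken over by session 3.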
  34. MITIGATIONS
      • Do not expose RDP servers externally to the internet; limit the attack surface.
      • Manually patch systems for CVE-2018-0886.
      • Do not disable Windows Firewall on systems that have not been patched for CVE-2018-0886.
      • Secure RDP connections to servers by using an SSL certificate signed by a trusted certificate authority, or sign all server certificates with your enterprise CA. All client systems will need the root CA in their list of trusted CAs, which will require manual addition if not using a certificate from a popular trusted CA. With this mitigation in place, RDP SSL prompts and irregular behavior should be reported to IT, as they are evidence of an attempted RDP MiTM.
      • Group Policies can be set to enforce a user's successful authentication only from a valid trusted CA in the server's trusted CA list.
      • Use PowerShell's Enable-WSManCredSSP to enable "Encryption Oracle Remediation" on clients' Windows Home systems to prevent CVE-2018-0886. This will NOT protect against Seth or PyRDP downgrade attacks and should be used in conjunction with the other mitigations mentioned.
      • Alternatively, the following registry key reportedly enables CredSSP for Windows 10 Home users: REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
      • Create a dedicated administrator account for accessing the domain controller and do not allow any other accounts access. Do not allow the dedicated administrator account for the domain controller to access any other systems. Tools like Mimikatz can dump users' credentials from a system, including NTLM and Kerberos.
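Most of the mitigations above, plus the drive-redirection precondition of the Inception attack (slide 30), the smart-card redirection GPO (slide 10) and the netsh portproxy persistence (slide 32), reduce to a handful of registry values that can be graded from an export. The checker below is an added example, not from the presentation: it takes a dict shaped like a registry export (key -> {value: data}) and returns the weak settings, with a constructed weak snapshot and a constructed hardened one side by side. The Terminal Server, CredSSP and PortProxy key and value names are the documented ones; one caveat a practitioner needs is that Microsoft's guidance for CVE-2018-0886 defines AllowEncryptionOracle data as 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable, so the REG ADD with data 2 quoted on slide 34 is graded here as the weak setting. The mapping of "Do not allow Smart Card device redirection" to fEnableSmartCard = 0 is taken from the Terminal Services policy template and is an assumption.

```python
"""Grade an RDP hardening snapshot against the slide 34 mitigations.

Added example (not from the presentation). Input is a dict shaped like a
registry export: key path -> {value name: data}. Both snapshots below are
constructed; on a live host the dict would be filled from reg.exe output.
"""
TS = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP = TS + r"\WinStations\RDP-Tcp"
CREDSSP = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
TS_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
PORTPROXY = r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp"

# AllowEncryptionOracle data values as documented by Microsoft for CVE-2018-0886.
ORACLE = {0: "Force Updated Clients", 1: "Mitigated", 2: "Vulnerable"}


def _get(snapshot: dict, key: str, value: str, default=None):
    return snapshot.get(key, {}).get(value, default)


def assess_rdp_posture(snapshot: dict[str, dict[str, object]]) -> list[str]:
    """Return one finding per weak or risky setting; empty means nothing to fix."""
    findings = []
    if _get(snapshot, TS, "fDenyTSConnections", 1) == 1:
        return []                                   # RDP disabled: nothing further to grade
    ua = _get(snapshot, RDP_TCP, "UserAuthentication")
    if ua != 1:
        findings.append(f"NLA not required (UserAuthentication={ua}): "
                        "logon screen reachable before authentication")
    layer = _get(snapshot, RDP_TCP, "SecurityLayer")
    if layer != 2:
        findings.append(f"SecurityLayer={layer}: TLS not enforced, "
                        "standard RDP security can still be negotiated")
    level = _get(snapshot, RDP_TCP, "MinEncryptionLevel") or 0
    if level < 3:
        findings.append(f"MinEncryptionLevel={level}: below High (3)")
    oracle = _get(snapshot, CREDSSP, "AllowEncryptionOracle")
    if oracle == 2:
        findings.append(f"AllowEncryptionOracle=2 ({ORACLE[2]}): "
                        "CVE-2018-0886 remediation switched off")
    if _get(snapshot, TS_POLICY, "fDisableCdm", 0) != 1:       # policy not configured = allowed
        findings.append("drive redirection not disabled by policy (fDisableCdm != 1): "
                        "RDP Inception precondition present")
    if _get(snapshot, TS_POLICY, "fEnableSmartCard", 1) != 0:  # assumed GPO mapping
        findings.append("smart card device redirection not disabled (fEnableSmartCard != 0)")
    for listener, target in snapshot.get(PORTPROXY, {}).items():
        findings.append(f"netsh portproxy {listener} -> {target}: "
                        "host-based port forwarding configured")
    return findings


WEAK_SNAPSHOT = {   # constructed: roughly what the forum advice on slide 28 leaves behind
    TS: {"fDenyTSConnections": 0},
    RDP_TCP: {"UserAuthentication": 0, "SecurityLayer": 0, "MinEncryptionLevel": 1},
    CREDSSP: {"AllowEncryptionOracle": 2},
    TS_POLICY: {},
    PORTPROXY: {"10.0.5.20/3389": "192.168.50.10/3389"},   # constructed forwarding rule
}

HARDENED_SNAPSHOT = {   # constructed: the corrected settings
    TS: {"fDenyTSConnections": 0},
    RDP_TCP: {"UserAuthentication": 1, "SecurityLayer": 2, "MinEncryptionLevel": 3},
    CREDSSP: {"AllowEncryptionOracle": 0},
    TS_POLICY: {"fDisableCdm": 1, "fEnableSmartCard": 0},
    PORTPROXY: {},
}


if __name__ == "__main__":
    for label, snap in (("weak", WEAK_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        result = assess_rdp_posture(snap)
        print(f"== {label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The weak snapshot yields seven findings (NLA off, TLS not enforced, low encryption level, the vulnerable oracle setting, drive and smart card redirection left enabled, and a portproxy listener); the hardened one yields none. Values absent from the export are reported rather than assumed safe, except for the two policy values whose "not configured" state genuinely means the redirection is allowed.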
  35. PyRDP MiTM Honeypot
      Credential Sinkholing: One of the features we wanted was the ability to change the username and password entered by the user. We use this to make any connection to the MITM tool successful, regardless of the username and password used. This allows us to see what malicious users do when they get an actual RDP session, not just a login screen.
      File Collecting: Among the advanced features of RDP that we implemented are virtual channels. These are RDP "plugins" that have various uses: clipboard sharing, drive mapping, sound playback, etc. When a client connects to the drive redirection channel and sends a file, our MITM saves it to disk. This can be useful to malware analysts, since they can retrieve the files later for analysis.
      Clipboard Spying: When the client connects to the clipboard channel and copies text to their clipboard on their host machine, the MITM logs the copied data – even if the client doesn't paste it. This works even if the RDP window is out of focus.
      Other channels: Other virtual channels should work seamlessly for the client. However, the MITM doesn't do any special processing: it simply forwards data to the real server without parsing or modifying it at all.
      Not to be confused with RDPy, another Python RDP MiTM library. This tool was influenced by RDPy but is more capable according to the author.
      Source: https://www.gosecure.net/blog/2018/12/19/rdp-man-in-the-middle-smile-youre-on-camera
  36. PyRDP MiTM Honeypot (cont'd)
      PyRDP MITM records the following events:
      • Bitmap graphics
      • Mouse movements
      • Keyboard input
      • Connection info (local IP address, username, password, domain, computer name)
      • Clipboard content
      Fun Pentesting Prank:
      • Bettercap or any other method of ARP poisoning
      • PyRDP
      • Fake RDP landing server, defaced (may be able to phish creds with it) or with a screenshot of the desktop and the taskbar/icons hidden + taskbar locked & Windows key disabled; users will try to double-click the picture of the desktop icons and the start button.
  37. StickyKeysHunter
      A bash script that does the following:
      • Connects to RDP using rdesktop
      • Sends Shift 5 times using xdotool to trigger sethc.exe backdoors
      • Sends Windows+U using xdotool to trigger utilman.exe backdoors
      • Takes a screenshot
      • Kills the RDP connection
      Note: One must still process the images or use OCR extraction to compare and flag anomalies. The screen cannot be locked during this process or all the screenshots will turn out black. There are other accessibility backdoors; this only checks for two but could be modified for more. Automating against a large list of IPs in a for loop, OCR extracting, and recording anomalous IPs can be a great/unique source of Threat Intelligence.
  38. Questions & Comments?
      Contact: jburke@wapacklabs.com. Feel free to contact about Linux, robotics, embedded systems, drones, exploits, hacking, hacker forums (parsing & monitoring), coding, Tor usage, cryptocurrency, etc. Also available in the Red Sky Alliance portal 24/7.
      End >> EOF | END TRANSMISSION
