Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Breaking out of restricted RDP


Published on

BSidesLondon 20th April 2011 - @wickedclownuk
Lots of companies are using RDP to support their external users. The administrators lock down the servers via group policy believing it is all secure, I will demostrate how you can instantly bypass group policy and how to escalate your privileges with the use of Metasploit.

Published in: Technology
  • Sex in your area is here: ❶❶❶ ❶❶❶
    Are you sure you want to  Yes  No
    Your message goes here
  • Dating for everyone is here: ❶❶❶ ❶❶❶
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

Breaking out of restricted RDP

  1. 1. Breaking out of arestricted RDP sessionBy Wicked ClownBsides London 20 April 2011.
  2. 2. A little bit of crap about me :) I am Wicked Clown I regularly attend DC4420 (DefCON London) Working in the security arena for 3 years as a tech support engineer. Unhealthy interest in everything security related for 20 years :) Jack of all trades, other interests include. – Lock picking, Social Engineering, Exploit & Vulnerability Research, Pen testing. Anything security related!
  3. 3. Talk Outline*** THIS FOR EDUCATIONAL PURPOSE ONLY!! *** Extended version of my lighting talk I gave at BruCON 2010. I got video demo’s, I chicken out a live one! I am going to show how to fix it :( This is a bit of random talk (covers lots of things not just RDP)
  4. 4. So what have I discovered Any one who can connect to your Terminal Server, can run and execute pretty much anything. Bypassing your Group Policy settings!! Even if you think they are restricted!Note: Only tested on windows 2000 and 2003
  5. 5. Is this a security issue or not! Majority of people I have spoken to think this is an issue. Informed Microsoft – Don’t seem to care. This is OPEN BY DEFAULT!! I have seen this in the wild.
  6. 6. Lets pop a box! - Recon - Nmap scan the box - Port 3389 - Do we have an account and password? - If no, how do we get in! - If yes, AWESOME!!
  7. 7. Lets pop a box! - UsernameWe don’t have a username.Most companies use the username in their email address mostly the username will be ‘JD’
  8. 8. Lets pop a box! - Password* PASSWORD LOCK OUT POLICY!! * Brute Force or social engineer. Don’t need to just use TSCrack Check for FTP (21) or IMAP (143) services = Hydra Administrator DOESN’T LOCK OUT!! :)* PASSWORD LOCK OUT POLICY!! *
  9. 9. Lets pop a box! – Got detailsWe have a valid username and password!We log in but restricted.. And now the cool bit!! :)
  10. 10. DEMO!! Lets all pray to the demo gods!!Show you the group policyLog in as user to show its restrictedShow how to get command shell inabout 5 secondsHow to abuse this to escalateprivilegesThen how to prevent this happening
  11. 11. Demo Group Policy Setup
  12. 12. Demo Con’tAttack – The cool bit you want to see!
  13. 13. Demo Cont How to fix it – the boring bit!!
  14. 14. Now What!!Lets f*ck a network! Try the local admin password on other servers Check for other services running. VNC? Use Metasploit to route exploits through this box (Video on website) Upload ‘Cain & Able’ to sniff the network for logins / passwords
  15. 15. Game over man!!
  16. 16. Email Server Access anybodies email account Send an email from someone to their boss saying they are gay and have a crush on them. Search the emails for the word ‘Password’ Use it as a spam server
  17. 17. Internal / ExternalNetwork Inject malicious code into your Intranet website Deface or Inject code into your external website Attack their external resources Turn their machines against them Modifying your backups
  18. 18. Accounts System Create a phantom employee who gets paid. Transfer money to me or an enemy Publish everybody’s payslips Change everybodys pay Over charge their customers
  19. 19. Your Customers Obtain access to their networks Steal there information Block / sabotage their access to support them Denial of services ALL their customers
  20. 20. Conclusion Forgetting a little tick can screw you over!! Finding ‘features’ is not just about exploiting code If you get caught doing this don’t blame meWeb: