Jesse V. Burke presents on adversarial RDP tactics, techniques, and procedures (TTPs). The presentation reviews the RDP attack cycle from initial reconnaissance using tools like Shodan to identify open RDP ports, through exploitation of vulnerabilities like MS12-020 and EsteemAudit, lateral movement using session hijacking, and potential mitigations. It provides details on common RDP attacks like brute forcing passwords, downgrading encryption, and using tools like Cain & Abel or Seth to perform man-in-the-middle attacks to decrypt credentials. The presentation emphasizes that proper patching, firewalls, and securing RDP connections can help prevent many external and internal RDP attacks.

1. HackMiami7
RDPwned – An analysis
of adversarial RDP TTPs
Jesse V. Burke, Senior Analyst
May 18, 2019
Copyright © 2019 Wapack Labs, LLC. All rights reserved.
1
<1337>Presentation

2. jburke$ whoami && echo Introduction
Jesse V. Burke (Twitter:
@Jesse_V_Burke)
• Co-Owner Wapack Labs (4 of 4)
• Team Leader Wapack Labs’ Team Jaeger
• Wapack Labs’ Underground collections
department
• Responsible for training interns and
Wounded Warrior Project employees
• OPSEC trainer & coordinator
• Studied Computer Science & Criminal Justice
for three years at Suffolk University and two
years at UMASS Boston
• Involved in cryptocurrency since 2010
• Senior Software Developer and Cyber
Intelligence Analyst by day
• Passions (Not in order):
• Cryptography & Cryptographic Attacks
• Cryptocurrency
• Robotics; Raspberry Pis, Arduinos, UAVs,
quadcopters, boats, submarines, etc.
• Radio Frequency use, recording/replaying,
interception, and MiTM
• Linux
• Vulnerabilities and Exploits
• Web crawling & scraping
• Trading bots
• Reverse Engineering
2

3. Recently I wrote a series of four reports on
different RDP attacks. Now I am going to
discuss the attacks against RDP to show the
RDP attack cycle from start to finish.
What’s going on here?
3

4. Reports Available
Free TLP GREEN copies of reports
with mitigations available at
RedSkyAlliance.org
Blacklists and other TLP GREEN
reports available for free too!
4

5. Let’s Review the Kill Chain Phases
5

6. Attackers will use Shodan (left)
, Zoomeye (right), and Censys
or manually scan your subnets,
ASNs, etc. targeting your
organization looking for
standard RDP port 3389.
RDP Reconnaissance (Manual)
6

7. RDP Reconnaissance (Manual) cont’d
Attackers have two easy choices once they have identified systems
with port 3389 open that they desire to attack: MS12-020 / CVE-
2012-0002, ShadowBroker’s leaked EsteemAudit Remote Code
Execution (RCE) against Windows Server 2003 and Windows XP
RDP |OR| Brute forcing if the machine are not vulnerable to RCE.
7
It’s on youtube so novices
can easily learn!

8. • Hydra – Doesn’t work well with modern systems utilizing
CredSSP (Will discuss CredSSSP later); but has a cool
logo
• Ncrack – Preferred over Hydra and works well against
moder systems
• Crowbar (Formerly Levye) – “ It was developed to brute
force some protocols in a different manner according to
other popular brute forcing tools. As an example, while
most brute forcing tools use username and password for
SSH brute force, Crowbar uses SSH key(s). This allows for
any private keys that have been obtained during
penetration tests, to be used to attack other SSH
servers.”. People mention Patator, I have never used this
Python solution because Crowbar.
RDP Brute Forcing
8

9. MS12-020 / CVE-2012-0002
9
In MS-12-020 there were two exploits released. One is a DoS CVE-2012-0152 (boring) and the
other is CVE-2012-0002 RCE. There is no PoC for the RCE on exploitDB, but an old Forcepoint
article mentions a PoC was published by the Chinese hacking group “Silic Group Hacker Army”.
Searching for the group yields funny Python and Ruby PoCs. Joshua Drake aka jduck wrote a
better PoC of the “Chinese Shit” and Silic Group responded by writing a Python version of his
Ruby version with the string “fuck you chelios in the shell code”

10. A buffer overflow in Smart Card authentication code in gpkcsp.dll in Microsoft Windows XP through SP3 and Server
2003 through SP2 allows a remote attacker to execute arbitrary code on the target computer, provided that the
computer is joined in a Windows domain and has Remote Desktop Protocol connectivity (or Terminal Services)
enabled.
EsteemAudit – CVE-2017-9073
10
This exploit is NOT exclusive to smart card authentication only devices
and can be mitigated with GPOs:
* Run gpedit.msc
* Go to Computer ConfigurationAdministrative TemplatesWindows
ComponentsTerminal ServicesClient/Server data redirection
* Set enable on "Do not allow Smart Card device redirection"
Restart the server.
“This is done by exploiting the gpkcsp.dll of the
Windows Smart Card. EsteemAudit performs a
buffer overflow of the key_data component of the
key_set structure when a call to memcpy() is made!
This awesome exploit provides a real ms08_67 sort
of capability to situations when a RedTeamer finds
themselves in an environment where XP or Server
03 is present with RDP enabled. ”
Source: https://blog.obscuritylabs.com/esteemaudit/
RDP

11. RDP RCE(CVE-2019-0708)'s patch in XP changed
IcaBindVirtualChannels and IcaReBindVirtualChannels in termdd.sys
adding MS_T120 stricmp and select different IcaBindChannel to
mitigate CVE-2019-0708
NEW CVE-2019-0708
11

12. CVE-2019-0708 Fake PoC K8Gege
12

13. RDP Reconnaissance (Automatic)
Russianmarket.gs parent
market
13

14. While most actors looking to carry out a specific targeted attack against a company will usually not
have much luck in the underground without directly contacting the sellers and asking (potentially
peaking others curiosity and creating competition). There are also opportunistic actors which are not
targeting any specific company but hoping to laterally move throughout a company and get access to
the domain controller so they can sell access to the entire network. One prolific group known for
doing this was TheDarkOverlord (TDO); who was found to often use purchased RDP servers from now
seized xDedic[.]biz and move laterally throughout organizations with the initial RDP foothold. Once
TDO was able to gain primary control over the domain via administrator accounts or domain controller
they would sell access to the company for thousands (sometimes hundreds of thousands) of dollars in
private forums.
TheDarkOverlord (TDO)
14

15. FXMSP / BigPetya / Lampeduza
FXMSP operates similarly to TDO and
currently has access to the networks/source
code of three major US antivirus companies
for sale on exploit.in for $300,000.
FXMSP has sold access to in the past:
• Hampton Inn
Radisson Blu
Keystone Bank Limited
• Key Family of Companies
• DeltaWestern Petroleum
• Peckar & Abramson, PC (US law firm)
• Blue Stone Capital Investments LLC
• Reliance Industries (India Industrial Holdings)
• Ghana Ministry of Finance Database
• Bogota e-government database
Using stolen identity of “Andrey Turchin”
15

16. Once in a system an attacker needs to be able to get back into
the system in case of a password change on the account they
are abusing. An RDP backdoor can allow the attacker system
level command prompt at the login screen which allows the
attacker to create a new account, change passwords on existing
accounts, or perform other actions. RDP backdoors which allow
an attacker system level command prompt at login are on
Windows Accessibility functions. An attacker can either create a
registry key to make the accessibility tool spawn a cmd prompt
which will be ran as system user or perform binary replacement
replacing the accessibility tool with a signed malicious payload.
Due to requiring a signature binary replacement is less common
RDP Backdoors (Installation)
16

17. Moving onto the next phase, weaponization, an attacker can easily backdoor the system they already have RDP access to moving
onto delivery, exploitation, installation… but we are looking at the process as it pertains to other systems on the network on
moving laterally. So the next logical step for the attacker is to see if there are any other active RDP connections coming into the
system after already completely compromising and backdooring the system. The attacker is now presented with a few additional
pieces of data from full compromise of the machine without touching any of the other machines on the network (yet):
• What accounts exist on the machine?
• What are the accounts observed behaviors regarding login times, frequency, method, etc.
• What accounts are remotely connecting in and are they authenticating using local credentials or NLA through a domain
controller.
• If they are authenticating through a domain controller; what other potential systems would their NTLM or Kerberos auth work on
potentially within the same subnet (note the attacker typically has not scanned the subnet yet because they don’t want to be detected
and have initial foothold removed).
So we’re in, now what?
17

18. Windows RDP Security Protocols
Windows uses Enhanced TLS or CredSSP tunnels to protect RDP authentication
credentials. Windows 7 and older systems use Enhanced TLS for RDP authentication,
while newer systems utilize CredSSP. Enhanced TLS is flawed because every system
has the same public/private key pair which is publicly available from Microsoft.
If a modern system utilizing CredSSP is a part of a domain, CredSSP will use Kerberos
encryption and request a ticket from the domain controller on port 88. An attacker
in a MiTM position can block the client’s Kerberos ticket request to the domain
controller on port 88, when this happens the client will revert to NTLM encryption.
By default, Windows 10 Home has Remote Desktop client disabled and requires a
manual patch for CredSSP, which most manufacturers overlook, luckily unpatched
systems cannot connect to patched servers. Often users of tech forums suggest
disabling CredSSP, to allow unpatched systems to connect to the patched RDP server,
without realizing the proposed solution makes the system vulnerable to CVE-2018-
0886 again.
NLA = Network Level
Authentication:
* NTLM (NT Lan
Manager)
* Kerberos (KBGT)
TLS Tunnels for
credentials:
* EnhancedTLS
* CredSSP
Source: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-
rdpbcgr/c2389e29-5706-4ac4-b555-e26f93144db7
NTLM encryption is HMAC-MD5
based and therefore already weak
and susceptible to offline brute
forcing with JohnTheRipper or
Hashcat with PCAP.
“Enhanced TLS”
18

19. Lateral Movement Attack Decisions (Weaponization)
RDP Session Hijiack (Low Risk of detection):
• Requires attacker to have access to an account on the system
and other users to be logged in or have active RDP sessions.
• Works on all versions of Windows Server
MiTM (High Risk of detection):
• Requires an attacker to be on the same subnet
• Greater chance for detection and leaving network artifacts or
getting initial RDP foothold cleaned up (infection removed).
Inception Attack (Medium Risk of detection):
• Only possible if clients are remotely
mounting drives over RDP
• Can be placed on infected RDP machine
to potentially exploit anyone mounting
remote drives over RDP.
19

20. Attack Decisions Visualized
20

21. RDP Session Hijacking (Delivery)
21

22. RDP Session Hijacking (Exploitation)
22

23. • $100 license upgrade from Home to Pro.
• ActiveDirectory: Only the Professional Editions (pro/Enterprise) or the Ultimate have
the license value WorkstationService-DomainJoinEnabled set. Home users
cannot join a domain via GUI, but there are CLI solutions.
• Concurrent connections, mitigations for credSSP through GUI not possible. To
mitigate CredSSP have to use registry keys or powershell.
• Orgs sometimes have an RDP hop box, if an admin is using Windows Home not
manually patched (no gedit.msc without pro) to access the hop box and attacker is
in a MiTM position, they could execute CVE-2018-0886 CredSSP RCE
Windows Home vs. Pro RDP
23

24. Performing the same session hijacking steps against a Windows 10 Home system which has installed the
popular third-party RDP multi user solution, RDPWrap, results in a Denial-of-Service (DoS). The desired
outcome is to hijack the session but instead the user is kicked off the session and the attacker is presented
with a login screen instead of the active session. An attacker could script this to repeatedly knock remote
users or administrators/defenders off of a system while leveraging it during odd/off hours and attempting
to move laterally.
RDPWrap DoS via attempted session hijacking
24

25. Cain&Abel MiTM
25

26. Cain&Abel MiTM cont’d
26

27. Seth RDP MiTM Attacks
Seth is a Python script by Adrian Vollmer
used to downgrade CredSSP
authentication to Enhanced TLS and
break encryption. Instead of capturing
and using the NTLM authentication
response, Seth sends a copied server
NTLM response stating it could not
contact the domain controller; which
causes the client to downgrade to
Enhanced TLS RDP and transmit the
user’s password to the server inside the
TLS tunnel. If the intended target is a
part of a domain the attacker will have to
block Kerberos ticket requests on port 88
from the client to the domain controller
before executing a Seth attack.
27

28. CVE-2018-0886 CredSSP RCE
When Google searching for
“CredSSP Remediation
Error” a lot of posts
recommend uninstalling
the patch or changing the
server to allow non NLA
authentication by default.
Seth can downgrade NLA
to Enhanced TLS or default
easily, but by performing
the recommendation on
the left it doesn’t need to
and can just directly make
an Enhanced TLS request.
28

29. This Remote Code Execution requires a MiTM position. CVE-
2018-0886 is very similar to a Seth attack except it uses MSRPC
CVE-2018-0886 CredSSP RCE
CRED SSP
E-TLS
29

30. ‘
RDP Inception Attack (Optional Installation)
Remote mounting of drives via RDP is an option the user
is presented when using the native Windows RDP client
to initiate a connection with a server. It is not enabled
by default.
RDP Inception can be utilized by attackers to automate
RDP lateral movement attempts. RDP Inception attacks
are only possible if a user manually mounts a drive in
the Windows RDP client.
RDP Inception works by creating a logon script which
enumerates RDP remote mounted drives and attempts
to place a copy of itself in any mounted drives before
moving the copy to startup. RDP remote mounted
drives get mapped to //tsclient directory with a
respective drive letter A-Z, representing each server
connection to the client. The script then moves the
copy from tsclient to the target systems startup.
Note: Sharing a clipboard in
hyper-V between host and guest
also mounts a //tsclient drive
useful for VM escapes
30

31. Source: https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
APT RDP TTPs – RDP Tunneling
• Putty Link or pLink is a commonly abused to create encrypted ssh tunnels. For example, FIN8 has
used pLink to create tunnels allowing RDP ports on infected systems to communicate back to the C2
• NAT, Firewalls, and other forms of network segmentation can help, but not mitigate network-
tunneling or host-based port forwarding methods observed by FireEye utilized by APT.
•HKEY_CURRENT_USERSoftwareSimo
nTathamPuTTY
•HKEY_CURRENT_USERSoftWareSim
onTathamPuTTYSshHostKeys
31

32. Source: https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
APT RDP TTPs – RDP Tunneling (cont’d)
• Windows Network Shell (netsh) commands can be used
to utilize RDP port forwarding to access newly
discovered segmented networks reachable only through
an administrative jump box.
• A threat actor could configure the jump box to listen on
any port for traffic being sent from a previously
compromised system. The traffic would then be
forwarded directly through the jump box to any system
on the segmented network using any designated port,
including the default RDP port TCP 3389.
HKEY_CURRENT_USERSYSTEMCurrentControlSetServicesPortProxyv4tov4
32

33. Log of all RDP Events on Windows
Server:
Computer Management > System
Tools > Event Viewer > Application
and Service Logs > Microsoft >
Windows > TerminalServices-
LocalSessionManager > Operational
Detections
33

34. MITIGATIONS
• Do not expose RDP servers externally to the internet, limit the attack surface.
• Manually patch systems for CVE-2018-0886
• Do not disable Windows Firewall on systems that have not been patched for CVE-2018-0886.
• Secure RDP connections to servers by using an SSL certificate signed by a trusted certificate authority or sign all server
certificates with your enterprise CA. All client systems will need the root CA in their list of trusted CAs and will require
manual addition if not using a certificate from a popular trusted CA. This mitigation makes RDP SSL prompts and irregular
behavior which should be reported to IT as it’s evidence of an attempted RDP MiTM.
• Group Policies can be set to enforce a user’s successful authentication only from a valid trusted CA in the server’s
trusted CA list.
• Use Powershell’s EnableWSManCredSSP to enable “Encryption Oracle Remediation” on client’s Windows Home systems to
prevent CVE-2018-0886. This will NOT prevent against Seth or PyRDP downgrade attacks and should be used in conjunction
with other mitigations mentioned.
• Alternatively, the following registry key reportedly enables CredSSP for Windows 10 Home Users:
REG ADD HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters /v
AllowEncryptionOracle /t REG_DWORD /d 2
• Create a dedicated administrator account for accessing the domain controller and do not allow any other accounts access.
Do not allow the dedicated administrator account for the domain controller to access any other systems. Tools like Mimikatz
can dump users’ credentials from a system including NTLM and Kerberos.
34

35. Source: https://www.gosecure.net/blog/2018/12/19/rdp-man-in-the-middle-smile-youre-on-camera
PyRDP MiTM Honeypot
Credential Sinkholing
One of the features we wanted was the ability to change
the username and password entered by the user. We use
this to make any connection to the MITM tool successful,
regardless of the username and password used. This allows
us to see what malicious users do when they get an actual
RDP session, not just a login screen.
File Collecting
Among the advanced features of RDP that we implemented
are virtual channels. These are RDP “plugins” that have
various uses: clipboard sharing, drive mapping, sound
playback, etc. When a client connects to the drive
redirection channel and sends a file, our MITM saves it to
disk. This can be useful to malware analysts, since they can
retrieve the files later for analysis.
Clipboard Spying
When the client connects to the clipboard channel and
copies text to their clipboard on their host machine, the
MITM logs the copied data – even if it the client doesn't
paste it. This works even if the RDP window is out of focus.
Other channels
Other virtual channels should work seamlessly for the client.
However, the MITM doesn't do any special processing: it
simply forwards data to the real server without parsing or
modifying it at all.
Not to be confused with RDPy, another Python RDP MiTM library. This
tool was influenced by RDPy but is more capable according to the
author.
35

36. PyRDP MITM records the following events:
• Bitmap graphics
• Mouse movements
• Keyboard input
• Connection info (local IP address,
username, password, domain, computer
name)
• Clipboard content
PyRDP MiTM Honeypot (cont’d)
Fun Pentesting Prank:
• Bettercap or any other method or ARP Poisoning
• PyRDP
• Fake RDP landing server defaced (may be able to
phish creds with it) or with a a screenshot of the
desktop and the taskbar/icons hidden + taskbar
locked & Windows key disabled –users will try to
double click the picture of desktop icons and the
start button.
36

37. A bash script that does the following:
• Connects to RDP using rdesktop
• Sends shift 5 times using xdotool to trigger sethc.exe backdoors
• Sends Windows+u using xdotool to trigger utilman.exe backdoors
• Takes screenshot
• Kills RDP connection
Note: One must still process the images or use OCR extraction to
compare and flag anomalies.
Screen cannot be locked during this process or all the screenshots will
turn out black
There are other accessibility backdoors, this only checks for two but could
be modified for more
StickyKeysHunter
Automating against a large list of IPs in a for loop, OCR
extracting, and recording anomalous IPs can be a great/unique
source of Threat Intelligence. 37

38. Questions & Comments?
Contact: jburke@wapacklabs.com
Feel free to contact about Linux,
robotics, embedded systems,
drones, exploits, hacking, hacker
forums (parsing & monitoring),
coding, Tor usage, cryptocurrency,
etc. Also available in the Red Sky
Alliance portal 24/7
End
38
>> EOF | END TRANSMISSION