
I've been heavily interested in security for the past few years. I've dabbled in a lot: pen testing, social engineering, research, anything really security related. So, the outline of my talk: this is an extended version of a talk I did last year at a con. I was going to do it live, but I chickened out, so I'm just going to do it with videos. I'm also going to show you how to fix it, which sucks. This is a bit of a random talk; it covers lots of other things, such as the RDP issue.

So what I discovered: pretty much, if you've got a terminal server, anybody who connects to it can bypass the group policy settings and run pretty much any type of software they want to run. Is it a security issue or not? A lot of people I've spoken to think this is an issue. I've been to Microsoft; they didn't give a [ __ ]. So, okay. This is open by default on all the systems, so you have to actually lock the system down, and I have seen this in the wild.

So let's break in. Basically, do an nmap scan and try to find port 3389 open. You need a user account to get in. If you've got one, awesome, let's go. If you don't have the username, check the website; normally the username in the email address is the login name by default for Microsoft. If you haven't got a password, remember the password lockout policy: brute-force it and it's probably going to lock out, so you can social engineer your victim. You don't have to use TScrack to crack Terminal Services: if they've got other ports open, for Microsoft FTP or IMAP, you can use Hydra and that will actually break the account as well. Remember the administrator account doesn't lock out. Going back to social engineering: if you do lock the account out, just phone the helpdesk up and most likely they're going to reset it for you to a nice easy password, so you pretend to be that person. So we've got a username and password, so we want to log in.

So now the cool bits: the videos, the demo. Basically I've got three videos. One is going to show you the group policy setup; the next one is going to show you logging in restricted; then I'm going to show you that I can get a command prompt in about five seconds; then I'll show how to use it to get your privileges; and then I'm going to show you how to prevent this from happening.

So, the group policy setup, hope this is right. Basically this is the group policy on your terminal server box. I'm just going to quickly show you that it is actually tied down and locked down. If we go to Windows Explorer you can see pretty much everything's enabled, so it's pretty much tied down. My Computer is all restricted: the hard disks, which you won't see, so that's also restricted. Carry on looking: the desktop's all locked down, so you can't access anything on the desktop. You might not have a machine tied down this much, but for demonstration purposes the desktop's locked down, so you can't do anything there. We go into System and you see they've got "prevent access to command prompt", so that's locked out. We can only run certain Windows applications: for this demo we can only run Calculator and MS Paint, and we've specifically told Windows not to run command, CMD, Internet Explorer and Notepad. So that's the admin's setup.

So now we're going to break in. Okay, in my original one I did it from Microsoft; here I'm doing it from BackTrack. Basically all I'm going to do is show you the restricted connection, what it normally looks like. I'm using rdesktop. We've connected to the server as expected with the restricted user account login, so this is all restricted. We'll run Paint: that works as expected. Notepad wasn't allowed to run, so that's denied. As you see, the desktop's pretty much locked down; you can't run pretty much anything, so it's locked down nice and tight. We try Explorer: yeah, full lockdown.

Okay, so let's break into it. It takes about five seconds or so to type. Type in rdesktop again, and I'll type in a space, minus s, which stands for the shell; you put in %SystemRoot%, which is the variable for the Windows directory, backslash system32 backslash command.com, then the IP address of the target, and load up. We log in again with the restricted user, put the password in, and that just gives me the command prompt. It's all "locked down", so to say. We can actually run other stuff from the command prompt: we can load up Internet Explorer. Because we're using command.com it's all in the short format, so if you want to see everything else you've got to put dir /X, which will give you the short name version. So we're going into PROGRA~1. I did videos also to slow me down from talking. Going into Internet Explorer, and we can load it up, so we can run any command we want from there as the restricted user.

Just to prove that I can run any application I want, not just command.com, I'm going to log off here and do the same again, but this time with Internet Explorer, just to prove a point. So rdesktop -s, and then put in C:\Program Files (I'm not a fast typist), then Internet Explorer\iexplore.exe, and when we log in this will automatically launch Internet Explorer. Remember Internet Explorer was also denied; we weren't allowed to run that. So we log back in. Now what we can do from Internet Explorer is upload our payloads to this machine quite happily. BackTrack, our malicious box, can be either inside the network or outside the network. Basically I've launched the Apache server on the box, so, .150, and with Metasploit I just created a payload called clown.exe, which I copied to the var/www folder, so you see it there.

So all I can do now, from my box to the terminal server box, is upload that to the machine. So upload it, and I want to save it. Because the system is actually locked down, you can't access the C drive or any other drives, so it's actually quite hard to find a place we can save it to. If we try to save it to the desktop or make any change to the desktop, we're denied access. We don't even have rights to save it to the My Documents folder. But what we can save to is the temp folder within Windows. Since we don't know where the operating system is, we can just type again %SystemRoot%\temp\clown.exe, as everybody has rights to the temp folder. So we save that.

So now we've uploaded a payload to this box for malicious purposes. Now we want to run the payload, and again, guess how I can do this: from the window again, just type in rdesktop. I can show the Metasploit; I've already set Metasploit up ready to listen for it. So rdesktop -s, and because we don't know where the folder is we can just do the same again, just put %SystemRoot%\temp\clown.exe. The reason why I'm showing you this is because you'll see in a minute that it's not as simple as firing the Metasploit payload at it; you've got to make a few changes.

So as it launches, you see here the payload's been executed as you would expect. Everyone now would automatically type "shell"; we try that now on this box and it fails, so we get a nice little error when I type shell. So that failed. If we type "ps" to list the processes you'll actually see that we're not getting all the processes; we're only getting a limited, restricted set, and other processes seem to be missing the user name. So we type "getsystem"; this should escalate our privileges, I hope so, and it works. Cool. But if we type shell here we actually get a restricted account, so we still haven't got it properly.

So what you need to do now is migrate to one of the system processes. If we type ps again you see they've all appeared now. You can't really see it because of my crap editing, but I always recommend to migrate to the winlogon.exe at the top there; it's the first one you come across. There are multiple on there, and if you use one of the other ones it just kills the machine, [ __ ] knows why. So just migrate to that one, and once it's done that we type shell again and we've now got system. So basically we're pretty much on the box. Just to prove it (it would help if I could spell), there you go, got system. And we come out again and dump the hashes just to show it all works. Okay.

So next, how to fix it: the boring bit. You can all get pissed now if you don't really care how you fix it. I was just the standard restricted user. Basically this is how you would fix this problem. If you go to this screen here, I'd like you to remember it, because it looks very similar to the other one. We tick it and click OK, and it doesn't work; it says you've got to enter a path or file name. So what we need to do is go to Start and load up the Terminal Services Configuration, RDP-Tcp, Environment; you've just got to put a tick in there. That's all it is, it's a tick, but no one at Microsoft can do it. We put a tick in there, and you also might think you've got to put something in there, but you don't; just leave it blank. So like I said, on the terminal server, not the group policy, you have to make a change.

Just to show that the tick does work: we do rdesktop -s and run Internet Explorer again; it actually won't work, it'll just come up and log in as the normal user. Program Files\Internet Explorer\iexplore, and when we log in as the restricted user again it just loads up as the restricted terminal server screen, as you'd expect with your lockdown. As you see, Internet Explorer hasn't run; MS Paint runs like normal; Notepad neither, it's still restricted. So it's just the restricted desktop again. Just to show you again: that just shows it's a simple tick. Go back to the other server, remove the tick, which is removed by default, so if you don't tick that box when you set up Terminal Services you're open to this type of attack. Just run again, log in, and Internet Explorer runs. So it's just that single tick that actually screws you over. Okay.

So now let's [ __ ] around with the network. Once we've got it we can try to get the local admin passwords and try them on other servers to see if they work, because most likely it'll be the same password. Check other services like VNC: if you've got VNC it takes you five seconds to crack the password, as it's in the registry on your target box, and then you can use it to attack other boxes. You can use Metasploit to route exploits through this box; you can actually set up Metasploit on that box so when you connect in and it connects back out you can attack other boxes within that network quite happily by loading payloads. You can actually see the video of me doing that on the website. We can also sniff network logins for passwords, so it's pretty much game over.

So what crime am I going to do? If you're an executive and you didn't understand any of that [ __ ] I said before, this stuff might hammer it home. If I've got access to the email server, I can access all the email accounts. I can send email from someone to the boss saying they've got a crush on them. I can search your emails for passwords, because you receive stuff through plaintext passwords. I can use it as a spam server. If I've found your internal network, if I've found your intranet site, I can set up some malicious payload on there; every time anybody brings up the homepage that machine will connect back to my machine. Easy. I can deface or inject into your external website; are you going to explain to the customer that you've been defaced? I can attack your external resources. In the previous slide I said I found your passwords; in this case I found a bunch of passwords that were for another company hosting the email and websites, so I was able, if I wanted, to redirect all their websites to another site. Or I can turn the machines against you; as heard in the previous talk, you know, we can make the tins of beans stop running. I can modify your backup so it only backs up one single null file; the manager sees the backup running and sees it to be working, but it isn't. I can come back afterwards and delete the data; you won't know.

I can attack your accounting system, make a phantom employee who gets paid. I can either transfer money to me or to an enemy. You might say, why an enemy? Well, I'm not very good at laundering money, but I could transfer it to somebody who I don't like, if I've got their bank details, and then when it gets investigated they're the ones who get shafted. I could publish everybody's payslips, or change everybody's pay, or overcharge customers; what are you going to say to your customers, that you've just been hacked? And your customers: if they've got access to your network, I've got access to their network through VPN. I can steal their information, or I can block or sabotage access to them. If I take down the VPNs, they can't access the data you're hosting for them. So I [ __ ] all your customers over and they all phone up the help desk at the same time, and the help desk can't deal with it all; you have to tell the customers, "Sorry, we've got other customers to deal with, we can't deal with yours", and you're going to lose custom. So, not good.

So, conclusion: a little tick can screw you over. Find the features; it's not just about exploiting code. If you get caught doing this, don't blame me. And that's my information if you want to contact me or check out my website; this information is up on my website now. So yeah, thanks.