Securing services requires a broad range of knowledge of operating systems, networking, protocols and offensive capabilities, so I thought I would demonstrate some testing methods that show how a control is effective in blocking certain types of attack. Here’s some offensive and defensive guidance to limit RDP attacks. Please remember this is for educational purposes, do NOT break the law and only use these techniques where you have permission! #whitehat

Overview

This document provides a sample of the internal (white box) testing process and procedure for testing RDP controls against brute force attacks.

Test Objectives

  • Demonstrate only authorised users can access the service
  • Demonstrate Remote Desktop Services has a hardened configuration
  • Demonstrate a brute force attack

Method

  1. Scope Evaluation
  2. Testing
    1. Enumeration
    2. Vulnerability Assessment
    3. Exploitation
  3. Report Results

Tools Utilised

  1. Kali Linux
    1. NMAP – https://tools.kali.org/information-gathering/nmap
    2. HYDRA – https://tools.kali.org/password-attacks/hydra
    3. CROWBAR – https://github.com/galkan/crowbar
  2. Windows PowerShell

https://tools.kali.org/tools-listing

Scope Evaluation

Perspective

This control demonstration is being conducted from the perspective of a compromised internal network host. This configuration required disabling the distributed firewall control.

The testing is being conducted in a white box scenario where full system information and configurations are available to the tester.

Test Information

Test conducted by: Daniel Card

Test date: xx/xx/Xxxx

Test Scope

The following tests have been included/excluded:

Test | Included | Notes
Configuration Audit | Yes | RDP Protocol Configuration
Authorised User Audit | Yes | HPA Group Audit – PowerShell
Enumeration | Yes | NMAP Scan
Demonstrate Vulnerability/Attack on Vulnerable Host | No | Out of scope
Vulnerability Assessment | Yes | Nessus Scan Report (separate document)
Authorised Access Test | Yes | Demonstration of service
Compromised Credentials | No | Out of scope
Authentication Failure | Yes | Log in with incorrect password
Unauthorised Access | No | Demonstrated through brute force attack
Data in Transit Encrypted | Yes | Packet capture and configuration
Denial of Service | Partial | Account lockout testing via brute force
Brute Force Attack | Yes | HYDRA, CROWBAR
Man in the Middle Attack (MitM) | No | Demonstrated through secure configuration and PCAP
Protocol/Encryption Downgrade | No | Demonstrated through secure configuration
Web Application Assessment (OWASP Top 10) | No | N/A
Known Vulnerability Exploitation | No | Credential audit shows no known vulnerabilities
Privilege Escalation | No | Out of scope
Lateral Movement | No | N/A
Antimalware | No | Out of scope
Data Exfiltration | No | Out of scope

Security Testing

High Privilege Group Enumeration

Only administrator users can access the Remote Desktop Services service.

Configuration Audit

The following screenshot demonstrates the security configuration of the remote desktop service protocol on an RDP enabled server in the Precise environment:

We can see from this configuration the following:

  • RDP Protocol is running “Microsoft RDP 8.0”
  • RDP Encryption is required (demonstrated by MinEncryptionLevel = 3)
  • User authentication is enabled (UserAuthenticationRequired = 1)
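The two audits above (high privilege group membership and the RDP listener configuration) can be pulled straight from the host rather than read off a screenshot. The script below is an added example, not part of the original post; it assumes an elevated PowerShell 5.1+ session on the RDP-enabled server and the default listener name RDP-Tcp. The values it reads (MinEncryptionLevel, UserAuthenticationRequired) are the same Win32_TSGeneralSetting properties the post refers to, and it additionally checks the security layer and whether the listener certificate is self-signed, which feeds the "locally signed" finding later in the report.

```powershell
# Added audit script (not from the original post). Assumes an elevated
# PowerShell 5.1+ session on the RDP server; group and listener names are defaults.

# --- High privilege group enumeration --------------------------------------
# RDP access is granted through Administrators or Remote Desktop Users
# (directly or via nested domain groups), so list both.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    "`n[$group]"
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource |
        Format-Table -AutoSize | Out-String
}

# --- Configuration audit ---------------------------------------------------
# Win32_TSGeneralSetting is the WMI class behind the values shown in the post.
$rdp = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                       -ClassName 'Win32_TSGeneralSetting' `
                       -Filter "TerminalName='RDP-Tcp'"

# Expected values: UserAuthenticationRequired 1 = NLA on;
# MinEncryptionLevel 3 = High (4 = FIPS); SecurityLayer 2 = TLS (0 = RDP, 1 = negotiate).
$checks = @(
    @{ Name = 'NLA required';           Actual = $rdp.UserAuthenticationRequired; Pass = ($rdp.UserAuthenticationRequired -eq 1) }
    @{ Name = 'Encryption level High+'; Actual = $rdp.MinEncryptionLevel;         Pass = ($rdp.MinEncryptionLevel -ge 3) }
    @{ Name = 'Security layer TLS';     Actual = $rdp.SecurityLayer;              Pass = ($rdp.SecurityLayer -eq 2) }
)
foreach ($c in $checks) {
    '{0,-24} actual={1}  {2}' -f $c.Name, $c.Actual, $(if ($c.Pass) { 'PASS' } else { 'FAIL' })
}

# --- Certificate check -----------------------------------------------------
# The listener references its certificate by SHA1 thumbprint; the auto-generated
# one lives in the "Remote Desktop" store. Issuer equal to subject means
# self-signed ("locally signed" in the post's wording).
$cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
        Where-Object Thumbprint -eq $rdp.SSLCertificateSHA1Hash | Select-Object -First 1
if ($cert) {
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    'Certificate: {0}  issuer={1}  expires={2:yyyy-MM-dd}  {3}' -f $cert.Subject, $cert.Issuer, $cert.NotAfter,
        $(if ($selfSigned) { 'FAIL (self-signed)' } else { 'PASS (CA issued)' })
} else {
    'Certificate: thumbprint {0} not found in local stores' -f $rdp.SSLCertificateSHA1Hash
}
```

Run it before and after a change and diff the output; a FAIL on the security layer or NLA line means a client can still negotiate down to the legacy RDP security layer, which is exactly what the downgrade and MitM rows in the scope table rely on being closed.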

Enumeration

Nmap is utilised to enumerate the target:

We can see that Remote Desktop Services is open on port 3389.

Demonstrate Service

Successful Authentication (Windows Client)

Successful Authentication (Kali Linux)

./xfreerdp /u:TESTDOMAIN\\admindc /p:[password] +nego /v:[targetIP]

Unauthorised Access Denied

Failed Authentication

Transport Encryption

As demonstrated in the below screenshot RDP traffic is encrypted during transit.

Exploitation

Brute Force Attack

Attack Tool: CrowBar

https://github.com/galkan/crowbar

Attack command:

./crowbar.py -b rdp -s 10.xx.xx.xx/32 -u [email protected] -C /root/Desktop/tests/hyda_rdp/rock.txt

Crowbar Attack

Target Event Log

The event log shows account lockout after 10 unsuccessful attempts:

Result

The attack was unsuccessful: the account was locked out.
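The lockout seen in the event log is the control working, but from a monitoring point of view you want to see the attempts before the tenth one. The script below is an added example, not from the original post: it reads the Security log for failed logons (event 4625) on the RDP host and lockouts (event 4740, which are recorded on the domain controller holding the PDC emulator role) and flags any source/account pair that reaches the observed threshold of ten within the window. It assumes an elevated session with read access to the Security log; the one-hour window and the threshold of ten are assumptions that match what the post observed.

```powershell
# Added detection script (not from the original post). Assumes an elevated session
# on the RDP host for 4625 and on the PDC emulator for 4740.

$since     = (Get-Date).AddHours(-1)   # assumed window
$threshold = 10                         # lockout threshold observed in the post

# Turn an event's EventData into a name -> value hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $x = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 4625 = failed logon. With NLA on, an RDP failure is logged as logon type 3
# (CredSSP authenticates before the session exists); type 10 appears when NLA is off.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            LogonType = $d.LogonType
            SourceIp  = $d.IpAddress
            SubStatus = $d.SubStatus   # 0xC000006A bad password, 0xC0000234 account locked
        }
    }

"`nFailed logons since $since grouped by source and account (>= $threshold flagged):"
$failed | Group-Object SourceIp, User | Where-Object Count -ge $threshold |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# 4740 = account locked out. The message text names the machine the bad attempts
# came from, which is the pivot back to the compromised foothold.
"`nLockouts since $since (4740, from the PDC emulator's Security log):"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        $caller = if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; CallerComputer = $caller }
    } | Format-Table -AutoSize
```

Because the crowbar run above produces ten 4625 events from one source against one account in well under an hour, the grouped table surfaces it immediately; the "low and slow" case in the residual risks section is the one that stays under $threshold per window, so for that you would widen the window or count distinct accounts per source instead.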

Attack Tool: Hydra

Attack Complexity: Moderate

This attack will leverage Hydra to conduct a brute force attack against the RDP service, first using a known wordlist and then using specific test credentials.

hydra -t 1 -V -f -l administrator -P rockyou.txt rdp://192.168.1.1

  • hydra = the application
  • -t 1 = tasks value (1 for a VM, higher for physical)
  • -V = verbose
  • -f = quit after a successful login
  • -l administrator = username
  • -P rockyou.txt = the wordlist you want to use
  • rdp://192.168.1.1 = target
  • -s 4000 = alternate TCP port, e.g. TCP 4000 (optional)

Result

A dictionary based attack was launched:

To save time (since we know the password of the account) we set up a concurrent test:

This test fails even with the known credential.

This testing demonstrates that denial of service by account lockout does not occur, as shown by the screenshot of the account properties post attack (denial of service prevented).

Security Testing Results

This test demonstrated that RDP has a hardened configuration.

  • Network Level Authentication is enabled
  • Unencrypted brute force attacks fail even with known credentials
  • Brute force attacks are possible from a compromised foothold, however the attack surface in the environment is limited by use of jump boxes
  • Accounts lockout after ten failed attempts
  • The SSL Certificate is locally signed

Attack/Vulnerability Profile

CVSS Base Score: 3.0 (Low)
Vector String: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L/E:H/RL:W/RC:C/AR:L/MAV:N/MAC:H/MPR:H/MUI:R/MS:U/MC:N/MI:N/MA:H
Temporal Score: 3.0 (Low)
Environmental Score: 2.3 (Low)

Residual Risks

  • ‘Low and slow’ brute force attacks are possible if the attacker can gain a foothold and maintain a connection to a command and control server; however, security monitoring and the range of layered controls reduce the probability and impact of the event occurring.

Recommendations

  • Use certificates issued by a certificate authority (internal or public CA)
    • This is in scope for design, however was not configured at time of testing
  • Consider using a nonstandard port for remote desktop services
  • Consider using RDP Gateway (not currently in scope of design)
  • Restrict access through firewalls to authorised endpoints (in design)
  • Restrict remote desktop groups to authorised users
  • Enforce strong passwords
  • Use good practice account lockout
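Several of the recommendations are plain configuration rather than design work, so they can be applied (and re-audited) with a short script. The one below is an added example, not from the original post: it scopes the built-in Remote Desktop firewall rules to authorised jump boxes, enforces NLA and TLS on the listener, binds a CA-issued certificate by thumbprint, prunes the Remote Desktop Users group to an allow list, and sets the lockout and password policy. It assumes an elevated session on the RDP host; the jump box addresses, allowed users and certificate thumbprint are placeholders, and in a domain the lockout and password settings belong in Group Policy rather than local policy.

```powershell
# Added hardening script (not from the original post). Assumes an elevated session
# on the RDP host. All addresses, names and the thumbprint below are placeholders.

$jumpHosts    = @('10.0.0.10', '10.0.0.11')      # placeholder: authorised jump boxes
$allowedUsers = @('TESTDOMAIN\admindc')          # placeholder: RDP allow list
$caThumbprint = 'REPLACE_WITH_CA_ISSUED_CERT_THUMBPRINT'   # placeholder

# 1. Firewall: restrict the built-in Remote Desktop rules to the jump hosts only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $jumpHosts -Enabled True

# 2. Listener: NLA on, TLS security layer, High encryption (same WMI class the audit reads).
$rdp = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName 'Win32_TSGeneralSetting' `
                       -Filter "TerminalName='RDP-Tcp'"
Invoke-CimMethod -InputObject $rdp -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
Invoke-CimMethod -InputObject $rdp -MethodName SetSecurityLayer             -Arguments @{ SecurityLayer = 2 }             | Out-Null
Invoke-CimMethod -InputObject $rdp -MethodName SetEncryptionLevel           -Arguments @{ MinEncryptionLevel = 3 }        | Out-Null

# 3. Certificate: bind a CA-issued certificate from the machine store by thumbprint.
#    (Replaces the self-signed one; the cert must already be in Cert:\LocalMachine\My.)
if (Test-Path "Cert:\LocalMachine\My\$caThumbprint") {
    Set-CimInstance -InputObject $rdp -Property @{ SSLCertificateSHA1Hash = $caThumbprint }
} else {
    "Certificate $caThumbprint not present in LocalMachine\My; listener certificate unchanged"
}

# 4. Group: remove anyone in Remote Desktop Users who is not on the allow list.
#    -WhatIf prints the intended removals; drop it once the list is confirmed.
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Where-Object { $allowedUsers -notcontains $_.Name } |
    ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name -WhatIf }

# 5. Lockout and password policy (local SAM; add /domain or use GPO in a domain).
#    Threshold 10 matches what the test observed; 30-minute duration and window
#    are assumed values.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30
net accounts /minpwlen:14 /maxpwage:90
```

The firewall scoping is the change with the largest effect on the scenario in this report: with the rule limited to the jump boxes, a compromised host elsewhere on the internal network cannot reach port 3389 at all, so the brute force never gets as far as the lockout counter.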
