Securing services requires a broad range of knowledge of operating systems, networking, protocols and offensive capabilities. So I thought I would demonstrate some testing methods to show how a control is effective in blocking certain types of attack, so here’s some offensive and defensive guidance to limit RDP attacks. Please remember this is for educational purposes, do NOT break the law and only use these techniques where you have permission! #whitehat
This document provides a sample of the internal (white box) testing process and procedure for testing RDP controls against brute force attacks.
- Demonstrate only authorised users can access the service
- Demonstrate Remote Desktop Services has a hardened configuration
- Demonstrate a brute force attack
- Scope Evaluation
- Vulnerably Assessment
- Report Results
- Kali Linux
- Windows PowerShell
This control demonstration is being conducted from the perspective of a compromised internal network host. This configuration required disabling the distributed firewall control.
The testing is being conducted in a white box scenario where full system information and configurations are available to the tester.
Test conducted by: Daniel Card
Test date: xx/xx/Xxxx
The following tests have been included/excluded:
|Configuration Audit||Yes||RDP Protocol Configuration|
|Authorised User Audit||Yes||HPA Group Audit – Powershell|
|Demonstrate Vulnerability/Attack on Vulnerable Host||No||Out of scope|
|Vulnerability Assessment||Yes||Nessus Scan Report (separate document)|
|Authorised Access Test||Yes||Demonstration of service|
|Compromised Credentials||No||Out of scope|
|Authentication Failure||Yes||Log in with incorrect password|
|Unauthorised Access||No||Demonstrated through brute force attack|
|Data in Transit Encrypted||Yes||Packet capture and configuration|
|Denial of Service||Partial||Account lockout testing via brute force|
|Brute Force Attack||Yes||HYDRA, CROWBAR|
|Man in the middle Attack (MitM)||No||Demonstrated through secure configuration and PCAP|
|Protocol/Encryption Downgrade||No||Demonstrated through secure configuration|
|Web Application Assessment (OWASP TOP 10)||No||N/A|
|Known Vulnerability Exploitation||No||Credential audit shows no known vulnerabilities|
|Privilege Escalation||No||Out of scope|
|Antimalware||No||Out of scope|
|Data Exfiltration||No||Out of scope|
Only administrator users can access Remote Desktop Services service.
The following screenshot demonstrates the security configuration of the remote desktop service protocol on an RDP enabled server in the Precise environment:
We can see from this configuration the following:
- RDP Protocol is running “Microsoft RDP 8.0”
- RDP Encryption is required (demonstrated by MinEncryptionLevel = 3)
- User authentication is enabled (UserAuthenticationRequired = 1)
Nmap is utilised to enumerate the target:
We can see remote desktop services is open on port 3389
./xfreerdo /u:TESTDOMAIN\\admindc /p:[password] +nego /v:[targetIP]
As demonstrated in the below screenshot RDP traffic is encrypted during transit.
Attack Tool: CrowBar
|./crowbar.py -b rdp -s 10.xx.xx.xx/32 -u [email protected] -C /root/Desktop/tests/hyda_rdp/rock.txt|
Target Event Log
The event log show’s account lockout after 10 unsuccessful attempts:
The attack was unsuccessful the account was locked out.
Attack Tool: Hyrda
Attack Complexity: Moderate
This attack will leverage hydra to conduct a brute force attack against the RDP service using a known wordlist and secondly specific test credentials.
hydra -t 1 -V -f -l administrator -P rockyou.txt rdp://192.168.1.1
|hdya = app
-t 1 = tasks value (1 for vm – higher for physical)
-V = Verbose
-f = quit if successfully login
-l administrator = username
-P rockyou.txt = the wordlist you want to use
Rdp://192.168.1.1 = target
-s 4000 = alternate TCP port e.g. TCP 4000
A dictionary based attack was launched:
To save time (since we know the password of the account) we setup a concurrent test:
This test, even with the known credential fails.
This testing demonstrates that denial of service by account locket does not occur as demonstrated by the screenshot of the account properties post attack (denial of service prevented)
This test demonstrated the configuration of RDP has a hardened configuration.
- Network Level Authentication is enabled
- Unencrypted Brute force attacks fail even with known credentials
- Brute force attacks are possible from a compromised foothold, however the attack surface in the environment is limited by use of jump boxes
- Accounts lockout after ten failed attempts
- The SSL Certificate is locally signed
|CVSS Base Score||3.0 (Low)|
|Temporal Score||3.0 (Low)|
|Environment Score||2.3 (Low)|
- ‘Low and Slow’ brute force attacks are possible if the attacker can gain a foothold and maintain connection to a command and control server; however, security monitoring and the range of layered controls reduces the probability and impact of the event occurring.
- Use certificates issued by a certificate authority (internal or public CA)
- This is in scope for design, however was not configured at time of testing
- Consider using a nonstandard port for remote desktop services
- Consider using RDP Gateway (not currently in scope of design)
- Restrict access through firewalls to authorised endpoints (in design)
- Restrict remote desktop groups to authorised users
- Enforce strong passwords
- Use good practise account lockout