![]() NET implementation of a RDP hijacking utility called SharpRDPHijack. Recently, a security researcher and pen-tester who prefers to go by the pseudonym Bohops also released his own open-source. So, you have full blown RDP session hijacking, with a single command,” Beaumont continued. “Attackers aren’t interested in playing, they’re interested in what they can do with techniques. This isn’t about SYSTEM - this is about what you can do with it very quickly, and quietly,” explained cybersecurity expert Kevin Beaumont in a blog post. That’s a long process compared to just running Tscon.exe with a session number, and instantly the desktop of said user - with no obvious trace, or external tools. You could, for example, dump out the server memory and get user passwords. “Now, you might be saying, ‘If you’re SYSTEM, you’re already root… You can already do anything.’ Yes, you can. The common denominator between all the accounts is the user “SYSTEM.” If Tscon.exe can be run as SYSTEM, it can switch between different user sessions in a credential-less manner. In a real-world scenario it could be the attacker incorporating such automated scripts in their malware programs, like the group behind WannaCry did. To automate the process, Rishabh Sharma of Network Intelligence has provided a simple batch script pen-testers can incorporate in their toolkits, along with explaining the above steps in detail. This is because while the user previously present at client 2 may have disconnected their RDP session, they did not explicitly log off from the server. Net start hijackedsession This will disconnect the current session of the attacker (ID 2) and “resume” the previously disconnected session 1 between the attacker and the RDP server without asking for a password (that was used by client 2) or leaving much of a forensic trace. Sc create hijackedsession binpath= “cmd.exe /k tscon 1 /dest:rdp-tcp#2” The attacker can then execute the following commands in the command prompt: Suppose the attacker at client 3 logs into the RDP server and is able to see all connected RDP users by simply running the command: query user. While an attacker could be an insider (unless they are using a compromised account of an employee), the seriousness of this technique lies in the fact it can form a part of a sophisticated, chained advanced persistent threat (APT) attack.Ĭompromising one system, such as via malware, can enable an attacker to exploit this RDP technique to reach into other users’ sessions and environments, without requiring a password. ![]() Therefore, this trick requires some prior level of access. To exploit hijacking another session, the attacker needs to be connected to the RDP host. Because of this behavior, you have to be careful when you use Tscon.exe so that you do not leave a previously locked server in an unlocked state.” CSO / IDG The Microsoft Knowledge Base warns though, “If a remotely owned console session is sent to the physical console of the computer by the use of Tscon.exe, the session is left unlocked. Running such a command on a server hosting the remote desktop session would connect the user to session with ID 2 and disconnect any existing sessions they are on. The syntax for the command is simple, with the Microsoft Knowledge Base explaining in detail what each parameter entails: It enables a user to connect to a different remote desktop session on a system or switch between different sessions. Let’s focus on the RDP hijacking technique leveraging the Tscon.exe utility, which comes with Windows. In 2017, Alexander Korznikov demonstrated how the same technique can be used for privilege escalation on later versions of Windows machines. The technique was originally discovered in 2011 by Benjamin Delpy, the author of the pen-testing utility mimikatz. ![]() There are multiple ways to resume an RDP session. Moreover, increasing work-from-home arrangements have meant a greater reliance on remote administration and management tools like RDP, which now form a part of the attack surface for malicious actors. Given how a vast majority of enterprise networks connect Windows and Windows Server systems, with sysadmins using RDP, it is vital to be aware of the risks and behavior of the RDP service. Rather than being a vulnerability, it is a decades-old “technique” that exploits a legitimate feature of the Windows RDP service. Once in the system, the attacker can gain lateral movement across the enterprise network while remaining undetected, because to an event monitor, they are effectively acting as the authorized user whose session they have hijacked.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |