RDP Restricted Admin Mode builds upon Kerberos. Taking a look at the network traffic, one can see that the RDP client requests a ticket on behalf of the impersonated user which is no problem since the hash is all we need to authenticate against Kerberos.
Passing the hash with native RDP client (mstsc.exe)
Inadvertently, however, this new security feature actually enabled the use of a password hash for RDP authentication purposes, thereby giving many pentesters once again a reason to smile. To add to the validity of the research by Mark, the FreeRDP project has added native support for Pass-the-Hash authentication to the FreeRDP package, which is now in the Kali repos. To enjoy this new feature, simply install freerdp-x11.
That is CrackMapExec being used to pass the hash. As you may already know, CrackMapExec under the hood is mostly impacket. The default execution method uses wmiexec.py, which can be run standalone with impacket using the following syntax:
How: This can be done using a variety of tools including CrackMapExec, but right now I want to focus on evil-winrm as it contains a lot of other features. Passing the hash with evil-winrm is easy, and it looks like so:
Once you have the NT hash for the Exchange server, you can authenticate to a domain controller with ldap3 by passing the hash. From here you can do a lot, but a simple attack involves adding a user you control to the Domain Admins group. In this example you may of course also use the Exchange account to DCSync with secretsdump.py. If you compromise the NT hash of a member of the Account Operators group, you would not be able to DCSync; however, you could use this method to add users to certain groups to expand access.
Now that you have a ticket you can use it with all of the impacket tools as an alternative to providing a password or NT hash. This will prove to be very useful in certain situations as you will see next. Do note that whenever using Kerberos authentication you will want to use DNS names of targets instead of IP addresses.
How: You cannot pass the hash to SSH, but you can connect with a Kerberos ticket (which you can get by passing the hash!). First, try connecting using SSH with verbose messages enabled.
In this article, we explain how to detect a Pass-The-Hash (PTH) attack using the Windows event viewer and introduce a new open source tool to aid in this detection. PTH is an attack technique that allows an attacker to start lateral movement in the network over the NTLM protocol, without the need for the user password. We evaluated a number of legitimate and illegitimate (PTH) scenarios for NTLM connections to see the differences and how each of these can be distinguished. Based on our findings, CyberArk Labs created a freely available tool (Ketshash) that detects live PTH attempts. (Note: Over-Pass-The-Hash (OPTH) is out of scope in this example, and it can be more accurately detected via other methods.)
The major difference between passing the hash and a legitimate NTLM connection is the use of a password. Searching for legitimate user logons, where the password was used prior to the NTLM connection, can help to filter out all the legitimate logons and leave only the suspicious ones.
Checking that each NTLM connection was preceded by an interactive logon with the same account, based on the above logs, can help to distinguish between an attacker using the hash and a normal user using the password.
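The heuristic above, worked through on constructed 4624-style events as an added example (this is not Ketshash's code): each NTLM network logon (logon type 3) is flagged unless the same account had an interactive logon shortly before it. The event field names, the 8-hour window and the sample events are assumptions made here for illustration.

```python
from datetime import datetime, timedelta

# Logon types from Security event 4624: 2 Interactive, 7 Unlock,
# 10 RemoteInteractive, 11 CachedInteractive; 3 is a network logon.
INTERACTIVE_TYPES = {2, 7, 10, 11}
NETWORK_TYPE = 3

# Constructed sample events modelled on 4624 fields (not real log data).
EVENTS = [
    {"time": "2024-01-10T08:00:00", "user": "alice", "logon_type": 2, "auth": "Negotiate", "src": "WS01"},
    {"time": "2024-01-10T08:05:00", "user": "alice", "logon_type": 3, "auth": "NTLM", "src": "WS01"},
    {"time": "2024-01-10T08:30:00", "user": "svc_backup", "logon_type": 3, "auth": "NTLM", "src": "WS07"},
    {"time": "2024-01-10T09:00:00", "user": "bob", "logon_type": 10, "auth": "Negotiate", "src": "WS02"},
    {"time": "2024-01-10T19:00:00", "user": "bob", "logon_type": 3, "auth": "NTLM", "src": "WS02"},
]


def find_suspicious_ntlm_logons(events, window_hours=8):
    """Return NTLM network logons for which the same account has no
    interactive (password-based) logon within window_hours before them.
    The window length is an assumed tuning knob, not a Ketshash default."""
    window = timedelta(hours=window_hours)

    def ts(e):
        return datetime.fromisoformat(e["time"])

    last_interactive = {}  # account -> time of most recent interactive logon
    suspicious = []
    for e in sorted(events, key=ts):
        if e["logon_type"] in INTERACTIVE_TYPES:
            last_interactive[e["user"]] = ts(e)
        elif e["logon_type"] == NETWORK_TYPE and e["auth"].upper() == "NTLM":
            prev = last_interactive.get(e["user"])
            if prev is None or ts(e) - prev > window:
                suspicious.append(e)
    return suspicious


if __name__ == "__main__":
    for e in find_suspicious_ntlm_logons(EVENTS):
        print(f"suspicious NTLM logon: {e['user']} from {e['src']} at {e['time']}")
```

Service accounts that legitimately authenticate only over NTLM will show up here, so in practice such accounts need an allow-list or a separate baseline.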
The demo in the video showcases how this approach (with the help of Ketshash) is effective in detecting PTH attacks utilized by PTH-winexe, Mimikatz, WCE and Invoke-SMBClient. In the coming weeks, we will publish the full research on this approach with all the technical details. Watch this space.
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection.[1] The user employs RDP client software for this purpose, while the other computer must run RDP server software.
Microsoft provides the client required for connecting to newer RDP versions for downlevel operating systems. Since the server improvements are not available downlevel, the features introduced with each newer RDP version work on an older operating system only when it connects as a client to a higher-version RDP server, not when the RDP server built into the older operating system is used.
This version was introduced with Windows XP Professional and included support for 24-bit color and sound. The client is available for Windows 2000, Windows 9x, Windows NT 4.0.[7] With this version, the name of the client was changed from Terminal Services Client to Remote Desktop Connection; the heritage remains to this day, however, as the underlying executable is still named mstsc.exe.
This version was introduced with Windows Vista and incorporated support for Windows Presentation Foundation applications, Network Level Authentication, multi-monitor spanning and large desktop support, and TLS 1.0 connections.[9] Version 6.0 client is available for Windows XP SP2, Windows Server 2003 SP1/SP2 (x86 and x64 editions) and Windows XP Professional x64 Edition. Microsoft Remote Desktop Connection Client for Macintosh OS X is also available with support for Intel and PowerPC Mac OS versions 10.4.9 and greater.
This version was released in February 2008 and is included with Windows Server 2008, as well as with Windows Vista Service Pack 1. The client is included with Windows XP SP3.[10] In addition to changes related to how a remote administrator connects to the "console",[11] this version has new functionality introduced in Windows Server 2008, such as connecting remotely to individual programs and a new client-side printer redirection system that makes the client's print capabilities available to applications running on the server, without having to install print drivers on the server.[12][13] On the other hand, the remote administrator can freely install, add or remove any software or setting at the client's end. However, to start a remote administration session, one must be a member of the Administrators group on the server to which one is trying to connect.[14]
This version was released to manufacturing in July 2009 and is included with Windows Server 2008 R2, as well as with Windows 7.[15] With this release, Terminal Services was also renamed Remote Desktop Services. This version has new functions such as Windows Media Player redirection, bidirectional audio, multi-monitor support, Aero glass support, enhanced bitmap acceleration, Easy Print redirection[16] and Language Bar docking. The RDP 7.0 client is available on Windows XP SP3 and Windows Vista SP1/SP2 through KB969084.[17] The RDP 7.0 client is not officially supported on Windows Server 2003 x86 and Windows Server 2003 / Windows XP Professional x64 editions.
This version was released with Windows 8.1 and Windows Server 2012 R2. An RDP 8.1 client update exists for Windows 7 SP1 as well, but unlike the RDP 8.0 update for Windows 7, it does not add an RDP 8.1 server component to Windows 7. Furthermore, if the RDP 8.0 server function is desired on Windows 7, the KB 2592687 update (RDP 8.0 client and server components) must be installed before installing the RDP 8.1 update.[25][26]
In 2009, rdesktop was forked as FreeRDP, a new project aiming at modularizing the code, addressing various issues, and implementing new features. FreeRDP comes with its own command-line client xfreerdp, which supports Seamless Windows in RDP6.[42] Around 2011, the project decided to abandon forking and instead rewrite under the Apache License, adding more features like RemoteFX, RemoteApp, and NTLMv2.[43] A commercial distribution called Thincast was started in 2019.[44] A multi-platform client based on FreeRDP including Vulkan/H.264 support followed in summer 2020. There is also a GTK-based client named Remmina, also based on FreeRDP.
Proprietary RDP client solutions such as rdpclient are available as a stand-alone application or embedded with client hardware. A new access paradigm, browser-based access, has enabled users to access Windows desktops and applications on any RDP hosts, such as Microsoft Remote Desktop (RDS) Session Hosts (Terminal Services) and virtual desktops, as well as remote physical PCs.
There is also a VirtualBox Remote Display Protocol (VRDP) used in the VirtualBox virtual machine implementation by Oracle.[47] This protocol is compatible with all RDP clients, such as the one provided with Windows, but, unlike the original RDP, it can be configured to accept unencrypted and password-unprotected connections, which may be useful in secure and trusted networks, such as home or office LANs. By default, Microsoft's RDP server refuses connections to user accounts with empty passwords (but this can be changed with the Group Policy Editor[48]). External and guest authorization options are provided by VRDP as well. It does not matter which operating system is installed as a guest because VRDP is implemented at the virtual machine (host) level, not in the guest system. The proprietary VirtualBox Extension Pack is required.
By default, RD Session Host sessions use native RDP encryption. However, RDP does not provide authentication to verify the identity of an RD Session Host server. You can enhance the security of RD Session Host sessions by using Secure Sockets Layer (SSL) Transport Layer Security (TLS 1.0) for server authentication and to encrypt RD Session Host communications. The RD Session Host server and the client computer must be correctly configured for TLS to provide enhanced security. ( -us/library/ff458357.aspx)
Mimikatz (1) is a big-name tool in penetration testing used to dump credentials from memory on Windows. As a penetration tester, this method is invaluable for lateral and vertical privilege escalation in Windows Active Directory environments and is used on nearly every internal penetration test. Because of its popularity, the Mimikatz executable and PowerShell script are detected by the majority of Antivirus (AV) solutions out there. This post will cover several alternative methods to achieve the same goal without the need for modifying Mimikatz to evade AV, as well as some methods for preventing and detecting this attack.