Breaking out of a restricted RDP session
By Wicked Clown

BSides London, 20 April 2011.
A little bit of crap about me :)

- I am Wicked Clown
- I regularly attend DC4420 (DefCON London)
- Working in the security arena for 3 years as a tech support engineer.
- Unhealthy interest in everything security related for 20 years :)
- Jack of all trades, other interests include:
  - Lock picking, Social Engineering, Exploit & Vulnerability Research, Pen testing. Anything security related!
Talk Outline
*** THIS IS FOR EDUCATIONAL PURPOSES ONLY!! ***

- Extended version of my lightning talk I gave at BruCON 2010.
- I've got video demos; I chickened out of a live one!
- I am going to show how to fix it :(
- This is a bit of a random talk (covers lots of things, not just RDP)
So what have I discovered?

- Anyone who can connect to your Terminal Server can run and execute pretty much anything, bypassing your Group Policy settings!! Even if you think they are restricted!

Note: Only tested on Windows 2000 and 2003
Is this a security issue or not?

- The majority of people I have spoken to think this is an issue.
- Informed Microsoft – they don't seem to care.
- This is OPEN BY DEFAULT!!
- I have seen this in the wild.
Let's pop a box! - Recon

- Nmap scan the box
  - Port 3389
- Do we have an account and password?
  - If no, how do we get in?
  - If yes, AWESOME!!
Let's pop a box! - Username

We don't have a username.
Most companies use the username in their email address, e.g. for JD@bar.com the username will mostly be 'JD'.
Let's pop a box! - Password

* PASSWORD LOCK OUT POLICY!! *

- Brute force or social engineer.
- Don't need to just use TSCrack
- Check for FTP (21) or IMAP (143) services = Hydra
- Administrator DOESN'T LOCK OUT!! :)

* PASSWORD LOCK OUT POLICY!! *
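An added defender-side example (not from the original talk) of the detection a terminal-server admin would want for the guessing described on this slide: failed-logon bursts per account, rated high for the built-in Administrator account because the lockout policy never covers it; one source guessing across RDP, FTP and IMAP; and a success arriving right after a burst. The log format, thresholds and every line are constructed for the example and are not any product's format.

```python
# Detection logic for the password guessing on this slide. Added example, not
# from the original talk; the log format and every line are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                        # failures a typical lockout policy trips on
WINDOW = timedelta(minutes=10)       # window for counting failures
NEVER_LOCKS_OUT = {"administrator"}  # the slide's point: this account never locks

# Constructed sample log: timestamp, outcome, then key=value fields.
SAMPLE_LOG = """\
2011-04-20T09:00:01 FAILED service=rdp user=jd src=203.0.113.9
2011-04-20T09:00:03 FAILED service=rdp user=jd src=203.0.113.9
2011-04-20T09:00:05 FAILED service=rdp user=jd src=203.0.113.9
2011-04-20T09:00:07 FAILED service=ftp user=jd src=203.0.113.9
2011-04-20T09:00:09 FAILED service=imap user=jd src=203.0.113.9
2011-04-20T09:00:10 SUCCESS service=rdp user=jd src=203.0.113.9
2011-04-20T09:05:00 FAILED service=rdp user=administrator src=198.51.100.7
2011-04-20T09:05:01 FAILED service=rdp user=administrator src=198.51.100.7
2011-04-20T09:05:02 FAILED service=rdp user=administrator src=198.51.100.7
2011-04-20T09:05:03 FAILED service=rdp user=administrator src=198.51.100.7
2011-04-20T09:05:04 FAILED service=rdp user=administrator src=198.51.100.7
"""

def parse_log(text):
    """Parse the constructed lines into dicts with a datetime 'ts'."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        ts, outcome, *fields = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "outcome": outcome,
                        **dict(f.split("=", 1) for f in fields)})
    return records

def failure_bursts(records, threshold=THRESHOLD, window=WINDOW):
    """user -> most failures inside one sliding window, for users at/over threshold."""
    by_user = defaultdict(list)
    for r in records:
        if r["outcome"] == "FAILED":
            by_user[r["user"]].append(r["ts"])
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = max(bursts.get(user, 0), end - start + 1)
    return bursts

def analyze(text, threshold=THRESHOLD, window=WINDOW):
    """Return findings over the log text as a list of dicts."""
    records = parse_log(text)
    findings = []
    # Rule 1: failure bursts; Administrator never locks out, so only the log shows it.
    for user, count in sorted(failure_bursts(records, threshold, window).items()):
        sev = "high" if user.lower() in NEVER_LOCKS_OUT else "medium"
        findings.append({"rule": "failure_burst", "user": user,
                         "count": count, "severity": sev})
    # Rule 2: one source failing against several services (RDP plus FTP/IMAP).
    by_src = defaultdict(set)
    for r in records:
        if r["outcome"] == "FAILED":
            by_src[r["src"]].add(r["service"])
    for src, svcs in sorted(by_src.items()):
        if len(svcs) > 1:
            findings.append({"rule": "multi_service_guessing", "src": src,
                             "services": sorted(svcs), "severity": "medium"})
    # Rule 3: a success right after a threshold's worth of failures: the guess landed.
    for r in records:
        if r["outcome"] == "SUCCESS":
            prior = [p for p in records if p["outcome"] == "FAILED" and
                     p["user"] == r["user"] and r["ts"] - window <= p["ts"] <= r["ts"]]
            if len(prior) >= threshold:
                findings.append({"rule": "success_after_burst", "user": r["user"],
                                 "src": r["src"], "severity": "high"})
    return findings
```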
Let's pop a box! – Got details

We have a valid username and password!

We log in but are restricted... And now the cool bit!! :)
DEMO!!
Let's all pray to the demo gods!!

- Show you the group policy
- Log in as user to show it's restricted
- Show how to get a command shell in about 5 seconds
- How to abuse this to escalate privileges
- Then how to prevent this happening
Demo

Group Policy Setup

Demo Cont'd

Attack – The cool bit you want to see!

Demo Cont'd

How to fix it – the boring bit!!
Now What!!
Let's f*ck a network!

- Try the local admin password on other servers
- Check for other services running. VNC?
- Use Metasploit to route exploits through this box (Video on website)
- Upload 'Cain & Abel' to sniff the network for logins / passwords
Game over man!!
Email Server

- Access anybody's email account
- Send an email from someone to their boss saying they are gay and have a crush on them.
- Search the emails for the word 'Password'
- Use it as a spam server
Internal / External Network

- Inject malicious code into your Intranet website
- Deface or inject code into your external website
- Attack their external resources
- Turn their machines against them
- Modify your backups
Accounts System

- Create a phantom employee who gets paid.
- Transfer money to me or an enemy
- Publish everybody's payslips
- Change everybody's pay
- Overcharge their customers
Your Customers

- Obtain access to their networks
- Steal their information
- Block / sabotage their access to support them
- Denial of service to ALL their customers
Conclusion

- Forgetting a little tick can screw you over!!
- Finding 'features' is not just about exploiting code
- If you get caught doing this don't blame me

Web: www.tombstone-bbs.co.uk
Email: Wicked.Clown@tombstone-bbs.co.uk
