Breaking out of a
restricted RDP session
By Wicked Clown

Bsides London 20 April 2011.
A little bit of crap about me :)

- I am Wicked Clown
- I regularly attend DC4420 (DefCON London)
- Working in the security arena for 3 years as a tech support engineer.
- Unhealthy interest in everything security related for 20 years :)
- Jack of all trades; other interests include:
  - Lock picking, social engineering, exploit & vulnerability research, pen testing. Anything security related!
Talk Outline
*** THIS IS FOR EDUCATIONAL PURPOSES ONLY!! ***

- Extended version of my lightning talk I gave at BruCON 2010.
- I've got video demos; I chickened out of a live one!
- I am going to show how to fix it :(
- This is a bit of a random talk (covers lots of things, not just RDP)
So what have I discovered?

- Anyone who can connect to your Terminal Server can run and execute pretty much anything, bypassing your Group Policy settings!! Even if you think they are restricted!

Note: Only tested on Windows 2000 and 2003
Is this a security issue or not?

- The majority of people I have spoken to think this is an issue.
- Informed Microsoft – they don't seem to care.
- This is OPEN BY DEFAULT!!
- I have seen this in the wild.
Let's pop a box! - Recon

- Nmap scan the box
  - Port 3389 (RDP)
- Do we have an account and password?
- If no, how do we get in?
- If yes, AWESOME!!
Let's pop a box! - Username

- We don't have a username.
- Most companies use the username in their email address, e.g. for JD@bar.com the username will mostly be 'JD'.
Let's pop a box! - Password

* PASSWORD LOCKOUT POLICY!! *

- Brute force or social engineer.
- Don't need to just use TSCrack
- Check for FTP (21) or IMAP (143) services = Hydra
- Administrator DOESN'T LOCK OUT!! :)

* PASSWORD LOCKOUT POLICY!! *
Let's pop a box! – Got details

- We have a valid username and password!
- We log in, but restricted.. And now the cool bit!! :)
DEMO!!
Let's all pray to the demo gods!!

- Show you the group policy
- Log in as the user to show it's restricted
- Show how to get a command shell in about 5 seconds
- How to abuse this to escalate privileges
- Then how to prevent this happening
Demo

Group Policy Setup

Demo Cont'd

Attack – The cool bit you want to see!

Demo Cont'd

How to fix it – the boring bit!!
Now What!!
Let's f*ck a network!

- Try the local admin password on other servers
- Check for other services running. VNC?
- Use Metasploit to route exploits through this box (Video on website)
- Upload 'Cain & Abel' to sniff the network for logins / passwords
Game over man!!
Email Server

- Access anybody's email account
- Send an email from someone to their boss saying they are gay and have a crush on them.
- Search the emails for the word 'Password'
- Use it as a spam server
Internal / External Network

- Inject malicious code into your Intranet website
- Deface or inject code into your external website
- Attack their external resources
- Turn their machines against them
- Modify your backups
Accounts System

- Create a phantom employee who gets paid.
- Transfer money to me or an enemy
- Publish everybody's payslips
- Change everybody's pay
- Overcharge their customers
Your Customers

- Obtain access to their networks
- Steal their information
- Block / sabotage their access to support them
- Denial of service against ALL their customers
Conclusion

- Forgetting a little tick can screw you over!!
- Finding 'features' is not just about exploiting code
- If you get caught doing this, don't blame me

Web: www.tombstone-bbs.co.uk
Email: Wicked.Clown@tombstone-bbs.co.uk
