RDP Bruteforce Attack - Why it is bad to expose RDP to the internet

It is essentially a Lockout Policy. To toggle this policy, we need to open the Local Security Policy window. It will open a window similar to the one shown below. To get to the particular policy we need to Account Policies under Security Settings. It contains 3 policies each working on an aspect of the Account Lockout.

The first one controls the duration of the lockout. This is the time that is required to be passed to log in again after the lockout. Then we have the Lockout Threshold. This controls the number of invalid attempts. Please toggle these as per your requirements. This should prevent the Bruteforce attack. After trying the Bruteforce attack using Hydra, it can be observed that it is not possible to extract the credentials as before.

Although there is still some risk that can be prevented by forcing the users to change the passwords frequently and enforcing good password policies. As we enabled a lockout policy, we will not be able to log in on the machine even with the correct password until the time passed that we toggled in the policy. You will be greeted with a Lockout message as shown in the image below.

Although it has been years since its introduction, the Metasploit Framework is still one of the most reliable ways to perform post-exploitation. In the image below, we have the meterpreter of the machine that has RDP disabled. We use the getgui command on meterpreter to create a user by the name of ignite with a password as After completion, we can log in on the machine as ignite user through RDP. This was the meterpreter command getgui. We provide the username and password for the user to be created and the session identifier.

It will create another user by the name of Pavan with a password as on the machine which then can be used for accessing the machine through RDP. After selecting the exploit, we need to provide a session identifier. In the image, it can be observed that the exploit was created successfully.

Since Sticky Keys can be initiated by pressing the Shift key 5 times, we connect to the target machine using RDP and then proceed to do so. This will open an elevated command prompt window as shown in the image below. Mimikatz can be used to perform this kind of attack. As the attacker was able to gain the session of the machine, they used Mimikatz and ran the mstsc function inside the ts module. Mstsc is a process that runs when the Remote Desktop service in use.

It then intercepts the RDP protocol communication to extract the stored credentials. It can be seen in the image below that Mimikatz can extract the credentials for the user raj. Session Hijacking is a type of attack where an attacker can gain access to an active session that is not directly accessible to the attacker. To demonstrate this kind of attacker we need to create a scenario.

Here we have a Windows Machine with Remote Desktop service enabled and running with two active users: raj and aarti. One of the most important factors to perform a Session Hijacking Attack is that another session that we are trying to hijack must be an active session.

Here, the raj user and aarti user both are active users with active sessions on the target machine. We log in to the raj user using the credentials that we were able to extract using the Mimikatz. Now we will need to run the Mimikatz again after logging in as raj user. We need to list all the active sessions. We use the sessions command from the ts module. Here we can see that there exists a Session 3 for aarti user that is active.

Back to the session output, we saw that the aarti user has session 3. We need to connect to that particular session using the remote command of the ts module. As we can see in the image that we were able to get the remote desktop session for the aarti user from the raj user access. This is the process that a Session Hijacking is possible for the Remote Desktop services. To discuss mitigation, we first need to detect the possibility of the attack.

As all the services on Windows, Remote Desktop also creates various logs that contains information about the users that are logged on, or the time when they logged on and off with the device name and in some case IP Address of the user connecting as well. There exist various types of logs regarding the Remote desktop service. While connecting to the client the authentication can either be successful or failure. With both these cases, we have different EventIDs to recognise.

The authentication logs are located inside the Security Section. EventID Authentication process was successful. EventID Authentication process was failure. Then we have the Logon and Logoff events. Logon will occur after successful authentication. Logoff will track when the user was disconnected from the system.

These particular logs will be located at the following:. At last, we have the Session Connection Logs. This category has the most Events because there are various reasons for disconnection and it should be clear to the user based on the particular EventID.

These logs are located at the following:. We can see that in the given image the aarti user was reconnected. This is a log entry from the time we performed the Session Hijacking demonstration. That means if an attacker attempts that kind of activity, you might be looking for this kind of logs. For Mitigation, we can set a particular time limit for disconnected sessions, idle Remote Desktop services that might be clogging up the memory usage and others.

These policies can be found at:. When implemented, these policies will restrict the one necessity required by the session hijacking i. Hence, mitigation the possibility of Session Hijacking altogether. One of the things to notice before getting on with the attack is that DoS Attacks through Remote Desktops are generally not possible.

In this demonstration, we will be using a Windows 7 machine. Before getting to the exploit, Metasploit has an auxiliary that can be used to scan the machine for this particular vulnerability. As it can be observed from the image below that the machine that we were targeting is vulnerable to a DoS attack.

Now that we have the confirmation for the vulnerability, we can use it to attack our target machine. This attack is named as max channel attack. This attack works in the following method. Firstly, it detects the target machine using the IP Address. Then it tries to connect to the machine through the RDP service. When the target machine responds that it is ready to connect, the exploit sends large size packets to the machine. The size of the packets is incremental until it becomes unresponsive.

In our demonstration, we can see that it starts with a bytes packet. It will continue to send packets until the target machine is unable to handle those packets. BlueKeep was a security vulnerability that was discovered in Remote Desktop Protocol implementation that can allow the attacker to perform remote code execution.

