Stealing credentials of all logged in users. (Hacking RDP Servers Part 2)

In the previous video we got a foothold on the victim machine and managed to elevate ourselves to SYSTEM. At this point, though, a restart of the server or a simple glitch will see us booted off, losing our connection and putting us back to square one. What if we could get some credentials for the RDP server? Then we could just log in whenever we wanted with legitimate credentials, and there would be no malware on the victim that might be flagged by the anti-virus... perfect!

If you haven’t watched the previous video and you are not sure how we got to this point, I’d recommend watching it so you are up to speed.

We already have kiwi loaded, so we run the help command to see what’s available, and then we dump the contents of the SAM file. The Security Account Manager (SAM) is a database file that stores the hashed passwords for the local accounts on the computer/server.

You can see we get 6 usernames and their corresponding password hashes. We only need one weak password which we can crack, and bingo, we have an in.

We will cover cracking NTLM hashes in the next video of this series.

Next we migrate to a different process. On a system, processes are continually opened and closed, so if you are running inside Word or Excel, for example, you will lose your connection to the victim when they close that particular program. Therefore we want to run inside something which is much less likely to be closed.

Here we demonstrate how simple this is, especially if you already have SYSTEM-level permissions. This again shows why the level of privilege is so important: it can mean the difference between an attacker being on a victim machine but unable to do anything, because the user account is locked down and they simply get booted off when the computer is restarted, and an attacker with elevated permissions who can easily migrate through running processes, elevating their privileges further as they go. (It takes 3 attempts in the video as I mess up and choose the wrong number value – whoops!)

The Meterpreter commands we run in this video are:

kiwi help; brings up the command menu for kiwi (mimikatz).

lsa_dump_sam; dumps the SAM database file on screen.

ps; lists the running processes on the victim machine.

migrate; state the PID of the process you wish to migrate to, and your malicious process will move from where it is currently running into the stated process.
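The migrate step above is exactly the kind of activity a defender can spot in endpoint telemetry: moving into another process creates a thread in that process, which Sysmon logs as Event ID 8 (CreateRemoteThread). The following detector is an added example, not code from the video or the post; the log lines, the allow-list, the target list and the severity threshold are all constructed assumptions to be tuned per environment.

```python
# Added example: score Sysmon Event ID 8 (CreateRemoteThread) records for signs of process migration.
# Every log line, list and threshold below is constructed for this example, not taken from the post.
import json
from pathlib import PureWindowsPath

# Long-lived processes an implant tends to migrate into, and processes that legitimately
# create threads in others. Both are assumed lists; tune them per host.
LONG_LIVED_TARGETS = {"explorer.exe", "winlogon.exe", "lsass.exe", "spoolsv.exe", "svchost.exe"}
KNOWN_INJECTORS = {"csrss.exe", "werfault.exe"}

SAMPLE_EVENTS = r"""
{"EventID": 8, "SourceImage": "C:\\Users\\bob\\Downloads\\invoice.exe", "TargetImage": "C:\\Windows\\explorer.exe", "StartModule": ""}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\winlogon.exe", "StartModule": "C:\\Windows\\System32\\ntdll.dll"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\cmd.exe", "TargetImage": "C:\\Windows\\System32\\spoolsv.exe", "StartModule": ""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 8, "SourceImage": "C:\\Program Files\\Tool\\agent.exe", "TargetImage": "C:\\Users\\bob\\scratch.exe", "StartModule": ""}
"""

def _name(path):
    return PureWindowsPath(path).name.lower()

def _under_windows(path):
    parts = PureWindowsPath(path).parts
    return len(parts) > 1 and parts[1].lower() == "windows"

def score_remote_thread(evt):
    """Return (severity, reasons) for one Event 8 record; severity 0 means ignore."""
    src, dst = evt.get("SourceImage", ""), evt.get("TargetImage", "")
    if _name(src) in KNOWN_INJECTORS:
        return 0, []
    reasons = []
    if _name(dst) in LONG_LIVED_TARGETS:
        reasons.append(f"target {_name(dst)} is a long-lived system process")
    if not evt.get("StartModule"):  # thread start address not backed by any loaded module
        reasons.append("new thread starts in memory not backed by a loaded module")
    if not _under_windows(src):
        reasons.append("source image lives outside C:\\Windows")
    return len(reasons), reasons

def find_migrations(log_text, min_severity=2):
    """Parse JSON-lines Sysmon records and return the Event 8 records worth alerting on."""
    alerts = []
    for line in log_text.strip().splitlines():
        evt = json.loads(line)
        if evt.get("EventID") != 8:
            continue
        severity, reasons = score_remote_thread(evt)
        if severity >= min_severity:
            alerts.append({"source": evt["SourceImage"], "target": evt["TargetImage"], "severity": severity, "reasons": reasons})
    return alerts
```

With the default threshold, `find_migrations(SAMPLE_EVENTS)` flags the invoice.exe, cmd.exe and agent.exe records and ignores the csrss.exe one; raising `min_severity` to 3 keeps only the user-profile binary injecting into explorer.exe.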

Why “Least Privilege” is important. (Hacking RDP Servers Part 1)

Welcome back. This is a simple demo to show why you don’t use administrator rights with the normal everyday accounts you use for email and web browsing. It’s something you may hear all the time, but it’s not easy to understand what the big deal is if you have never seen it.

In the video we have the attacker on the left and the victim on the right.

We have used the Metasploit Framework to create a simple malicious .exe (we will cover creating this in a separate video), which we have uploaded to the web server that hosts the malicious file. We then start our Metasploit listener which, when the malware is clicked, connects us to the victim machine.

The victim machine is running Windows Server 2008 R2 and is a simple RDP server used by multiple users in our fake organisation for various tasks.

What you will see is that when the victim user is NOT a member of the Administrators group, the malware still fails to run when clicked, even after the user clicks past the warning, as they do not have sufficient rights. We then run the same test with the same malware, but this time we add the user to the Administrators group, and of course the malware runs and we get full access to the victim server. We will cover some of the things we can do once we have a foothold on the machine in the next video.

The Meterpreter commands we run in this video are:

sysinfo; gives us information about the infected system we are connected to.

shell; launches a hidden Windows command prompt which allows you to run native Windows commands, which we use to launch “notepad.exe” as a demonstration.

load kiwi; mimikatz (if you don’t know what this is, go and have a look online) has been ported into Metasploit, and when you load the extension you can use it straight from the Meterpreter session.

getuid; shows who we are currently running as on the victim server. This video shows us moving from Guest to SYSTEM.

getsystem; Meterpreter tries a built-in set of techniques to attempt to get SYSTEM-level access. This means your malicious actions will now be run as SYSTEM.

Come back for the next video, where we dump the hashed passwords of all the logged-in users.