Stealing credentials of all logged in users. (Hacking RDP Servers Part 2)

In the previous video we got a foot hold on the victim machine and managed to elevate ourselves to SYSTEM. At this point though a restart of the server, or a simple glitch will see us booted off the server losing our connection, and putting us back to square one. What if we can get some credentials for the rdp server? Then we could just login whenever we wanted with legitimate credentials and there would be no malware on the victim that might be flagged by the anti-virus…..perfect!

If you haven’t watched the previous video and you are not sure how we got to this point, I’d recommend watching it so you are up to speed.

We already have kiwi loaded so we run the help command to see what’s available, and we can dump the contents of the SAM file. The Security Account Manager is a database file that stores the passwords for accounts which use the computer/server.

You can see we get 6 user names and their corresponding password hashes. We only need one weak password which we can crack and bingo we have an in.

We will cover cracking NTLM hashes in the next video of this series.

Next we migrate to a different process. On a system processes are continually opened and closed and so sometimes if you are running inside Word or Excel for example, you will lose your connection to the victim when they close that particular program or application. Therefore we want to run inside something which is much less likely to be closed.

Here we demonstrate how simple this is, especially if you already have SYSTEM level permissions. This is again why level privilege is so important, as it can mean the difference between an attacker being on a victim machine, but unable to do anything as the user account is locked down and they just simply get booted off when the computer is restarted. Or if with elevated permissions, they can easily migrate through running processes, further elevating their privileges easily as they go. (It takes 3 attempts in the video as I mess up and chose the wrong number value – whoops!)

The Meterpreter commands we run in this video are:

kiwi help; brings up the command menu for kiwi (mimikatz)

lsa_dump_sam; dumps the sam database file on screen.

ps ; lists running processes on the victim machine

migrate; state the PID number of the process you wish to migrate to and your malicious process will move from where it is currently running to the stated process.