Why “Least Privilege” is important. (Hacking RDP Servers Part 1)

Welcome back, this is a simple demo to show why you don’t use administrator rights with normal everyday accounts you use for email and web browsing. It’s something you may hear all the time, but it’s not easy to understand what the big deal is if you don’t know.

In the video we have the attacker on the left and the victim on the right.

We have used the Metasploit Framework to create a simple malicious .exe (we will cover creating this in a separate video), which we have uploaded to our web server that hosts the malicious file. We then start our Metasploit Framework listener which, when the malware is clicked, connects to the victim machine.

The victim machine is running Windows Server 2008 R2 and is a simple RDP server used by multiple users in our fake organisation for various tasks.

What you will see is that when the victim user is NOT a member of the Administrators group, the malware still fails to run even after the user clicks it and clicks past the warning, because the account does not have sufficient rights. We then run the same test with the same malware, but this time we add the user to the Administrators group, and of course the malware runs and we get full access to the victim server. We will cover some of the things we can do once we have a foothold on the machine in the next video.
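The difference between the two runs comes down to one change: an everyday RDP user being added to the local Administrators group. That change is also what a defender should be watching for. The script below is an added example written for this post (it is not code from the video or from Metasploit): it parses a constructed flat-text export of Windows Security log records, flags every event 4732 (member added to a security-enabled local group) that targets the Administrators group (well-known SID S-1-5-32-544), and separately compares a snapshot of Administrators membership against a list of approved admin accounts. The field names follow the EventData fields of a 4732 record; the one-line `timestamp key=value` layout, the account names and the SIDs are all constructed for the example.

```python
import shlex
from dataclasses import dataclass

# Well-known SID of the built-in local Administrators group.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Security log events that record a member being added to a group:
# 4732 = security-enabled local group (covers local Administrators),
# 4728 = security-enabled global group (domain groups).
GROUP_ADD_EVENTS = {"4732", "4728"}


@dataclass
class Finding:
    when: str      # TimeCreated of the event
    actor: str     # SubjectUserName: who made the change
    member: str    # MemberSid: the account that gained admin rights
    group: str     # TargetUserName: the group that was changed


def parse_event(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' record into a dict.

    Field names (EventID, SubjectUserName, MemberSid, TargetUserName,
    TargetSid) follow the EventData fields of a 4732 record; the flat line
    layout itself is an assumption made for this example. shlex handles
    quoted values such as "Remote Desktop Users".
    """
    tokens = shlex.split(line)
    event = {"TimeCreated": tokens[0]}
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def is_administrators_group(event: dict) -> bool:
    """Match on the well-known SID first; fall back to the group name."""
    if event.get("TargetSid") == ADMINISTRATORS_SID:
        return True
    return event.get("TargetUserName", "").lower() == "administrators"


def detect_admin_group_changes(lines):
    """Return a Finding for every event that adds a member to Administrators."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        if not is_administrators_group(event):
            continue
        findings.append(Finding(
            when=event["TimeCreated"],
            actor=event.get("SubjectUserName", "?"),
            member=event.get("MemberSid", event.get("MemberName", "?")),
            group=event.get("TargetUserName", "?"),
        ))
    return findings


def audit_admins(admin_members, approved_admins):
    """Everyday accounts holding admin rights that are not on the approved list."""
    return sorted(set(admin_members) - set(approved_admins))


# Constructed sample records. The second line is the change made in the
# video: an everyday RDP user added to the local Administrators group.
# The last line is a removal (4733) and must not be flagged.
SAMPLE_LOG = [
    '2024-03-04T08:55:10Z EventID=4624 SubjectUserName=- TargetUserName=jsmith LogonType=10',
    '2024-03-04T09:01:42Z EventID=4732 SubjectUserName=itadmin MemberName=- '
    'MemberSid=S-1-5-21-1111-2222-3333-1105 TargetUserName=Administrators TargetSid=S-1-5-32-544',
    '2024-03-04T09:02:15Z EventID=4732 SubjectUserName=itadmin MemberName=- '
    'MemberSid=S-1-5-21-1111-2222-3333-1105 TargetUserName="Remote Desktop Users" TargetSid=S-1-5-32-555',
    '2024-03-04T09:05:00Z EventID=4733 SubjectUserName=itadmin MemberName=- '
    'MemberSid=S-1-5-21-1111-2222-3333-1105 TargetUserName=Administrators TargetSid=S-1-5-32-544',
]

# Constructed membership snapshot of the RDP server's Administrators group
# and the list of accounts that are approved to hold admin rights.
ADMIN_MEMBERS = ["Administrator", "itadmin", "jsmith"]
APPROVED_ADMINS = ["Administrator", "itadmin"]


if __name__ == "__main__":
    for f in detect_admin_group_changes(SAMPLE_LOG):
        print(f"{f.when}: {f.actor} added {f.member} to {f.group}")
    print("Unapproved admins:", audit_admins(ADMIN_MEMBERS, APPROVED_ADMINS))
```

Matching on the group SID rather than the display name means a renamed or localised Administrators group is still caught, and adding the user to Remote Desktop Users (which is what an RDP-only user actually needs) is deliberately not flagged. On a real server the records would come from the Security log (for example via `wevtutil` or `Get-WinEvent`) and be mapped onto the same field names.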

The Meterpreter commands we run in this video are:

sysinfo; this gives us the info of the infected system we are connected to.

shell; this launches a hidden Windows command prompt which allows you to run native Windows commands, which we use to launch “notepad.exe” as a demonstration.

load kiwi; mimikatz (if you don’t know what this is go have a look online) has been ported into Metasploit and when you load the extension you can use it straight from the meterpreter session.

getuid; shows who we are currently running as on the victim server. This video shows us moving from Guest to SYSTEM.

getsystem; Meterpreter tries a built-in set of techniques to attempt to get SYSTEM level access. This means your malicious actions will now be run as SYSTEM.

Come back for the next video where we dump the hashed passwords of all the logged in users.