This tutorial was sent in by our guest member "Signal Sender" <signalsender@gmail.com>.
If you want to do any MS Terminal Server cracking you basically have your choice of three tools that can do it for you: TSGrinder, TScrack, and a patched version of rdesktop. This article takes you step-by-step through the concepts, tools and usage.
TSGrinder is readily available from http://www.hammerofgod.com/download.html.
TSCrack you’ll have to google for as it is not readily available anymore.
Rdesktop v1.41 can be downloaded from http://www.rdesktop.org/ and you’ll need the patch from foofus.net http://www.foofus.net/jmk/rdesktop.html.
Part 1: MS Terminal Services Overview
Hacking Exposed Windows Server 2003 gives a great overview; I won’t plagiarize it all here, so check it out for more details, and see the references section of this paper for some MS references.

Prior to Terminal Services, Windows did not provide the ability to run code remotely in the processor space of the server. Another way to put this is that there was no way to have an “interactive” session on the server. There were tools like wsremote, psexec or VNC. If an attacker got a non-administrator-level account on a remote machine they could map shares and copy files, but had a difficult time running code on the server. Now, with Terminal Services, an attacker can log on as a non-privileged user and run local exploit code via the Terminal Services GUI. These attacks used to be fairly limited to local physical attacks or to users who were actually logged into your domain, but now if the server has Terminal Services (Windows 2000 Server, Windows Server 2003) or RDP (Windows XP) running, the attack surface increases.
Terminal Services by default listen on port 3389 (but can be changed by editing the registry).
If you want to change the listening port, edit this registry key:
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, value PortNumber (REG_DWORD, default 3389)
To turn on Terminal Server/RDP, set this registry value (the command below does it from the command line):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
With this command you can enable the RDP service.
Password Cracking Basics
There are three types of password attacks:

Brute Force: A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one by one. [1] For example, the program might follow a sequence like this:
"aaaaaaaa"
"aaaaaaab"
"aaaaaaac" ...
and so on, until the password is found.
Dictionary Attack: An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words, compared to a brute force attack that tries all possible combinations. [2]
Hybrid Attack: A hybrid attack is a mixture of a brute force attack and a dictionary attack. There are many different ways a hybrid attack can be performed; in its simplest form a hybrid attack may simply add a couple of numbers to the end of each dictionary word tried. This increases the number of tested combinations without having to resort to a true brute force attack. Cracking software will often use a combination or selection of all three methods to try and guess your password. [3]
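The three attack classes above are easiest to understand from the defender's side: a password policy is only useful if it rejects what a dictionary or hybrid run would find in seconds. The following password auditor is an added example, not code from the tutorial or from any of the tools it covers. It classifies a candidate password by the cheapest attack class that recovers it (plain dictionary word, dictionary word plus a short digit suffix and/or "l337" substitutions, or only exhaustive search) and estimates the brute-force keyspace for the last case. The word list, the substitution table and the MIN_LENGTH / MIN_CLASSES thresholds are constructed for the demo and are not taken from the page.

```python
"""Password-policy auditor (added example, not the tutorial's own code).

Checks a candidate password against the three attack classes the text
describes: a plain dictionary hit, a hybrid hit (dictionary word plus a
short digit suffix and/or "l337" substitutions), and otherwise estimates
the brute-force keyspace. Word list and thresholds are constructed for
the demo; a real audit would load a full word list.
"""
import string

# Constructed mini dictionary (assumption: stands in for a real word list).
DICTIONARY = {"password", "admin", "chris", "summer", "welcome", "letmein"}

# Substitutions a "l337"-aware tool applies; we reverse them to recover the stem.
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t"}

MAX_SUFFIX_DIGITS = 2   # hybrid rule from the text: word plus a couple of digits
MIN_LENGTH = 8          # assumed policy threshold, not from the page
MIN_CLASSES = 3         # assumed policy threshold, not from the page

# Character classes used for the keyspace estimate: lower, upper, digit, punctuation.
CLASS_CHECKS = (str.islower, str.isupper, str.isdigit,
                lambda c: c in string.punctuation)
CLASS_SIZES = (26, 26, 10, len(string.punctuation))


def unleet(word):
    """Undo common substitutions so 'p@ssw0rd' compares as 'password'."""
    return "".join(LEET.get(c, c) for c in word)


def classify(password, dictionary=DICTIONARY):
    """Return 'dictionary', 'hybrid' or 'brute-force': the cheapest attack
    class that recovers the password under the rules above."""
    pw = password.lower()
    if pw in dictionary:
        return "dictionary"
    for n in range(MAX_SUFFIX_DIGITS + 1):
        if n >= len(pw):
            break
        stem, suffix = pw[:len(pw) - n], pw[len(pw) - n:]
        if n and not suffix.isdigit():
            continue                      # only all-digit suffixes count as hybrid
        if stem in dictionary or unleet(stem) in dictionary:
            return "hybrid"
    return "brute-force"


def character_classes(password):
    """Number of character classes (of the four above) the password uses."""
    return sum(1 for check in CLASS_CHECKS if any(check(c) for c in password))


def brute_force_keyspace(password):
    """Candidates an exhaustive search needs when it knows the length and the
    character classes in use (an optimistic, attacker-favouring estimate)."""
    alphabet = sum(size for size, check in zip(CLASS_SIZES, CLASS_CHECKS)
                   if any(check(c) for c in password))
    return alphabet ** len(password)


def audit(password, dictionary=DICTIONARY):
    """Summarise why a password would or would not survive the three attack types."""
    attack = classify(password, dictionary)
    result = {
        "attack": attack,
        "keyspace": brute_force_keyspace(password),
        "classes": character_classes(password),
    }
    result["acceptable"] = (attack == "brute-force"
                            and len(password) >= MIN_LENGTH
                            and result["classes"] >= MIN_CLASSES)
    return result


if __name__ == "__main__":
    for candidate in ("password", "Summer12", "P@ssw0rd", "chrisg", "Tr0ub4dor&3"):
        print(candidate, audit(candidate))
```

Run it and the six-letter, single-class password "chrisg" from later in this tutorial comes out as 26^6 (about 3.1e8) brute-force candidates, which is why the author had to weaken the Server 2003 password policy to test it; "P@ssw0rd" is flagged as a hybrid hit because reversing the substitutions yields a dictionary word.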
Terminal Services Enumeration
You can Google for “/TSWeb/default.htm”.
Figure 1.1: Output of a Google search for /TSWeb/default.htm.
You can nmap for port 3389
Figure 1.2: An Nmap scan looking for port 3389 open on the Class C.
Figure 1.3: Results on the Nmap Scan looking for open port 3389.
You can use ProbeTS (http://www.ziddu.com/download/13010137/probets.zip.html):
Figure 1.4: The output of probeTS.
Terminal Services Connections
Let’s see what a regular Terminal Services connection looks like.
Figure 1.5: The Terminal Services/RDP client on Windows 2000 Pro connecting to a Windows 2000 Terminal Server.
Figure 1.6: Issuing a command over the Terminal Services Client.
Part 2: TSGrinder
From the TSGrinder website: “TSGrinder is the first production Terminal Server brute force tool. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. Also having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.
TSGrinder is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection.
Also, the problem you describe can be exacerbated in that the administrator account can be brute-forced without creating a log entry, by attempting 5 logons and disconnecting before Windows disconnects and logs after the sixth failure.”
Let’s see TSGrinder in action. I had to use the Windows XP RDP client on Windows 2000 SP4 to get TSGrinder to work properly. I did not need roboclient.zip that it mentions on the website.
Figure 2.1: TSGrinder being run with no arguments.
Figure 2.2: TSGrinder using a dictionary attack against the administrator account.
Figure 2.3: A failed attempt.
Figure 2.4: if TSGrinder guesses the password it will log into the terminal services and immediately disconnect.
Figure 2.5: A successful attempt with TSGrinder.
Figure 2.6: TSGrinder supports 2 threads. Here you can see two threads running the attack.
Figure 2.7: A successful attempt with TSGrinder that used 2 threads to run the attack.
Part 3: TScrack
From the TScrack documentation: “The Windows Terminal Services facility offers graphical desktop sessions to remote clients. Terminal Services enables users to work in a Windows session that exists on the server. The client functionality is basically reduced to the functionality of a terminal; all it does is display the session screen and collect user input.
TScrack applies AI technology (Artificial Neural Networks) to scrape the screen contents of the graphical logon, in order to enable a simple dictionary based cracking algorithm to perform efficiently against the graphically presented logon dialogs and message boxes.
This is very similar to the technology used i.e. in Optical Character Recognition (OCR), Face- and Image recognition in general.
TScrack was written for two purposes:
a) To provide a tool to assess password security of MS RDP servers
b) As proof of concept code, to point out that graphical logons are by no means secure from automated cracking / password guessing tools”
Figure 3.1: TScrack being run with no arguments.
Figure 3.2: TScrack being run against a Windows Server 2003 Terminal Server
Figure 3.3: TScrack successfully cracking the password
Figure 3.4: TScrack also does multithreaded cracking; use the –t option for 2 connections.
Figure 3.5: TScrack with two simultaneous connections running
Figure 3.6: TScrack successfully cracking the password
TScrack was updated to v2.1 to include brute force attacks (something TSGrinder does not do).
Figure 3.7: TScrack in Brute force mode (-B option & max word length of 6)
**Note 1: I attempted to use the –N (no logging) option. Windows Server 2003 still logged every failed attempt to log on (which is good).
Figure 3.8: TScrack in Brute force mode with the –N (no logging) option
Figure 3.9: Even with –N enabled, Windows Server 2003 logged the attempts. I did not test every configuration on every type of OS; I just noticed it was logging the attempt and shared the info.
**Note 2: I also had to drastically change the default password policy on Server 2003 to put in an easy-to-crack password. I chose “chrisg” as the password I wanted to brute force.
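The TSGrinder quote in Part 2 explains the evasion these tools rely on: five guesses per connection, then disconnect before Windows records the sixth failure; Note 1 above shows that on the author's Server 2003 box every failed attempt was logged anyway. What a defender needs, then, is a detector that counts failures per source address across connections rather than per session. The following is an added example, not code from the tutorial or any of the tools it covers. The log lines are constructed in a simplified format; on a real host the equivalent events are Security log 529 (Windows 2000/2003) or 4625 (Vista and later) with logon type 10 (RemoteInteractive), which the type field below imitates. The threshold and window values are assumptions for the demo.

```python
"""Failed-logon burst detector (added example, not the tutorial's own code).

Counts failed RemoteInteractive (RDP) logons per source address inside a
sliding time window, regardless of how the attempts were batched across
connections, and flags a later success from a source that already produced
a burst. Sample log lines are constructed and use a simplified format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: two five-attempt batches and a two-attempt tail from
# one source, a user typo from another host, one console (type 2) failure,
# and finally a success for the attacked account.
SAMPLE_LOG = """\
2011-03-04 10:00:01 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:00:02 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:00:03 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:00:04 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:00:05 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:00:09 FAILURE user=bob src=192.168.0.7 type=10
2011-03-04 10:00:30 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:00:31 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:00:32 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:00:33 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:00:34 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:00:40 SUCCESS user=bob src=192.168.0.7 type=10
2011-03-04 10:00:45 FAILURE user=svc src=192.168.0.50 type=2
2011-03-04 10:01:00 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:01:01 FAILURE user=administrator src=192.168.0.50 type=10
2011-03-04 10:01:05 SUCCESS user=administrator src=192.168.0.50 type=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>FAILURE|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) type=(?P<type>\d+)$")


def parse(text):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev


def detect(events, threshold=10, window=timedelta(minutes=5)):
    """Return alerts as (kind, src, user, timestamp) tuples.

    'burst': the threshold-th RemoteInteractive failure from one source within
    the window, however the attempts were split across connections.
    'success_after_burst': a later successful logon from a source that already
    triggered a burst, i.e. a probable guessed password."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()               # sources that already produced a burst alert
    alerts = []
    for ev in events:
        if ev["type"] != "10":    # only remote interactive (RDP) logons
            continue
        q = recent[ev["src"]]
        if ev["result"] == "FAILURE":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("burst", ev["src"], ev["user"], ev["ts"]))
        elif ev["src"] in flagged:
            alerts.append(("success_after_burst", ev["src"], ev["user"], ev["ts"]))
    return alerts


def run(text=SAMPLE_LOG, threshold=10):
    """Parse the text and return the alert list for it."""
    return detect(parse(text), threshold=threshold)


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

On the sample the first alert fires at the tenth failure from 192.168.0.50 (10:00:34), even though no single connection carried more than five attempts, and the administrator success at 10:01:05 is reported as a probable guessed password. Since the page notes that the Administrator account cannot be locked out for local logons, per-source counting of this kind, rather than account lockout, is the control that actually sees the attack.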
Figure 3.10: Here is the default password policy for Windows Server 2003
Figure 3.11: What I changed the password policy to, to allow “chrisg” as a password
**Note 3: I had to run TScrack 2.1 on a Windows 2000 machine; it wasn’t working properly on Windows XP SP2. Also, if you are getting an MSRDP.OCX error, uninstall TScrack using the “-U” option, then reinstall by issuing TScrack.exe –h.
Part 4: Rdesktop & BruteForcing RDP with Rdesktop patch
Download rdesktop version 1.4.1 from the website:
http://www.rdesktop.org/
http://prdownloads.sourceforge.net/rdesktop/rdesktop-1.4.1.tar.gz?download
Download the rdp-bruteforce patch from foofus.net:
http://www.foofus.net/jmk/rdesktop.html
http://www.foofus.net/jmk/tools/rdp-brute-force-r422.diff
Copy the patch into the source directory and apply it:
SegFault:/Users/chrisgates/Desktop root# cd rdesktop-1.4.1
SegFault:/Users/chrisgates/Desktop/rdesktop-1.4.1 root# patch -p1 -i rdp-brute-force-r422.diff
patching file orders.c
patching file orders.h
patching file rdesktop.c
patching file rdesktop.h
patching file rdp.c
patching file secure.c
patching file xkeymap.c
Compile and install rdesktop:
./configure
make
sudo make install
Start X-Windows/X-Darwin/X11 (I used X-Darwin installed using Fink on Mac OS X Tiger). This shouldn’t be an issue if you are using a Linux flavor with a GUI.
Now start Rdesktop with your passlist and user or userlist:
SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$ rdesktop -u administrator -p pass.txt 192.168.0.105
**You'll need to run this from X-Darwin/X-Windows/X11; if you run it from the command line it will say something like:
ERROR: Failed to open display:
If everything is working right you'll see it open rdesktop, try to log in and then exit. Check your command line output to see if you were able to guess the password.
Figure 4.1: Running Rdesktop with no parameters gives you the help menu.
Figure 4.2: Issuing the command line parameters to start rdesktop in *nix under XDarwin.
Figure 4.3: rdesktop brute forcing the accounts.
The following output was against an XP Pro SP2 host. With XP, if the user is currently logged in, they will be forced to log off if you connect to the machine over RDP.
SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$ rdesktop -u noone -p pass.txt 192.168.0.105
Starting dictionary attack against server 192.168.0.105
-------------------------------------------------------
Retrieved connection termination packet.
Account credentials are NOT valid.
Retrieved connection termination packet.
[failure] User "noone" Password "test"
Retrieved connection termination packet.
Account credentials are NOT valid.
Retrieved connection termination packet.
---SNIP---
[failure] User "noone" Password "admin"
Retrieved connection termination packet.
Account credentials are NOT valid.
Retrieved connection termination packet.
[failure] User "noone" Password "administrator"
Valid credentials, however, another user is currently logged on.
[success] User "noone" Password "noone"
SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$
Figure 4.4: The command line output of the successful attack against XP SP2 but with the user logged in.
Let’s see Rdesktop against a Windows Server 2003.
Figure 4.5: Rdesktop against Windows Server 2003 against the “chris” account.
Figure 4.6: Rdesktop successfully cracking the password with a dictionary attack.
Thanks to Signal Sender...