Note:
This article is from the Ethical Hacker Network. It is an excellent article written by Chris Gates; more of his articles can be found in the collection of his columns. I took the liberty of adding additional info, just like I do with all my blogs. None of my blog posts are totally done. As I discover fixes and improvements, I will update them.
If you want to do any MS Terminal Server cracking you basically have your choice of three tools that can do it for you.
Tools:
1. TSGrinder
2. TScrack
3. A patched version of rdesktop
Part 1: MS Terminal Services Overview
Hacking Exposed Windows Server 2003 gives a great overview. I won't plagiarize it all here, so check it out for more details, and see the references section of this paper for some MS references.
Prior to Terminal Services, Windows did not provide the ability to run code remotely in the processor space of the server. Another way to put this is that there was no way to have an "interactive" session on the server. There were tools like wsremote, psexec or VNC. If an attacker got a non-administrator-level account on a remote machine they could map shares and copy files, but had a difficult time running code on the server. Now, with Terminal Services, an attacker can log on as a non-privileged user and run local exploit code via the Terminal Services GUI. These attacks used to be fairly limited to local physical attacks or to users who were actually logging into your domain, but now if the server has Terminal Services (Windows 2000 Server, Windows Server 2003) or Remote Desktop (Windows XP) running, the attack surface increases.
Terminal Services listens on port 3389 by default (this can be changed by editing the registry).
If you want to change the listening port, edit this registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Value: PortNumber (REG_DWORD), default 3389
To turn on Terminal Server/RDP from the command line, set this registry value:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
This command enables the RDP service; setting fDenyTSConnections back to 1 denies remote connections again.
Password Cracking Basics
There are three types of password attacks:
1. Brute Force: A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one by one. [1] For example, the program might follow a sequence like this:
"aaaaaaaa"
"aaaaaaab"
"aaaaaaac" ...
until the password is found.
2. Dictionary Attack: An attack that tries all of the phrases or words in a dictionary in an attempt to crack a password or key. A dictionary attack uses a predefined list of words, as opposed to a brute force attack, which tries all possible combinations. [2]
3. Hybrid Attack: A hybrid attack is a mixture of a brute force attack and a dictionary attack. There are many different ways a hybrid attack can be performed; in its simplest form a hybrid attack may simply add a couple of numbers to the end of each dictionary word tried. This increases the number of tested combinations without having to resort to a true brute force attack. Cracking software will often use a combination or selection of all three methods to try to guess your password. [3]
Part 1: Terminal Services Enumeration
Fire up Google (https://encrypted.google.com - always search encrypted) and search for "/TSWeb/default.htm".
Figure 1.1: Output of a Google search for /TSWeb/default.htm
Pick a subject of your choice and fire up Nmap. You can scan for port 3389 with Nmap.
Figure 1.2: An Nmap scan looking for port 3389 open on the Class C.
Figure 1.3: Results of the Nmap scan looking for open port 3389.
You can also use ProbeTS (http://www.hammerofgod.com/download/probets.zip):
Figure 1.4: The output of ProbeTS.
Terminal Services Connections
Let’s see what a regular Terminal Services connection looks like.
Figure 1.5: the Terminal Services/RDP Client on Windows 2000 Pro to a Windows 2000 Terminal Server.
Figure 1.6: Issuing a command over the Terminal Services Client.
Part 2: TSGrinder
From the TSGrinder website:
“TSGrinder is the first production Terminal Server bruteforce tool. The
main idea here is that the Administrator account, since it cannot be
locked out for local logons, can be brute forced. Also having an
encrypted channel to the TS logon process sure helps to keep IDS from
catching the attempts.
TSGrinder is a "dictionary" based attack tool, but it does have some
interesting features like "l337" conversion, and supports multiple
attack windows from a single dictionary file. It supports multiple
password attempts in the same connection, and allows you to specify how
many times to try a username/password combination within a particular
connection.
Also, the problem you describe can be exacerbated in that the administrator account can be brute-forced without creating a log entry, by attempting 5 logons and disconnecting before Windows disconnects and logs after the sixth failure.”
Let's see TSGrinder in action. I had to use the Windows XP RDP client on Windows 2000 SP4 to get TSGrinder to work properly. I did not need the roboclient.zip that the website mentions.
Figure 2.1: TSGrinder being run with no arguments.
Figure 2.2: TSGrinder using a dictionary attack against the administrator account.
Figure 2.3: A failed attempt.
Figure 2.4: if TSGrinder guesses the password it will log into the terminal services and immediately disconnect.
Figure 2.5: A successful attempt with TSGrinder.
Figure 2.6: TSGrinder supports 2 threads. Here you can see two threads running the attack.
Figure 2.7: A successful attempt with TSGrinder that used 2 threads to run the attack.
Part 3: TScrack
From the TScrack documentation:
“The Windows Terminal Services facility offers graphical desktop
sessions to remote clients. Terminal Services enables users to work in a
windows session that exists on the server. The client functionality is
basically reduced to the functionality of a terminal, all it does is
display the session screen, and collect user input.
TScrack applies AI technology (Artificial Neural Networks) to scrape the
screen contents of the graphical logon, in order to enable a simple
dictionary based cracking algorithm to perform efficiently against the
graphically presented logon dialogs and message boxes.
This is very similar to the technology used i.e. in Optical Character
Recognition (OCR), Face- and Image recognition in general.
TScrack was written for two purposes:
a) To provide a tool to assess password security of MS RDP servers
b) As proof of concept code, to point out that graphical logons are by no means secure from automated cracking / password guessing tools.”
Figure 3.1: TScrack being run with no arguments.
Figure 3.2: TScrack being run against a Windows Server 2003 Terminal Server
Figure 3.3: TScrack successfully cracking the password
Figure 3.4: TScrack also does multithreaded cracking; use the –t option for 2 connections
Figure 3.5: TScrack with two simultaneous connections running
Figure 3.6: TScrack successfully cracking the password
TScrack was updated to v2.1 to include brute force attacks (something TSGrinder does not do).
Figure 3.7: TScrack in Brute force mode (-B option & max word length of 6)
**Note 1: I attempted to use the –N (no logging) option. Windows Server 2003 still logged every failed attempt to log on (which is good).
Figure 3.8: TScrack in Brute force mode with the –N (no logging) option
Figure 3.9: Even with –N enabled, Windows Server 2003 logged the attempts. I did not test every configuration on every type of OS; I just noticed it was logging the attempts and shared the info.
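As an added example (not from the original article or from any of the tools it covers), this Python script shows the per-source counting a defender would run over the failed-logon records that Windows writes for Terminal Services logons, covering both the "5 logons then disconnect" pattern quoted from the TSGrinder site in Part 2 and the logging observed in Note 1. The log records, source addresses and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Failed-logon audit events: 529 on Windows 2000/Server 2003, 4625 on later
# versions. Logon type 10 is RemoteInteractive, i.e. Terminal Services/RDP.
FAILED_LOGON_EVENTS = {529, 4625}
RDP_LOGON_TYPE = 10

# Constructed sample records: (timestamp, event id, logon type, user, source).
# 192.168.0.50 makes five guesses, disconnects and reconnects for five more
# (the "5 logons then disconnect" pattern quoted from the TSGrinder site);
# the logon type 3 record and the lone failure from 192.168.0.77 must not alert.
SAMPLE_EVENTS = [
    ("2005-11-06 10:00:01", 529, 10, "Administrator", "192.168.0.50"),
    ("2005-11-06 10:00:02", 529, 10, "Administrator", "192.168.0.50"),
    ("2005-11-06 10:00:03", 529, 10, "Administrator", "192.168.0.50"),
    ("2005-11-06 10:00:04", 529, 10, "Administrator", "192.168.0.50"),
    ("2005-11-06 10:00:05", 529, 10, "Administrator", "192.168.0.50"),
    ("2005-11-06 10:00:09", 529, 3, "Administrator", "192.168.0.50"),
    ("2005-11-06 10:00:12", 529, 10, "chris", "192.168.0.77"),
    ("2005-11-06 10:00:20", 529, 10, "administrator", "192.168.0.50"),
    ("2005-11-06 10:00:21", 529, 10, "administrator", "192.168.0.50"),
    ("2005-11-06 10:00:22", 529, 10, "administrator", "192.168.0.50"),
    ("2005-11-06 10:00:23", 529, 10, "administrator", "192.168.0.50"),
    ("2005-11-06 10:00:24", 529, 10, "administrator", "192.168.0.50"),
]

def _parse(rec):
    ts, event_id, logon_type, user, source = rec
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id,
            logon_type, user.lower(), source)

def detect_guessing(records, threshold=6, window=timedelta(minutes=5)):
    """Return {source: (failures, users)} for each source whose failed RDP
    logons reach `threshold` within any `window`. Counting per source across
    connections is the point: however the guesses are split over sessions,
    the sliding window still sees all of them."""
    recent = defaultdict(deque)   # source -> failure timestamps in window
    users = defaultdict(set)
    alerts = {}
    for ts, event_id, logon_type, user, source in sorted(map(_parse, records)):
        if event_id not in FAILED_LOGON_EVENTS or logon_type != RDP_LOGON_TYPE:
            continue
        hits = recent[source]
        hits.append(ts)
        users[source].add(user)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold:
            alerts[source] = (len(hits), sorted(users[source]))
    return alerts
```

Running `detect_guessing(SAMPLE_EVENTS)` flags 192.168.0.50 with all ten failures against the administrator account, even though no single connection exceeded five.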
**Note 2: I also had to drastically change the default password policy
on Server 2003 to put an easy to crack password. I chose a password of
“chrisg” as the password I wanted to brute force.
Figure 3.10: Here is the default password policy for Windows Server 2003
Figure 3.11: What I changed the password policy to, to allow “chrisg” as a password
**Note 3: I had to run TScrack 2.1 on a Windows 2000 machine; it wasn't working properly on Windows XP SP2. Also, if you are getting an MSRDP.OCX error, uninstall TScrack using the "-U" option and then reinstall it by issuing TScrack.exe –h.
Part 4: Rdesktop & BruteForcing RDP with Rdesktop patch
Download rdesktop version 1.4.1 from the website:
http://www.rdesktop.org/
http://prdownloads.sourceforge.net/rdesktop/rdesktop-1.4.1.tar.gz?download
Download the rdp-bruteforce patch from foofus.net:
http://www.foofus.net/jmk/rdesktop.html
http://www.foofus.net/jmk/tools/rdp-brute-force-r422.diff
Copy the patch into the source directory and apply it:
SegFault:/Users/chrisgates/Desktop root# cd rdesktop-1.4.1
SegFault:/Users/chrisgates/Desktop/rdesktop-1.4.1 root# patch -p1 -i rdp-brute-force-r422.diff
patching file orders.c
patching file orders.h
patching file rdesktop.c
patching file rdesktop.h
patching file rdp.c
patching file secure.c
patching file xkeymap.c
Compile and install rdesktop:
./configure
make
sudo make install
Start X-Windows/X-Darwin/X11 (I used X-Darwin installed using fink on Mac OS X Tiger). This shouldn't be an issue if you are using a Linux flavor with a GUI.
Now start rdesktop with your password list and user or user list:
SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$ rdesktop -u administrator -p pass.txt 192.168.0.105
**You'll need to run this from X-Darwin/X-Windows/X11; if you run it from a plain command line it will say something like:
ERROR: Failed to open display:
If everything is working right you'll see rdesktop open, try to log in, and then exit. Check your command line output to see whether you were able to guess the password.
Figure 4.1: Running rdesktop with no parameters gives you the help menu.
Figure 4.2: Issuing the command line parameters to start rdesktop in *nix in XDarwin.
Figure 4.3: rdesktop brute forcing the accounts.
The following output was against an XP Pro SP2 host. With XP, if a user is currently logged in, they will be forced to log off when you connect to the machine over RDP.
SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$ rdesktop -u noone -p pass.txt 192.168.0.105
Starting dictionary attack against server 192.168.0.105
-------------------------------------------------------
Retrieved connection termination packet.
Account credentials are NOT valid.
Retrieved connection termination packet.
[failure] User "noone" Password "test"
Retrieved connection termination packet.
Account credentials are NOT valid.
Retrieved connection termination packet.
---SNIP---
[failure] User "noone" Password "admin"
Retrieved connection termination packet.
Account credentials are NOT valid.
Retrieved connection termination packet.
[failure] User "noone" Password "administrator"
Valid credentials, however, another user is currently logged on.
[success] User "noone" Password "noone"
SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$
Figure 4.4: The command line output of the successful attack against XP SP2 but with the user logged in.
Let's see rdesktop against a Windows Server 2003.
Figure 4.5: rdesktop against Windows Server 2003, attacking the "chris" account.
Figure 4.6: rdesktop successfully cracking the password with a dictionary attack.
References
Terminal Services References:
http://www.microsoft.com/windowsserver2003/techinfo/overview/termserv.mspx
TSGrinder References:
TSGrinder: http://www.hammerofgod.com/download/tsgrinder-2.03.zip
http://www.ethicalhacker.net/www.blackhat.com/presentations/bh-asia-03/bh-asia-03-mullen.pdf
http://www.msterminalservices.org/articles/Brute-Force-Hacking-Terminal-Server-Environments.html
Hacking Exposed Windows Server 2003, Ch. 12.
TScrack References:
http://web.mac.com/opticrealm/iWeb/asurobot/My%20Cyber%20Attack%20Papers/My%20Cyber%20Attack%20Papers_files/remote%20dictionary%20tscrack%20Nov_6_2005.pdf
Hacking Exposed Windows Server 2003, Ch. 12.
Rdesktop References:
rdesktop: http://www.rdesktop.org/ and http://prdownloads.sourceforge.net/rdesktop/rdesktop-1.4.1.tar.gz?download
rdesktop patch by JMK of foofus: http://www.foofus.net/jmk/rdesktop.html and http://www.foofus.net/jmk/tools/rdp-brute-force-r422.diff
Footnotes
[1] http://www.onlinetravelsafe.com/choosing_passwords.php
[2] http://www.sans.org/resources/glossary.php
[3] http://www.onlinetravelsafe.com/choosing_passwords.php