Category: RDP

Sep 12 2017

Seth – RDP Man In The Middle Attack Tool

Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection in order to extract clear text credentials.

It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks.

Usage of Seth RDP Man In The Middle Attack Tool

Run it like this:

$ ./seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP>

Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.

Read the rest of Seth – RDP Man In The Middle Attack Tool now! Only available at Darknet.

Dec 13 2013

Hacked Via RDP: Really Dumb Passwords

Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today’s post examines an underground service that rents access to hacked PCs at organizations that make this all-too-common mistake.

Makost[dot]net is a service advertised on cybercrime forums which sells access to “RDPs”, mainly Microsoft Windows systems that have been configured (poorly) to accept “Remote Desktop Protocol” connections from the Internet. Windows ships with its own RDP interface built-in; to connect to another Windows desktop or server remotely, simply fire up the Remote Desktop Connection utility in Windows, type in the Internet address of the remote system, and enter the correct username and password for a valid user account on that remote system. Once the connection is made, you’ll see the remote computer’s desktop as if you were sitting right in front of it, and have access to all its programs and files.

Makhost[dot]net sells access to thousands of hacked RDP installations. Prices range from $3 to $10 based on a variety of qualities, such as the number of CPUs, the operating system version and the PC's upload and download speeds.

Makost currently is selling access to more than 6,000 compromised RDP installations worldwide. As we can see from the screen shot above, hacked systems are priced according to a combination of qualities of the server:

  • city, state, country of host;
  • administrative or regular user rights;
  • operating system version;
  • number and speed of computer processors;
  • amount of system memory;
  • network download and upload speeds;
  • NAT or direct

KrebsOnSecurity was given a glimpse inside the account of a very active user of this service, an individual who has paid more than $2,000 over the past six months to purchase some 425 hacked RDPs. I took the Internet addresses in this customer’s purchase history and ran WHOIS database lookups on them all in a bid to learn more about the victim organizations. As expected, roughly three-quarters of those addresses told me nothing about the victims; the addresses were assigned to residential or commercial Internet service providers.

But the WHOIS records turned up the names of businesses for approximately 25 percent of the addresses I looked up. The largest group of organizations on this list were in the manufacturing (21 victims) and retail services (20) industries. As I sought to categorize the long tail of other victim organizations, I was reminded of the Twelve Days of Christmas carol.

twelve healthcare providers;
ten education providers;
eight government agencies;
seven technology firms;
six insurance companies;
five law firms;
four financial institutions;
three architects;
two real estate firms;
and a forestry company (in a pear tree?)

How did these companies end up for sale on makost[dot]net? That is explained deftly in a report produced earlier this year by Trustwave, a company which frequently gets called in when companies experience a data breach that exposes credit card information. Trustwave looked at all of the breaches it responded to in 2012 and found — just as in years past — “IP remote access remained the most widely used method of infiltration in 2012. Unfortunately for victim organizations, the front door is still open.”

The report continues:

“Organizations that use third-party support typically use remote access applications like Terminal Services (termserv) or Remote Desktop Protocol (RDP), pcAnywhere, Virtual Network Client (VNC), LogMeIn or Remote Administrator to access their customers’ systems. If these utilities are left enabled, attackers can access them as though they are legitimate system administrators.”

Source: Trustwave 2013 Global Security Report

“Would-be attackers simply scan blocks of Internet addresses looking for hosts that respond to queries on one of these ports. Once they have a focused target list of Internet addresses with open remote administration ports, they can move on to the next part of the attack: The number 2 most-exploited weakness: default/weak credentials.”

In case the point wasn’t clear enough yet, I’ve gathered all of the username and password pairs picked by all 430 RDP-enabled systems that were sold to this miscreant. As evidenced by the list below, the attackers simply needed to scan the Internet for hosts listening on port 3389 (Microsoft RDP), identify valid usernames, and then try the same username as the password. In each of the following cases, the username and password are the same.

Some of these credential pairs even give you an idea of the type of organization involved, the employee account that was compromised (“intern,” “techsupport,”); the purpose of the hacked system (“payroll”, “fax,” “scanner,” “timeclock”); even the geographic location of the compromised PC within the organization (e.g., “front desk,” “conference room,” “garage”). Incredibly, some of the systems appear to be named after actual security features or backup devices (“symantec,” “sonicwall,” “sophos”):

owner owner
showroom showroom
operations operations
train train
test test
colin colin
robert robert
install install
besadmin besadmin
tony tony
guest guest
symantec symantec
stacey stacey
stephanie stephanie
jessica jessica
install install
frontdesk frontdesk
sophos sophos
tim tim
lisa lisa
guest guest
guest guest
timeclock timeclock
dale dale
djohnson djohnson
john john
staff staff
student student
cw cw
guest guest
inventory inventory
aspnet aspnet
scanner scanner
tablet1 tablet1
timeclock timeclock
rsmith rsmith
tara tara
gary gary
user user
billing1 billing1
shipping1 shipping1
warehouse warehouse
scott scott
cnc cnc
training training
personnel personnel
template template
training training
faxserver faxserver
nicole nicole
sales sales
jbrown jbrown
driver driver
ksmith ksmith
sys sys
engineering engineering
gking gking
guest guest
kclark kclark
kwebb kwebb
guest1 guest1
robert robert
AdMiNiStRaToR AdMiNiStRaToR
ipad ipad
rae rae
canon canon
shipping shipping
fax fax
remote1 remote1
mission mission
reporter reporter
dispatch dispatch
guard guard
rm rm
marcia marcia
sales sales
makik makik
kbrown kbrown
kbrown kbrown
ray ray
jrobinson jrobinson
shop shop
remote remote
dharris dharris
user user
bkexec bkexec
cmm cmm
toolcrib toolcrib
test test
temp temp
sbrown sbrown
dispatch dispatch
carpet carpet
laura laura
techsupport techsupport
bkexec bkexec
ganderson ganderson
buexec buexec
twadmin twadmin
acs acs
acs acs
bkexec bkexec
testu testu
bookkeeper bookkeeper
rtcservice rtcservice
jcampbell jcampbell
mlee mlee
email email
owner owner
bethb bethb
sisadmin sisadmin
cmartinez cmartinez
beadmin beadmin
mattp mattp
conf conf
prod prod
ws ws
jackie jackie
tempadmin tempadmin
install install
support support
wendy wendy
ricoh ricoh
simmons simmons
agarcia agarcia
jens jens
prod prod
timeclock timeclock
specialist specialist
christine christine
training training
sqlexec sqlexec
production production
testuser testuser
garage garage
sms sms
ldap ldap
sharepoint sharepoint
epicor epicor
epicor epicor
sandy sandy
resource resource
carrie carrie
nancy nancy
remote remote
lisa lisa
sales sales
kristina kristina
facilities facilities
erika erika
seagate seagate
mmills mmills
checkout checkout
susan susan
peter peter
insurance insurance
Administrator Administrator
maureen maureen
mike mike
training training
av av
schedule schedule
brad brad
timeclock timeclock
awilson awilson
spadmin spadmin
cecilia cecilia
renee renee
fax fax
sonny sonny
joey joey
caroot caroot
xray xray
dallen dallen
triage triage
ewilliams ewilliams
djordan djordan
clerk clerk
danny danny
bkupexec bkupexec
bu bu
monroe monroe
mmiller mmiller
seagate seagate
mmurray mmurray
recruiting recruiting
jsmith jsmith
jwilson jwilson
buexec buexec
mikeg mikeg
jking jking
bobc bobc
caroot caroot
kronos kronos
jgreen jgreen
bkupexec bkupexec
lab lab
jaime jaime
davidf davidf
kronos kronos
xray xray
rbrown rbrown
bizhub bizhub
julie julie
bec bec
checkout checkout
tuser tuser
bjohnson bjohnson
jbox jbox
dataentry dataentry
itsupport itsupport
sharepoint sharepoint
pc pc
volunteer volunteer
mail mail
konica konica
mill mill
canon canon
volunteer volunteer
heidi heidi
carla carla
tracy tracy
frontdesk frontdesk
driver driver
operations operations
trainer trainer
accounts accounts
labuser labuser
production production
jsmith jsmith
sup890 sup890
installer installer
help help
intern intern
la la
timeclock timeclock
confrm confrm
assembly assembly
john john
spadmin spadmin
jdoe jdoe
bloomberg bloomberg
resume resume
attach attach
assembly assembly
faxes faxes
faxes faxes
aevans aevans
tjones tjones
dbagent dbagent
Scanner Scanner
frontoffice frontoffice
Billing Billing
Nurse Nurse
MS MS
buexec buexec
xray xray
joan joan
frontdesk frontdesk
bkupexec bkupexec
kjohnson kjohnson
marcia marcia
kbrown kbrown
str str
awilliams awilliams
lsmith lsmith
voicemail voicemail
lsmith lsmith
wilkerson wilkerson
wilkerson wilkerson
wilkerson wilkerson
faxadmin faxadmin
faxadmin faxadmin
faxadmin faxadmin
vismail vismail
aspuser aspuser
jh jh
pmartin pmartin
tammy tammy
melanie melanie
mfg mfg
dwright dwright
sharepoint sharepoint
mobile mobile
forms forms
conference conference
examroom examroom
insurance insurance
confroom confroom
archiver archiver
Production Production
restore restore
Email Email
export export
Payroll Payroll
schulung schulung
tablet tablet
temp temp
cci cci
michele michele
jimm jimm
techsupport techsupport
exadmin exadmin
randerson randerson
ecopy ecopy
triage triage
ecopy ecopy
pool pool
jcampbell jcampbell
labcorp labcorp
jtaylor jtaylor
dmartin dmartin
markd markd
rsvp rsvp
beadmin beadmin
ataylor ataylor
police police
backup backup
template template
presentation presentation
setup setup
jeffm jeffm
spiceworks spiceworks
labcorp labcorp
croom croom
vorlage vorlage
summit summit
exchange exchange
user2 user2
corpconf corpconf
exadmin exadmin
rrobinson rrobinson
tserver tserver
faxes faxes
faxes faxes
cmm cmm
west west
shipping shipping
SYSTRAY SYSTRAY
scanuser scanuser
besadmin besadmin
davidm davidm
labcorp labcorp
cnc cnc
faxes faxes
faxes faxes
assist assist
toshiba toshiba
labcorp labcorp
exadmin exadmin
tadmin tadmin
resumes resumes
resumes resumes
scan1 scan1
shipping shipping
adminsch adminsch
exchangeadmin exchangeadmin
debbie debbie
edi edi
kate kate
exam exam
exam2 exam2
workstation2 workstation2
trainer2 trainer2
scanner scanner
cs cs
books books
katie katie
Chief Chief
ricoh ricoh
konica konica
laurie laurie
classroom classroom
pt pt
mill mill
staff2 staff2
research research
frontdesk frontdesk
dispatch2 dispatch2
pete pete
smiller smiller
Office Office
conference conference
bookkeeper bookkeeper
sales1 sales1
router router
user1 user1
fax fax
exchadmin exchadmin
stacy stacy
oncall oncall
postgres postgres
toolroom toolroom
backups backups
ricoh ricoh
confroom confroom
production production
jake jake
kitchen kitchen
client2 client2
archive archive
ws ws
delia delia
qbdataserviceuser qbdataserviceuser
brac brac
spd spd
sonicwall sonicwall
rec rec
itadmin itadmin
pack pack
volunteer volunteer
mail mail
printer printer
south south
testing testing
testing testing
parts parts
conferenceroom conferenceroom
voicemail voicemail
reports reports
parts parts
voicemail voicemail
shipping shipping
scanner scanner
training training
watchdog watchdog
amanda amanda
user4 user4
student1 student1
lo lo
jackie jackie
scan scan
classroom classroom
client1 client1
client1 client1

If you’ve read this far, I hope it’s clear by now that the easiest way to get your systems hacked over RDP is to pick crappy credentials. Unfortunately, far too many organizations that end up for sale on services like this one are there because they outsourced their tech support to a third-party company that engages in this sort of sloppy security. Fortunately, a quick external port scan of your organization’s Internet address ranges (TCP port 3389 is the default) should tell you whether any of your systems are exposing RDP to the Internet. Here are a few more tips on locking down RDP installations.
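The scan-then-guess pattern described above leaves a distinctive trail in the Windows Security log: a burst of failed logons (event 4625) from one source address against many different account names, followed by a success (event 4624) once a username-equals-password account is found. The script below is an added example written for this page, not something from the original post; it runs that detection over a constructed set of sample records (the addresses, names and timestamps are invented) and returns one alert per offending source, classifying it as a password spray (many accounts) or a brute force (one account) and noting any success that followed. Two details matter in practice and are reflected in the code: RDP logons without NLA are recorded as LogonType 10, but when NLA is enforced the CredSSP failure is recorded as LogonType 3, so both are watched; and LogonType 3 also covers SMB and other network logons, so on a real host you would add the destination port or the TerminalServices operational logs to the correlation. Thresholds are my own starting points, not a standard.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log records, not real data:
# (timestamp, EventID, LogonType, TargetUserName, IpAddress)
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP),
# LogonType 3 = network logon, which is how an NLA (CredSSP) failure shows up.
SAMPLE_EVENTS = [
    ("2013-12-13T02:14:01", 4625, 10, "guest", "198.51.100.7"),
    ("2013-12-13T02:14:03", 4625, 10, "Administrator", "198.51.100.7"),
    ("2013-12-13T02:14:05", 4625, 3, "scanner", "198.51.100.7"),
    ("2013-12-13T02:14:07", 4625, 10, "fax", "198.51.100.7"),
    ("2013-12-13T02:14:09", 4625, 10, "payroll", "198.51.100.7"),
    ("2013-12-13T02:14:11", 4624, 10, "timeclock", "198.51.100.7"),  # the username-as-password guess lands
    ("2013-12-13T03:00:00", 4625, 10, "jsmith", "203.0.113.9"),
    ("2013-12-13T03:01:00", 4625, 10, "jsmith", "203.0.113.9"),
    ("2013-12-13T03:02:00", 4625, 10, "jsmith", "203.0.113.9"),
    ("2013-12-13T08:55:00", 4625, 2, "dale", "-"),                   # console logon, not RDP
    ("2013-12-13T09:00:00", 4624, 10, "rsmith", "10.0.0.5"),
]

WINDOW = timedelta(minutes=10)   # how long one burst may span
FAIL_THRESHOLD = 5               # failures inside the window that raise an alert
SPRAY_DISTINCT_USERS = 3         # at least this many accounts => spraying, not one-account brute force


def parse_events(rows):
    """Normalise raw tuples; account names are compared case-insensitively."""
    return [{"time": datetime.fromisoformat(ts), "event": event, "logon_type": logon_type,
             "user": user.lower(), "ip": ip} for ts, event, logon_type, user, ip in rows]


def detect_rdp_attacks(events):
    """One alert per source IP whose RDP logon failures reach FAIL_THRESHOLD inside WINDOW."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] in (3, 10) and e["ip"] != "-":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event"] == 4625]
        start = 0
        for end in range(len(failures)):
            # Sliding window: drop failures that fall more than WINDOW before the newest one
            while failures[end]["time"] - failures[start]["time"] > WINDOW:
                start += 1
            burst = failures[start:end + 1]
            if len(burst) < FAIL_THRESHOLD:
                continue
            users = sorted({e["user"] for e in burst})
            # A success from the same source after the burst began is the outcome the article describes
            success = next((e for e in evs if e["event"] == 4624 and e["time"] >= burst[0]["time"]), None)
            alerts.append({
                "ip": ip,
                "kind": "password_spray" if len(users) >= SPRAY_DISTINCT_USERS else "brute_force",
                "failures": len(burst),
                "users": users,
                "first": burst[0]["time"].isoformat(),
                "success_user": success["user"] if success else None,
            })
            break  # one alert per source is enough; the SIEM can dedupe further
    return alerts


def alerts_for(rows):
    return detect_rdp_attacks(parse_events(rows))


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the only alert is for 198.51.100.7: five failures against five different accounts in eight seconds, then a successful logon as "timeclock", which is exactly the kind of account that appears in the list above. The three failures for one account from 203.0.113.9 stay below the threshold and the console logon is ignored.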

Readers who liked this story may also enjoy this piece — Service Sells Access to Fortune 500 Firms — which examined a similar service for selling hacked RDP systems.

Mar 19 2012

MS12-020 RDP Exploit Code In The Wild

The big news that erupted towards the end of last week was about the latest pretty serious vulnerability patched quietly by Microsoft, AKA MS12-020 (which plenty of people are using to bait skiddies into downloading dodgy code). The flaw is in the RDP (Remote Desktop Protocol) service – which is a pretty bad service to [...]

Read the full post at darknet.org.uk


Oct 21 2011

Satanbot Employs VBScript to Create Botnet

Malware is on the rise. At the beginning of 2008, our malware collection had 10 million samples. Today we have already surpassed 70 million. Most of the malicious samples are Trojans (backdoors, downloaders, fake alerts), but there are also a lot of viruses, worms, and bots that in a short time can infect many computers without user interaction. Usually the malicious code comes in the form of an executable or DLL, but sometimes malware authors opt to use alternate languages such as VBScript (Visual Basic Scripting Edition), a lightweight Active Scripting language that is installed by default in most Microsoft Windows versions since Windows 98. One example of this kind of malware is Satanbot: a fully functional VBScript botnet that uses the Remote Desktop Connection to connect to infected systems.

VBScript files are usually in clear text because they are interpreted at runtime rather than compiled in advance by the author. For cases in which the author wants to stop others from viewing or modifying the source, Microsoft provides a command-line tool, Script Encoder, which encodes the script into a .vbe file. The result is no longer readable as plain text, but the encoding is reversible rather than cryptographic, and the file can be decoded back to its original form. Once that file is decoded, we can look at the bot’s source code, which is divided into sections. Each section implements a different function of Satanbot, most of which we’ve already seen in AutoRun worms like Xirtem. Here is a description of these functions:

  1. Enable CMD and REGEDIT: To be able to make its changes to the system (modify the registry and execute BAT files), the script re-enables registry editing (regedit) and the command line (cmd) by setting the values “DisableRegistryTools” and “DisableCMD” to 0. It also sets up persistence by creating a value named “Update” in the “Run” key that points to the path of the script, and configures the system to hide files and file extensions.
  2. Disable UAC: The value “EnableLUA” is checked to see whether User Account Control needs to be disabled on Windows Vista, Windows Server 2008 and Windows 7. If it is enabled, the script creates on the fly another script and a BAT file to disable UAC. A further registry change lets operations that require elevation of privileges proceed without consent or credentials. At the end, all the temporary files used to make the modifications are deleted.
  3. Take ownership of folders: The command TAKEOWN (on Windows Vista and 7) is run to take ownership of, and enable modification of, folders including Application Data, Cookies, and Local Settings.
  4. Self-install and spread: Another BAT file is created in the %TEMP% path. It first changes the icon of .vbe files to the one used by Windows for pictures, so the user will think the file is a picture and not malware. The original .vbe, along with a shortcut file, is then copied to several locations, including network shares and the shared folders of popular peer-to-peer clients like eMule, LimeWire, and Ares. Another spreading vector is infecting removable drives by creating autorun.inf files together with a copy of the original .vbe and a shortcut (.lnk) file.
  5. Worm test: A confusing name, but this is another spreading method. The original .vbe is copied to other folders such as Startup and %Userprofile%\Microsoft under the name “System File [Not Delete]” to discourage the user from deleting it.
  6. Worm.s@tan: Contains a loop that triggers execution of the code every 60 minutes.
  7. Backdoor: Using another temporary BAT file, the malware will enable Remote Desktop Access by making the following changes to the system:
  • Allow unsolicited remote assistance and full control
  • Allow the use of blank passwords
  • Enable multiple concurrent remote desktop connections (with a maximum of five)
  • Automatically start the Terminal Service
  • Open port 3389 in the Windows firewall
  • Add an administrator user to the system
  • Start the Remote Desktop Services UserMode port redirector service
  • Create a file in the bot’s path with an “OK” inside
  • The foregoing commands execute on reboot while the message “Windows repare quelques fichiers, patientez …” (Windows is repairing some files, wait …) appears to the user at the command prompt.
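Every item in the backdoor list above is an ordinary administrative setting; what gives the infection away is the combination. As an added example for this page (not part of the McAfee writeup or of the malware), the Python script below reads the registry values behind those settings, plus the UAC values from step 2, and reports which ones are in the state Satanbot leaves behind. The mapping from the writeup’s bullets to value names is mine and uses the documented Windows names: fDenyTSConnections and the TermService/UmRdpService start types for enabling and auto-starting Remote Desktop, MaxInstanceCount for the concurrent-session limit, LimitBlankPasswordUse for blank passwords, fAllowUnsolicited/fAllowFullControl for unsolicited Remote Assistance, and EnableLUA/ConsentPromptBehaviorAdmin for UAC. The firewall rule for port 3389, the added administrator account and the “OK” marker file are not registry values and are not checked here; `netsh advfirewall firewall show rule name=all` and `net localgroup Administrators` cover the first two. `collect_windows()` needs Windows; `evaluate()` and `verdict()` work on any snapshot, which is how the example runs offline.

```python
import sys

# Each check: HKLM subkey, value name, predicate that is True when the value is in the state the
# backdoor stage sets, severity, description. Missing values are passed to the predicate as None.
CHECKS = [
    ("SYSTEM\\CurrentControlSet\\Control\\Terminal Server", "fDenyTSConnections",
     lambda v: v == 0, "info", "Remote Desktop connections enabled"),
    ("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp", "MaxInstanceCount",
     lambda v: v is not None and v > 1, "medium", "multiple concurrent RDP sessions allowed"),
    ("SYSTEM\\CurrentControlSet\\Control\\Lsa", "LimitBlankPasswordUse",
     lambda v: v == 0, "high", "blank passwords accepted for network (including RDP) logon"),
    ("SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services", "fAllowUnsolicited",
     lambda v: v == 1, "high", "unsolicited Remote Assistance allowed"),
    ("SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services", "fAllowFullControl",
     lambda v: v == 1, "high", "Remote Assistance full control allowed"),
    ("SYSTEM\\CurrentControlSet\\Services\\TermService", "Start",
     lambda v: v == 2, "info", "Terminal Services start type is Automatic"),
    ("SYSTEM\\CurrentControlSet\\Services\\UmRdpService", "Start",
     lambda v: v == 2, "low", "RDS UserMode port redirector start type is Automatic"),
    ("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "EnableLUA",
     lambda v: v == 0, "high", "UAC disabled"),
    ("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "ConsentPromptBehaviorAdmin",
     lambda v: v == 0, "high", "elevation proceeds without consent or credentials"),
]


def snapshot_key(subkey, name):
    """Flat key used in snapshot dicts: full HKLM subkey path plus value name."""
    return subkey + "\\" + name


def collect_windows():
    """Read the checked values from the live registry (Windows only; standard winreg module)."""
    import winreg
    snapshot = {}
    for subkey, name, _pred, _severity, _desc in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                snapshot[snapshot_key(subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value absent: treated as unset
    return snapshot


def evaluate(snapshot):
    """Return the checks whose value matches the backdoor profile."""
    findings = []
    for subkey, name, pred, severity, desc in CHECKS:
        value = snapshot.get(snapshot_key(subkey, name))
        if pred(value):
            findings.append({"value": snapshot_key(subkey, name), "data": value,
                             "severity": severity, "description": desc})
    return findings


def verdict(findings):
    """RDP being enabled is normal on its own; several weak-auth settings together are not."""
    highs = [f for f in findings if f["severity"] == "high"]
    if len(highs) >= 2:
        return "suspicious: %d high-severity settings match the Satanbot backdoor profile" % len(highs)
    if highs:
        return "review: one high-severity setting is in the backdoor state"
    return "clean"


if __name__ == "__main__":
    snap = collect_windows() if sys.platform == "win32" else {}
    findings = evaluate(snap)
    for f in findings:
        print("[%s] %s = %r (%s)" % (f["severity"], f["value"], f["data"], f["description"]))
    print(verdict(findings))
```

The predicates deliberately test for the backdoor state rather than for a single “correct” value, because the info-level items are legitimately set that way on any host that uses Remote Desktop; the script only escalates when the blank-password, Remote Assistance and UAC settings line up as well.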

Another interesting part of the code is the section Compt.Bot, from which the malware sends an HTTP POST request with a specific user agent to the URL of the botnet command server. With that request, the server can get the public IP address of the infected machine, which probably has Remote Desktop Access enabled with the required specifications so the bad guys can connect. By opening that URL in the browser, we can see the IP address of the machine that is connected to the control panel and the number of compromised machines, which can grow very quickly. Take a look at this 24-hour comparison:

Other functionalities of the botnet:

  • Delete browser and user histories of some common software: Internet Explorer, Firefox, Chrome, Thunderbird, and Skype
  • Terminate processes of security software by downloading and executing a batch file that can be easily updated with more processes
  • Download an .exe file from another URL (currently offline). We need to examine this file more thoroughly, but one of its purposes seems to be updating the malware by executing a different embedded .vbe.

Even though VBScript is a poor language for hiding malicious activity (no encryption, obfuscation, packers, anti-debugging or anti-virtual-machine features to speak of), it is pretty effective when we consider the rate of infection in just one day. In addition, such scripts can build a botnet of infected machines that are controlled over a Remote Desktop connection, which lets the attacker perform any action on the system. The malicious files related to this threat are detected by McAfee products as VBS/Satanbot.