Wednesday, April 2, 2014

RDP Man-in-The-Middle attack

I wanted to try the following attack in my lab, described here: http://www.oxid.it/ca_um/topics/apr-rdp.htm

This seems to be a pretty old one, but it works very well on Windows XP SP3, which is quite common today. I don't want to go into the details of how this works, since it's described very well in the article above, but the main point is that the private key used to sign the server's public key is known, so you can easily create your own signed key. Here are the steps to try this:

You will need 3 Windows machines to reproduce it. One is the attacker, where you run Cain, and the other two are the client and server. As preparation, enable RDP access on one of the Windows machines, and set up a user with a password.

Create new user via CLI:

net user /add username password

To enable RDP access on XP, go to My Computer -> Properties -> Remote tab, and select "Allow users to connect remotely to this computer".

Then start Cain, go to Sniffer, press the small NIC button to start sniffing, and press the "+" sign to add hosts. Add your network range to scan for available hosts.


Once the scan completes, you will see the hosts on the network.


Then go to the APR tab at the bottom, and press the blue "+" sign to add hosts. Select the two hosts (client and server) that you want to spoof.


After that we are ready: press the yellow radioactive button to start poisoning, and with this you are MiTM between the two hosts. There is plenty you can do this way, but I will look at "APR-RDP" now.


Let's open an RDP connection. If you do it from a Windows 7 machine, you will get the following warning:


Ignore it, and log in via the RDP session. Type in your username and password. You will see that Cain captured the RDP traffic and automatically performs the MiTM.


Once we have logged in, we can view the file created by Cain (on the right side of the columns). Look for "Key pressed": you can follow, one by one, what the client was typing, and thus recover its password.


That's it.
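From the defender's side, the ARP poisoning step above is visible in the client's ARP cache. The following is an added example, not part of the original post or of Cain: it parses Windows `arp -a` output and flags a MAC address that answers for several IPs, or an IP whose MAC differs from a recorded baseline. All addresses and the baseline are constructed lab values.

```python
import re
from collections import defaultdict

# Constructed sample: `arp -a` output on the RDP client while it is poisoned.
# 192.168.56.20 (RDP server) and 192.168.56.66 (attacker) resolve to one MAC.
SAMPLE_ARP = """\
Interface: 192.168.56.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.56.1          0a-00-27-00-00-01     dynamic
  192.168.56.20         08-00-27-de-ad-01     dynamic
  192.168.56.66         08-00-27-de-ad-01     dynamic
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed baseline, recorded while the network was known-good.
BASELINE = {"192.168.56.20": "08-00-27-5e-12-34"}

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+", re.I)

def parse_arp(text):
    """Return {ip: mac} for unicast entries in Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface header, column header or blank line
        ip, mac = m.group(1), m.group(2).lower()
        # Broadcast and multicast MACs have the low bit of the first octet set.
        if int(mac[:2], 16) & 1:
            continue
        table[ip] = mac
    return table

def shared_macs(table):
    """MACs that answer for more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def baseline_drift(table, baseline):
    """IPs whose current MAC differs from the known-good one: {ip: (old, new)}."""
    return {ip: (baseline[ip].lower(), table[ip])
            for ip in baseline if ip in table and table[ip] != baseline[ip].lower()}

if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    print("shared MACs:", shared_macs(table))
    print("baseline drift:", baseline_drift(table, BASELINE))
```

A shared MAC is not always hostile (a gateway doing proxy ARP produces the same pattern), so the baseline comparison is the stronger signal.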
