Lab X : Remote Desktop Hacking and Security


ECE 4112 Internetwork Security Lab X : Remote Desktop Hacking and Security

Group Number:______

Member Names: ______

Date Assigned: December 06, 2007
Date Due: December 13, 2007
Last Edited: December 03, 2007

Lab Authored by: Raghav Chawla and Jon Ussery

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.

Goal: This lab will introduce you to the remote desktop functionality in Windows. RDP is extremely vulnerable, and this makes it extremely easy to compromise the security of a PC through Remote Desktop. The lab will also cover certain precautions and security measures that can be taken against these hacks.

Background and Theory: Remote Desktop is remote administration software which runs on a foreign host’s server and is displayed locally. The Terminal Services application by Microsoft allows users to access data and applications on a remote computer. This is different from application streaming, as computations are processed on the remote PC.

Terminal Services was introduced in Windows NT 4.0 but was vastly improved in Windows 2000. Vista has new developments as well, such as clipboard and audio features. The difference between the client and server versions of the Windows OS is that in client versions only one user can be logged in at a time, whereas concurrent sessions are allowed in the server version.

The Remote Desktop Protocol (RDP) runs on port 3389. Keyboard and mouse inputs are transmitted via TCP connections. Virtual channels allow other devices to work (such as printers, audio, etc.). RDP also includes an ActiveX control.

There are various software distributions which allow for remote desktop functionality. Some of these are ‘Microsoft Remote Desktop Connection’, ‘TightVNC’, ‘Apple Remote Desktop’, and ‘GoToMyPC’. Different remote desktop software uses different security measures.

We will see how to exploit certain inherent vulnerabilities in the remote desktop protocol. We will also learn how to secure our PCs against such attacks.

Prelab Questions: None

Lab Equipment: This lab will be using two Windows machines. The user can select one of the machines as the target and the other one as the local machine. Windows Remote Desktop and WINVNC are the two software distributions that will be used.

Section 1: Hacking into Remote Desktop

Requires: Regini.exe (http://www.dynawell.com/reskit/microsoft/win2000/regini.zip) and VNC software (from realvnc.com). This section assumes you can transfer files to the remote PC.

From the local Windows machine, check if port 3389 is listening on the remote victim server (the second Windows machine).

If the Terminal Services aren’t available, install Virtual Network Computing (VNC) on the victim machine. Copy the VNC executable and necessary files (WINVNC.EXE, VNCHooks.DLL and OMNITHREAD_RT.DLL) to the target server.

Question 1.1: Why would it be a “good idea” for a hacker to put the files in a systemroot folder?

One consideration is that newer versions of WINVNC add a small green icon to the system tray whenever the server is started. If started from the command line, versions 3.3.2 and earlier are more or less invisible to users interactively logged on.

Once WINVNC is copied over, the VNC password needs to be set. Additionally, we need to tell WINVNC to listen for incoming connections. Both of these are normally set via the GUI, which we do not have on the remote system, so instead we’ll create a file called WINVNC.INI and enter the specific registry changes we want:

HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3
    SocketConnect = REG_DWORD 0x00000001
    Password = REG_BINARY 0x00000008 0x57bf2d2e 0x9e6cb06e

Then load these values into the registry by supplying the name of the file containing the above data (WINVNC.INI) as input to the regini tool:

C:\> regini -m \\ winvnc.ini
HKEY_USERS\.Default\Software\ORL\WinVNC3
    SocketConnect = REG_DWORD 0x00000001
    Password = REG_BINARY 0x00000008 0x57bf2d2e 0x9e6cb06e

Finally, install WINVNC as a service and start it. The following remote command session shows the syntax for these steps (remember, this is a command shell on the remote system):

C:\> winvnc -install

C:\> net start winvnc
The VNC Server service is starting.
The VNC Server service was started successfully.

Congratulations! You have successfully set up a VNC server on a remote PC.

Take a screenshot of successfully logging in to the target machine through VNC [Screenshot 1].

[Reference 1]

Section 2: Connecting to remote desktop even when this functionality is disabled

What if the remote computer you are trying to hack into does not have the Remote Desktop option enabled? Is it possible to connect to a client machine remotely, even if the Remote Desktop option is disabled on the XP client?

The answer to this is yes!

Be sure to disable the Remote Desktop service on the target machine before carrying out the following steps.

Simply do the following on the local Windows machine:

1. Open Regedit on the server (the local machine).

2. Select File - Connect Network Registry.

3. Enter the name of the client machine and select "Check Name".

4. At the bottom of your server's registry tree you will now see two hives appear: HKEY_LOCAL_MACHINE and HKEY_USERS under the client’s computer name.

5. Go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, where fDenyTSConnections is currently set to 1.

6. Change fDenyTSConnections to 0.

7. Attempt to log on again.

Additional steps for Windows XP SP2:

The Windows Firewall blocks access on port 3389.

Make sure to create/change the following registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
    Value name: "3389:tcp"
    Value data: "3389:tcp:*:enabled:@xpsp2res.dll,-22009"

Repeat the change under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List.

Question 2.1: How could you prevent something like this from happening?

[Reference 2]

Section 3: Multiuser Remote Desktop Hack

Windows XP has several limitations, one of which is that it can only be controlled by one user at a time. Therefore only one physically present user, or one remote user, can be logged on at a time. Thus if someone logs into the computer remotely, the local user is disconnected. The following procedure deactivates this block and allows multiple persons to connect to and use a single computer remotely.

This is a great way for a malicious user to repeatedly connect to a machine he has previously compromised without alerting the user of the compromised machine. The drawback to this hack, however, is that the hacker would require physical access to the machine to set it up at first. The hacker could also do this the first time he breaks into the machine using Remote Desktop.

Note: There is no way for XP to handle more than two concurrent users in one session.

Procedure (to be carried out on the target machine):

STEP 1: Start Windows in Safe Mode (tap F8 at the first Windows loading splash screen); right-click “My Computer” and choose “Properties”; go to the “Remote” tab and uncheck “Allow users to connect remotely to this computer” (if it’s already unchecked, do nothing); click OK.

STEP 2: Go to Start -> Control Panel; open “Administrative Tools” and then “Services”; double-click “Terminal Services” in the list; choose “Disabled” for the “Startup Type” option; click OK.

STEP 3: Go to C:\windows\system32\dllcache; rename the termsrv.dll file to termsrv.original (or another name you like) and replace it with the new file from http://www.orbitfiles.com/download/id20947665. Then go to C:\windows\system32 (the parent folder of the current one) and do the same operation: rename termsrv.dll here too, and put in another copy of the new file.

STEP 4: Click Start, then “Run…”, type “regedit” (without quotes) and press ENTER; navigate the Windows registry tree to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core; right-click on blank space in the right pane of the registry window, choose “New” > DWORD, name the new value “EnableConcurrentSessions” (without quotes), then edit it and set its value to 1; close the editor.

STEP 5: Click Start, then “Run…”, type “gpedit.msc” (without quotes) and press ENTER; open Computer Configuration > Administrative Templates > Windows Components > Terminal Services; double-click “Limit number of connections”, choose “Enabled” and set the maximum number of concurrent connections you want to allow (2 or more), then restart Windows in normal mode.

STEP 6: Go back to the Remote tab of My Computer’s properties (see step 1) and enable “Allow users to connect remotely to this computer”; go back to “Terminal Services” in “Services” (see step 2) and set its “Startup type” to “Manual”.

Now restart Windows. Your operating system should now be ready to accept multiple remote desktop connections. User account configuration is reachable in the Control Panel, and the list of users that can connect to the PC is editable in the Remote tab of My Computer.

Question 3.1: Is there a way of knowing whether someone is logged on to your computer using remote desktop even after you have made these changes to his machine?

[Reference 3]
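Each of the Section 1-3 procedures leaves footprints on the target: a new service and registry key, a flipped fDenyTSConnections value, an opened firewall port, the EnableConcurrentSessions value and a swapped termsrv.dll. The following PowerShell audit is an added example (not part of this lab handout or its references) that checks a host for those footprints; it assumes an elevated PowerShell 4 or later on the machine being checked, and uses the paths and value names the lab text gives (the firewall value name is written 3389:TCP here; registry names are case-insensitive).

```powershell
# Added audit script (not part of the lab): looks for the footprints that the
# Section 1-3 procedures leave on a Windows host. Assumes an elevated
# PowerShell 4 or later; paths and value names are those given in the lab.
$findings = @()

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Section 1: WinVNC dropped onto the box and registered as a service.
if (Get-Service -Name 'winvnc' -ErrorAction SilentlyContinue) {
    $findings += 'Service "winvnc" is installed'
}
if (Test-Path 'Registry::HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3') {
    $findings += 'HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3 exists (VNC password set for the default profile)'
}

# Section 2: Remote Desktop switched on and 3389 opened in the firewall policy.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-RegValue $ts 'fDenyTSConnections') -eq 0) {
    $findings += 'fDenyTSConnections = 0: Remote Desktop is enabled'
}
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $open = Get-RegValue "$fw\$fwProfile\GloballyOpenPorts\List" '3389:TCP'
    if ($open) { $findings += "$fwProfile firewall policy opens 3389:TCP ($open)" }
}
# The "Connect Network Registry" step only works while Remote Registry runs.
$rr = Get-Service -Name 'RemoteRegistry' -ErrorAction SilentlyContinue
if ($rr -and $rr.Status -eq 'Running') {
    $findings += 'Remote Registry service is running'
}

# Section 3: concurrent-session value and replaced termsrv.dll.
if ((Get-RegValue "$ts\Licensing Core" 'EnableConcurrentSessions') -eq 1) {
    $findings += 'EnableConcurrentSessions = 1 under Licensing Core'
}
$sys32 = Join-Path $env:SystemRoot 'system32'
$copies = @((Join-Path $sys32 'termsrv.dll'), (Join-Path $sys32 'dllcache\termsrv.dll')) |
    Where-Object { Test-Path $_ }
$hashes = @($copies | ForEach-Object { Get-FileHash -Path $_ -Algorithm SHA256 })
# Print the hashes so they can be compared with a known-good copy: the lab
# replaces both files, so two matching hashes are not proof on their own.
$hashes | ForEach-Object { "termsrv.dll $($_.Path): $($_.Hash)" }
if (@($hashes.Hash | Select-Object -Unique).Count -gt 1) {
    $findings += 'termsrv.dll in system32 and dllcache differ: one copy has been replaced'
}
if (Test-Path (Join-Path $sys32 'termsrv.original')) {
    $findings += 'Leftover renamed termsrv.original in system32'
}

if ($findings.Count -eq 0) { 'No Section 1-3 footprints found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it before and after carrying out the lab steps to see exactly which settings each section changed; on Windows versions without a dllcache folder only the system32 hash is printed.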

Section 4: Hacking Remote Desktop Through a Firewall

If the target computer has blocked the RDP port (port 3389), you could still hack into the machine using SSH tunneling.

In a nutshell, SSH tunneling allows you to connect to a port on another machine by forwarding traffic through an intermediary SSH server. If you have access to an SSH server behind the firewall, you can use an SSH tunnel to connect to services on other machines behind that firewall, including remote desktop services.

First configure your firewall on the target machine to block port 3389.

Then download the PuTTY SSH client for Windows from http://www.chiark.greenend.org.uk/%7Esgtatham/putty/download.html onto your local Windows machine.

Using PuTTY (a rockstar SSH client for Windows), you can easily set up a tunnel for accessing RDC on your firewalled server:

1. Configure a new SSH session for the SSH server that you have access to (128.62.109.197 in this example).

2. In the Connection/SSH/Tunnels menu, add a new forwarded port. You'll need to set up a port on your own machine (this will be the virtual, forwarded connection to the remote RDC server), so use something unused, like 5800.

3. In the destination field, enter the IP address and RDC port for the firewalled machine, i.e. :3389 (3389 is what RDC listens on).

Now save your session and connect to the SSH server.

At this point, you can connect to the remote server's RDC port via your local machine's port 5800. Everything that goes in and out of localhost:5800 will be transparently whisked away over the SSH connection, through the intermediary machine, to your destination server's port 3389. So instead of entering :3389 for your destination server in the Remote Desktop client, enter localhost:5800. It will go right through the firewall.

Take a screenshot showing that you successfully configured SSH tunneling [Screenshot 2].

Breaking Firewalls with OpenSSH and PuTTY - http://souptonuts.sourceforge.net/sshtips.htm

Question 4.1: How can you prevent against this?

[Reference 4]

Section 5: Remote Desktop Security Measures

Many people use the Windows XP Professional remote desktop feature to gain easy access to their home PCs. But opening up a connection to an administrator account on your system is very dangerous. As we have seen in the previous sections, it is very easy to take control of someone’s PC using Remote Desktop. Fortunately there are a few simple steps you can take to protect yourself:

1. Limit users who can log on remotely

First, only allow certain users Remote Desktop access. Go to the Control Panel, then System, then the Remote tab.

From there, enable "Allow users to connect remotely to this computer." Then, click "Select Remote Users."

Here, add only the users who you want to be able to log in remotely.

Unfortunately for you, that setting didn't do a thing! You will find that you can still log on as any administrator account. To make things complicated, Microsoft defaults to the least secure setting possible while hiding this fact from the user. You will need to go to another location to change the real list. Click Start - Programs - Administrative Tools - Local Security Policy. If you can't find it, you can also do Start - Run - enter "%SystemRoot%\system32\secpol.msc /s" - Ok.

Under Local Policies - User Rights Assignment, there is a line that says "Allow logon through Terminal Services." And just next to it is "Administrators, Remote Desktop Users." Aha! Too bad it didn't show "Administrators" in the other screen. Double-click this setting and remove "Administrators." If you want an administrator to have access, just add them explicitly through the other screen.

2. Set an account lockout policy

There are already tools that will use brute force to guess passwords and log on remotely. You cannot stop this, but it can be minimized by setting an account lockout policy. If someone tries to guess the password, then after a few guesses they will be locked out for a period of time. This can make hours or days of guessing become centuries, which makes it infeasible to brute-force your way into the system.

From the same Local Security Policy screen from before, go to Account Policies - Account Lockout Policy.

Account lockout threshold: This is the number of failed logon attempts before the user is locked out. Three is usually sufficient to indicate someone is trying to break in.

Reset account lockout counter after: For a typical home system, set this to the same value as the Account Lockout Duration below.

Account lockout duration: This is how long the user will be unable to log on after several failed attempts. Even a few minutes will significantly reduce the possibility of a remote brute-force attack. For a home system, any more than a few minutes can be frustrating. You may come home to find your account is locked out because of some joker guessing passwords. Adjust the setting to your own tolerance. Setting this value to zero means the account stays locked until it is manually unlocked.

Question 5.1: What value did you choose for the lockout duration? Why?

To manually unlock an account you must log on as another administrator user (preferably one without Remote Desktop access). Then go to Start - Programs - Administrative Tools - Computer Management - Local Users and Groups. Click on the individual user and uncheck the "account is disabled" check box. You may then log on as that user.

3. Require Passwords and 128-Bit Encryption

For compatibility with older, weaker, less-secure clients, Windows XP defaults to allowing minimal or no encryption on remote desktop connections. If you are connecting with older software, upgrade it. (If you were to connect with the PocketPC Terminal Services Client, this setting would not work for you, since that client does not support high encryption.)

Click Start - Run - "%SystemRoot%\system32\gpedit.msc /s" to get to the Group Policy Editor.

From here, go to Computer Configuration - Administrative Templates - Windows Components - Terminal Services - Encryption and Security.

You can change the "Set client connection encryption level" from "Not Configured" to "Enabled" and "High Level" to force the client to use 128-bit encryption. This protects your passwords as well as anything transmitted during your terminal service session.

Enabling "Always prompt client for password upon connection" prevents the remote user from saving the password on the client computer and avoiding the password prompt. Saving passwords is generally a dangerous setting since the password is now on another computer, and because it allows the user to forget it.

4. Change the RDP port number

The Event Viewer logs failed login attempts and account lockouts. You can periodically check this to see if anyone is trying to get in. If your firewall keeps logs (Windows Firewall does), then you can use these to see when someone tries to connect.

Opening TCP port 3389 from the Internet to your computer would probably be a bad idea, since that is the port attackers scan for; people aren’t necessarily looking for RDP connections on other ports. So, it is a good security measure to change the port RDP listens on to a different port, and then enable connectivity to that port through the firewall.

You can also move the Terminal Services port from 3389 to another port by changing the registry key at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

from 3389 to something else. You will then need to specify the port when you connect to your system. Connect with something like "my.computerathome.com:3389" instead of "my.computerathome.com".

Take a screenshot after successfully changing the port number [Screenshot 3].

5. Security Limitations

Remote Desktop is encrypted, which makes it more secure than many simplistic VNC implementations. However, Remote Desktop is vulnerable to a man-in-the-middle attack because it does not use a certificate to authenticate the server. That means that if you connect to your system via Remote Desktop, there is no guarantee that the conversation is not recorded, and your passwords are not guaranteed to be safe, even though the session is encrypted.

Question 5.2: How can you get rid of the vulnerability of Remote Desktop to man-in-the-middle attacks?

[Reference 5]
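Each of the Section 5 measures has a setting that can be read back, which is a quicker check than reopening every dialog. The script below is an added example (not from this lab or its references) that reports those settings; it assumes an elevated PowerShell 3 or later on the hardened machine, English output from net accounts, and the value names MinEncryptionLevel, fPromptForPassword and PortNumber under the RDP-Tcp key, which are the registry counterparts of the Group Policy settings and port change described above.

```powershell
# Added verification script (not part of the lab): reads back the Section 5
# settings so the hardening can be confirmed without reopening each dialog.
# Assumes an elevated PowerShell 3+ on the hardened machine and English
# output from "net accounts".
function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$results = @()

# 1. "Allow logon through Terminal Services" is the SeRemoteInteractiveLogonRight
#    privilege; secedit exports it as a list of SIDs. S-1-5-32-544 is the
#    built-in Administrators group, which Section 5 says to remove.
$inf = Join-Path $env:TEMP 'rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $inf -Encoding Unicode |
    Select-String -Pattern '^SeRemoteInteractiveLogonRight' | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
$right = if ($line) { $line.Line } else { '(not set)' }
$results += [pscustomobject]@{
    Check = 'Allow logon through Terminal Services'
    Value = $right
    OK    = ($null -ne $line) -and ($right -notmatch 'S-1-5-32-544')
}

# 2. Account lockout policy as reported by "net accounts" ("Never" = no lockout).
$acct = net accounts
$thr = [string](($acct | Select-String 'Lockout threshold') -replace '.*:\s*', '')
$dur = [string](($acct | Select-String 'Lockout duration \(minutes\)') -replace '.*:\s*', '')
$results += [pscustomobject]@{ Check = 'Lockout threshold'; Value = $thr; OK = ($thr -ne 'Never') }
$results += [pscustomobject]@{ Check = 'Lockout duration (min)'; Value = $dur; OK = ($thr -ne 'Never') }

# 3. Encryption level and password prompt, the registry side of the Group
#    Policy settings: MinEncryptionLevel 1 = Low, 2 = Client Compatible,
#    3 = High (128-bit); fPromptForPassword 1 = always prompt.
$enc = Get-RegValue $rdp 'MinEncryptionLevel'
$results += [pscustomobject]@{ Check = 'MinEncryptionLevel'; Value = $enc; OK = ($enc -ge 3) }
$prompt = Get-RegValue $rdp 'fPromptForPassword'
$results += [pscustomobject]@{ Check = 'fPromptForPassword'; Value = $prompt; OK = ($prompt -eq 1) }

# 4. Listening port moved off the well-known 3389.
$port = Get-RegValue $rdp 'PortNumber'
$results += [pscustomobject]@{ Check = 'RDP PortNumber'; Value = $port; OK = ($null -ne $port -and $port -ne 3389) }

$results | Format-Table -AutoSize
```

A row with OK = False points at the dialog in the corresponding Section 5 step that still needs to be revisited.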

Answer Sheet Lab X

Group Number: ______

Member Names: ______

Section 1: Hacking into Remote Desktop

Question 1.1: Why would it be a “good idea” for a hacker to put the files in a systemroot folder?

Section 2: Connecting to remote desktop even when this functionality is disabled

Question 2.1: How could you prevent something like this from happening?

Section 3: Multiuser Remote Desktop Hack

Question 3.1: Is there a way of knowing whether someone is logged on to your computer using remote desktop even after you have made these changes to his machine?

Section 4: Hacking Remote Desktop Through a Firewall

Question 4.1: How can you prevent against this?

Section 5: Remote Desktop Security Measures

Question 5.1: What value did you choose for the lockout duration? Why?

Question 5.2: How can you get rid of the vulnerability of Remote Desktop to man-in-the-middle attacks?

How long did it take you to complete this lab? Was it an appropriate length lab?

What corrections and/or improvements do you suggest for this lab? Please be very specific, and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like "add tool xyz to do more capable scanning" will not be awarded extra points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus if tool xyz adds a capability or an additional or better learning experience for future students, here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screenshots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements. The lab addition section must start with the form “Laboratory Additions Cover Sheet” which may be found on the class web site.

Turn-in Checklist

-Answer sheet

-Three Screenshots

-Any lab additions

Answer Sheet Lab X

Group Number: ___Answer Key______

Section 1: Hacking into Remote Desktop

Question 1.1: Why would it be a “good idea” for a hacker to put the files in a systemroot folder?

Answer: So that the user does not notice the files and suspect anything to be wrong or out of place.

Section 2: Connecting to remote desktop even when this functionality is disabled

Question 2.1: How could you prevent something like this from happening?

Answer: Change passwords; make sure no one else can access your computer.

Section 3: Multiuser Remote Desktop Hack

Question 3.1: Is there a way of knowing whether someone is logged on to your computer using remote desktop even after you have made these changes to his machine?

Answer: Logged in user’s processes can be found under the task manager. Usually one can also notice what files have been moved around or changed.

Section 4: Hacking Remote Desktop Through a Firewall

Question 4.1: How can you prevent against this?

Answer: Block access to SSH via firewall.

Section 5: Remote Desktop Security Measures

Question 5.1: What value did you choose for the lockout duration? Why?

Answer: (depends on user preferences)

Question 5.2: How can you get rid of the vulnerability of Remote Desktop to man-in-the-middle attacks?

Answer: You could use SSH tunneling.

References

Reference 1 - Hacking Exposed, fifth edition

Reference 2 - http://blogs.technet.com/

Reference 3 - http://riccardo.raneri.it/

Reference 4 - http://www.hackszine.com/

Reference 5 - http://www.mobydisk.com/

TA Lab Setup Instructions

For this lab, the TA will need to ensure that the students have access to either two Windows computers connected on a network, or one PC with two Windows virtual machines. Ensure the ability to edit the registry and access administrative features.

The software needed for the lab is located on the CD-ROM that accompanies this lab. It includes the following files:

RegINI.exe (http://www.dynawell.com/reskit/microsoft/win2000/regini.zip)
WinVNC install files (realvnc.com)
Termsrv.dll (http://www.orbitfiles.com/download/id20947665)
PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
Windows Remote Desktop (included in Windows XP Professional)
