doctormop.blogg.se

How to rdp to server without remote desktop services

One means of compromising systems cherished by malware authors is Remote Desktop Protocol (RDP). It provides a convenient way for system administrators to manage Windows systems and help users with troubleshooting an issue. RDP hijacking attacks often exploit legitimate features of the RDP service rather than purely relying on a vulnerability or password phishing. In fact, the WannaCry ransomware is known to enumerate remote desktop sessions in an attempt to hijack RDP sessions and execute malware on each session.

RDP hijacking attacks involve the attacker “resuming” a previously disconnected RDP session. This allows the attacker to get into a privileged system without having to steal the user’s credentials. For example, if an administrator remoted into a Windows Server machine a few days ago, it is much easier for the attacker to “resume” this very session, rather than attempting to obtain the administrator account’s password via social engineering. Once in the system, the attacker can gain lateral movement across the enterprise network while remaining undetected, because to an event monitor, they are effectively acting as the authorized user whose session they have hijacked.

Rather than being a vulnerability, it is a decades-old “technique” that exploits a legitimate feature of the Windows RDP service. Given how a vast majority of enterprise networks connect Windows and Windows Server systems, with sysadmins using RDP, it is vital to be aware of the risks and behavior of the RDP service. Moreover, increasing work-from-home arrangements have meant a greater reliance on remote administration and management tools like RDP, which now form a part of the attack surface for malicious actors.

There are multiple ways to resume an RDP session. The technique was originally discovered in 2011 by Benjamin Delpy, the author of the pen-testing utility mimikatz. In 2017, Alexander Korznikov demonstrated how the same technique can be used for privilege escalation on later versions of Windows machines.

Let’s focus on the RDP hijacking technique leveraging the Tscon.exe utility, which comes with Windows. It enables a user to connect to a different remote desktop session on a system or switch between different sessions. The syntax for the command is simple, with the Microsoft Knowledge Base explaining in detail what each parameter entails: Running such a command on a server hosting the remote desktop session would connect the user to the session with ID 2 and disconnect any existing sessions they are on. The Microsoft Knowledge Base warns though, “If a remotely owned console session is sent to the physical console of the computer by the use of Tscon.exe, the session is left unlocked. Because of this behavior, you have to be careful when you use Tscon.exe so that you do not leave a previously locked server in an unlocked state.”

To hijack another session, the attacker needs to be connected to the RDP host. Therefore, this trick requires some prior level of access. While an attacker could be an insider (unless they are using a compromised account of an employee), the seriousness of this technique lies in the fact it can form a part of a sophisticated, chained advanced persistent threat (APT) attack. Compromising one system, such as via malware, can enable an attacker to exploit this RDP technique to reach into other users’ sessions and environments, without requiring a password.

Suppose the attacker at client 3 logs into the RDP server and is able to see all connected RDP users by simply running the command: query user. The attacker can then execute the following commands in the command prompt:
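
From the defender's side, the Tscon.exe session switch and the `query user` listing described in this article are both visible in process-creation logging. The Python below is an added example, not code from the original article and not the commands it refers to: it flags Tscon.exe executions, extracts the session being attached, and notes whether the same user listed sessions on that host shortly beforehand. The pipe-separated record layout, the sample lines and the ten-minute window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (time|host|user|image|command line), standing in
# for process-creation events (e.g. Security 4688 with command-line auditing).
SAMPLE_LOG = r"""
2024-05-01T09:12:03|RDS01|CORP\alice|C:\Windows\System32\query.exe|query user
2024-05-01T09:12:40|RDS01|CORP\alice|C:\Windows\System32\tscon.exe|tscon 2 /dest:rdp-tcp#14
2024-05-01T09:30:11|RDS01|CORP\bob|C:\Windows\System32\tscon.exe|tscon.exe 3 /dest:console
2024-05-01T09:41:55|RDS01|CORP\carol|C:\Windows\System32\notepad.exe|notepad tscon-notes.txt
"""
ENUM_WINDOW = timedelta(minutes=10)  # assumed correlation window, tune locally

@dataclass
class TsconEvent:
    time: datetime
    host: str
    user: str
    target_session: str  # session ID or name being attached
    dest: str            # /dest: value, "" when omitted
    to_console: bool     # sent to the physical console (left unlocked per the KB warning)
    after_enum: bool     # same user listed sessions on this host shortly before

def parse_tscon(cmdline):
    """Return (target_session, dest) from a tscon command line."""
    target, dest = "", ""
    for tok in cmdline.split()[1:]:  # skip the executable token
        if tok.lower().startswith("/dest:"):
            dest = tok[6:]
        elif not tok.startswith("/") and not target:
            target = tok  # first positional argument: session ID or name
    return target, dest

def find_tscon_events(log_text, window=ENUM_WINDOW):
    """Scan time-ordered records and return one TsconEvent per tscon execution."""
    last_enum, events = {}, []  # last_enum: (host, user) -> time of last session listing
    for line in log_text.strip().splitlines():
        ts, host, user, image, cmdline = line.split("|", 4)
        when = datetime.fromisoformat(ts)
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "quser.exe" or cmdline.lower().startswith("query user"):
            last_enum[(host, user)] = when
        elif exe == "tscon.exe":
            target, dest = parse_tscon(cmdline)
            seen = last_enum.get((host, user))
            events.append(TsconEvent(when, host, user, target, dest,
                                     dest.lower() == "console",
                                     seen is not None and when - seen <= window))
    return events

if __name__ == "__main__":
    for ev in find_tscon_events(SAMPLE_LOG):
        print(ev)
```

Because a hijacked session otherwise looks like its authorized owner to an event monitor, the account that launched Tscon.exe is the field worth comparing against the owner of the target session.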











