7.6 Microsoft Remote Desktop Protocol

Remote Desktop Protocol (RDP, also known as Microsoft Terminal Services) provides thin client access to the Windows desktop. The Windows 2000, XP, and 2003 Server platforms usually run these services. The RDP service runs by default on TCP port 3389, accessed using the remote desktop client as shown in Figure 7-2.

Figure 7-2. Connecting to RDP using the remote desktop client

The Microsoft RDP client is available at http://download.microsoft.com/download/whistler/tools/1.0/wxp/en-us/msrdpcli.exe.

7.6.1 RDP Brute-Force Password Grinding

After locating accessible RDP servers (by port scanning for TCP 3389) and performing enumeration through anonymous NetBIOS sessions (see Chapter 9) to identify potentially weak user accounts, an attacker can launch brute-force password-grinding attacks. The Administrator account is usually a good place to start because it can't be locked locally upon multiple failed logon attempts.

Tim Mullen (http://www.hammerofgod.com) put together a useful tool called tsgrinder for brute-forcing terminal services. tsgrinder (Version 2.03 at the time of writing) is available at http://www.hammerofgod.com/download.htm.

Example 7-16 shows the tsgrinder usage from a Win32 command prompt.

Example 7-16. Using tsgrinder

D:\tsgrinder> tsgrinder

tsgrinder version 2.03



Usage:

  tsgrinder [options] server



Options:

  -w dictionary file (default 'dict')

  -l 'leet' translation file

  -d domain name

  -u username (default 'administrator'

  -b banner flag

  -n number of simultaneous threads

  -D debug level (default 9, lower number is more output)



Example:

  tsgrinder -w words -l leet -d workgroup -u administrator -b

            -n 2 10.1.1.1

The tsgrinder tool takes advantage of two features within the terminal services security model. The first is that failed authentication attempts are only logged only if a user provides six incorrect username and password combinations within a given session. tsgrinder launches multiple parallel sessions and provides five sets of user credentials before disconnecting, and is thus not logged by the default terminal services configuration. The second feature is that the tool uses RDP encrypted channel options when attempting to log on, so that an IDS won't pick up on the attack.

7.6.2 RDP Vulnerabilities

A number of denial-of-service and memory-leak issues have been found in Microsoft Terminal Services over the last three years. At the time of writing, MITRE CVE lists two serious remotely exploitable issues within terminal services, as detailed in Table 7-6.

Table 7-6. Remotely exploitable Microsoft Terminal Services bugs
CVE name	Date	Notes
CVE-2000-1149	08/11/2000	RegAPI.DLL overflow in Windows NT 4.0 Terminal Server allows remote attackers to execute arbitrary commands via a long username.
CAN-2002-0863	18/09/2002	RDP Version 5.0 in Microsoft Windows 2000 and 5.1 in Windows XP don't encrypt the checksums of plaintext session data, which can allow a remote attacker to determine the contents of encrypted sessions via sniffing.