Pentester trick #9: exchanging files through RDP (without getting owned)

Remote access to the target system is sometimes limited to RDP protocol only (either Remote Desktop or Terminal Server access).

This is often the case with heavily firewalled systems, such as branch office servers exposed on the Internet with port TCP/3389 opened alone.

Previously gathered credentials might have allowed the pentester to break into such a system. However, how to get further without being able to access the Internet from the target ?

Locally available utilities (such as the NET command, VBScript-ing and the like) are invaluable in this case. But what about hardcore, process-injecting utilities ?

A pretty well-known trick in this case is the ability to mount through the RDP protocol many client-side resources, such as printers (NOT recommended), clipboard and ... hard drives.

At this point, the novice pentester got his C drive mounted on the remote server, and all his utilities wiped out by server antivirus.

Now it is time to call upon the forgotten lore of MS-DOS, namely the SUBST command which is still available on Windows XP SP3.

After having created a C:\TAZ directory on his laptop, the experienced pentester types at the CMD console prompt:

SUBST D: C:\TAZ

... and is now able to exchange with the remote target through a virtual "D:" drive, without getting owned.

Having compromised the remote network beyond hope, he now types:

SUBST D: /D

... and might have finished the assessment report by 5:00 PM, if he is wise enough NOT to use LaTeX.

Pentester trick #8: command-line sniffing made easy

(Preamble: this post applies to Windows operating system only. Linux has tcpdump, Solaris has snoop, etc.)

Sometimes sniffing the network from a compromised remote target might become handy.

For instance, it proved useful to me in the following pentest cases:

• Recovering POP/IMAP/SMTP passwords, when classical tools are blocked by antivirus software (use of POPS/IMAPS/SMTPS is still not widespread, especially on enterprise LANs).
• Gathering HTTP session cookies or even passwords.

But sometimes you have only command-line access to the remote target (through PSEXEC, Metasploit and such).

Getting access to the GUI (through VNC, Remote Desktop or DameWare Mini Remote Control) is not practical, since the targetted user is actively working on the console (there are workarounds for this situation, but I am not going to discuss them right now).

Installing network sniffing software, such as WireShark/Winpcap, is not practical because you have to setup the software (which makes change to the target system configuration) and you might end up in rebooting the system. Not to mention the x64 case, which requires signed drivers (latest x64 Winpcap drivers are signed, though).

A lot of people are pretending to offer "rebootless command line sniffers", but they are often unmaintained proof-of-concept tools, and professional pentesters cannot afford to crash a remote target.

The most reliable and lightweight tool I know is ... the one made by Microsoft, a.k.a. Microsoft Network Monitor. It relies on Windows built-in packet capture features, therefore leaving minimal footprint on the target system. It can run without install. It works on all Microsoft-supported Windows versions, in x86, x64 and even IA64 flavors.

How to use it ?

1. Download and install Microsoft Network Monitor on a standalone computer.
2. Upload nmconfig.exe and nmcap.exe on the target computer.
3. Enable the Microsoft Network Monitor Driver: nmconfig /install
4. Test: nmcap /displaynetworks
5. Sniff all TCP traffic on every local interface: nmcap /network * /capture tcp /File tcp.cap
6. Disable the Microsoft Network Monitor Driver: nmconfig /uninstall

(Caveat: the capture file format is not Winpcap-compatible. However, Wireshark (and others) know how to read it.)