Friday, August 28, 2009

Pentester trick #9: exchanging files through RDP (without getting owned)

Remote access to the target system is sometimes limited to the RDP protocol only (either Remote Desktop or Terminal Server access).

This is often the case with heavily firewalled systems, such as branch office servers exposed on the Internet with TCP port 3389 as the only open port.

Previously gathered credentials might have allowed the pentester to break into such a system. But how does one get further without being able to reach the Internet from the target?

Locally available utilities (such as the NET command, VBScript-ing and the like) are invaluable in this case. But what about hardcore, process-injecting utilities?

A pretty well-known trick in this case is that the RDP protocol can redirect many client-side resources into the remote session, such as printers (NOT recommended), the clipboard and ... hard drives.



At this point, the novice pentester has his whole C: drive mounted on the remote server, and all his utilities wiped out by the server's antivirus.

Now it is time to call upon the forgotten lore of MS-DOS, namely the SUBST command, which is still available on Windows XP SP3.

After having created a C:\TAZ directory on his laptop, the experienced pentester types at the CMD console prompt:

SUBST D: C:\TAZ

... and is now able to exchange with the remote target through a virtual "D:" drive, without getting owned.

Having compromised the remote network beyond hope, he now types:

SUBST D: /D

... and might have finished the assessment report by 5:00 PM, if he is wise enough NOT to use LaTeX.
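The procedure above, wrapped in a small batch script as an added example (not part of the original post): it stages a dedicated directory, maps it to a virtual drive with SUBST, writes a throw-away .rdp file that redirects only that virtual drive into the session (rather than every client drive), and removes the mapping afterwards. The directory C:\TAZ and the drive letter D: come from the post; the hostname, the temporary .rdp file name and the pre-flight checks are assumptions of this example. The .rdp keys used (full address, redirectclipboard, redirectprinters, drivestoredirect) are the standard ones read by mstsc.

```batch
@echo off
REM Added example, not code from the original post.
REM Stage an exchange directory, expose it as a virtual drive through SUBST,
REM and let the RDP session redirect that drive only.
setlocal

set "STAGE=C:\TAZ"
set "VDRIVE=D:"
REM Placeholder target hostname (assumption, not from the post).
set "TARGET=branch-server.example"
set "RDPFILE=%TEMP%\session.rdp"

REM 1. Create the exchange directory if it does not exist yet.
if not exist "%STAGE%\" mkdir "%STAGE%"

REM 2. Refuse to continue if the drive letter is already in use
REM    (a real volume or a SUBST mapping left over from an earlier run).
if exist "%VDRIVE%\" (
    echo %VDRIVE% is already in use; pick another letter or run: subst %VDRIVE% /D
    exit /b 1
)

REM 3. Map the directory to the virtual drive.
subst %VDRIVE% "%STAGE%" || exit /b 1

REM 4. Write a minimal .rdp file. drivestoredirect lists the client drives
REM    exposed to the remote session; "*" would expose every drive, which
REM    is exactly what we want to avoid. Printers stay disabled.
(
    echo full address:s:%TARGET%
    echo redirectclipboard:i:1
    echo redirectprinters:i:0
    echo drivestoredirect:s:%VDRIVE%
) > "%RDPFILE%"

REM 5. Launch the session and block until it is closed.
start /wait "" mstsc "%RDPFILE%"

REM 6. Clean up: drop the mapping so the directory is no longer reachable,
REM    and remove the connection file.
subst %VDRIVE% /D
del "%RDPFILE%"

endlocal
```

Run it from a CMD console on the pentester's laptop; while the session is open, only the contents of C:\TAZ (seen as D: on both sides) are visible to the remote host, so the server's antivirus and other users of the remote system never get to look at the rest of the client disk.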

5 comments:

Francois said...

nice trick :)

Anonymous said...

If you happen to use Linux or other unixoid systems, you can also do this with rdesktop (http://www.rdesktop.org) which lets you share a directory of your choice to the remote host.

newsoft said...

@Anonymous: using Windows for pentesting Windows networks is recommended, in my experience. You will have lots of Microsoft-provided admin tools at hand.

I found Linux handy in network and/or WiFi pentesting only.

Anonymous said...

I didn't get the point of subst... How does it allow transferring data that couldn't be transferred before? Do you do it on the local or the remote computer?

Thanks.

newsoft said...

@anonymous: the problem (to put it plainly) is that mounting your C: drive on the remote machine is very dangerous.

- The remote antivirus can scan your drive and destroy your "tools".
- Every user of the remote system can access your drive (with a few hacks).

So the idea is to use SUBST so that only a single exchange folder is reachable from the remote side.

Of course you can also get the same result by sharing a USB stick :)