RDP MitM Exercise

1. Introduction

A Man-in-the-Middle (MitM) attack is a cyberattack in which the attacker secretly relays, and possibly alters, the communication between two parties who believe they are communicating directly with each other. This exercise discusses MitM attacks against the RDP protocol.

2. Goal

  • perform an RDP MitM proxy

  • play with username/password authentication

  • enable/disable NLA (Network Level Authentication) on the target RDP server

3. Security Questions

As you can see in the steps below, the RDP connection is protected against this kind of RDP man-in-the-middle attack by activating NLA (Network Level Authentication). Please do your own research and answer the following questions:

  • What is NLA?

  • What is CredSSP?

  • Why should NLA protect against MitM?

  • Would 2FA fix the problem of this kind of MitM attack?

  • What is the difference between the two nmap outputs in the steps above (enabled/disabled NLA)?

4. Exercise

4.1 Pyrdp Mitm Docker

1. Disable NLA for RDP on Client

2. Perform nmap scan to check if NLA is active on port 3389

nmap -P0 -p 3389 --script rdp-enum-encryption 192.168.71.150 192.168.71.159

3. Setup Pyrdp Docker

docker pull gosecure/pyrdp:latest
docker run --rm -i -p 3389:3389 gosecure/pyrdp pyrdp-mitm.py x.x.x.x (IP address of the RDP server)

In my case the setup didn't work. I can see that the docker service is listening on localhost on port 3389, but for some reason the forwarding to the destination server failed!

4. Enable NLA for RDP Client

5. Perform nmap scan to check NLA again

I'll stop here and use another tool to simulate an RDP MitM attack.

4.2 Seth Mitm tool

Setup: 1 Kali Linux box (attacker), 1 Win2k8 server (victim), 1 Win10 box (target)

https://github.com/SySS-Research/Seth

Attacker IP: 192.168.71.164
Victim IP: 192.168.71.166
Target IP: 192.168.71.150

./seth.sh eth1 192.168.71.{164,166,150}

Initiate an RDP connection from the victim (Win2k8 server) to the Win10 box.

The victim needs to ignore the certificate warning and proceed with "Yes"!

The attacker has captured the credentials!

If NLA is enabled for RDP, this attack won't work!

5. Answers

Network Level Authentication, or NLA as it's commonly known, is a service/technology used in conjunction with Remote Desktop Services. It was rolled out with version 6.0 of RDP, with initial support in Microsoft Windows Vista.

NLA uses the Credential Security Support Provider (CredSSP) protocol to perform strong server authentication over SSL/TLS or Kerberos in order to protect against MitM attacks. Additionally, NLA protects the remote client by completing user authentication before a full RDP connection is established.

2FA can be used for better security, but it won't fully prevent this kind of attack: the attacker will still be able to capture the second factor when the victim types it.

The first nmap output shows that a downgrade to a weaker authentication type is possible. With NLA activated, only strong server authentication is allowed.
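To show what the nmap check in step 2 of section 4.1 actually tests on the wire, and what the answer above means in protocol terms, here is an added example (my own code, not part of the exercise, nmap, Seth or PyRDP). It builds the X.224 Connection Request with an RDP_NEG_REQ, parses the server's Connection Confirm and classifies the server: a server that answers HYBRID_REQUIRED_BY_SERVER to a probe that offered only native RDP or TLS enforces NLA, while one that accepts such a probe can be downgraded. The replies in the test are constructed, and probe() assumes a reachable lab server passed as an argument.

```python
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # requestedProtocols bits
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x05   # failureCode: server insists on CredSSP (NLA)


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    x224 = bytes([6 + len(neg_req), 0xE0, 0, 0, 0, 0, 0]) + neg_req  # LI, CR code, refs, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes):
    """Return ('selected', protocol), ('failure', code) or ('legacy', None)."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[5:5 + data[4]]          # code, dst-ref, src-ref, class, [rdpNegData]
    if len(body) < 14:                  # no rdpNegData: pre-6.0 server, RDP security only
        return ("legacy", None)
    neg_type, _flags, _length, value = struct.unpack("<BBHI", body[6:14])
    if neg_type == TYPE_RDP_NEG_RSP:
        return ("selected", value)
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return ("failure", value)
    raise ValueError(f"unknown rdpNegData type {neg_type:#x}")


def assess(confirm: bytes) -> str:
    """Classify a server from its reply to a probe that offered RDP/SSL but not HYBRID."""
    kind, value = parse_connection_confirm(confirm)
    if kind == "failure" and value == HYBRID_REQUIRED_BY_SERVER:
        return "NLA enforced: server refuses every non-CredSSP security layer"
    if kind == "selected":
        layer = "TLS" if value == PROTOCOL_SSL else "native RDP"
        return f"downgrade possible: server accepted {layer} without NLA"
    if kind == "legacy":
        return "downgrade possible: legacy server, native RDP security only"
    return f"negotiation failed with code {value}"


def probe(host: str, requested_protocols: int, port: int = 3389) -> bytes:
    """Send one Connection Request to a lab server and return its Connection Confirm."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_connection_request(requested_protocols))
        return sock.recv(64)
```

Running assess(probe(host, PROTOCOL_SSL)) against the lab server before and after enabling NLA reproduces the difference between the two nmap outputs.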

6. Further Readings

https://www.alternativesec.xyz/pentesting/2017/01/02/NLA-How-to/
https://www.gosecurity.ch/rdp-man-in-the-middle-angriff/
