RDP MitM Exercise

1. Introduction

A Man-in-the-Middle (MitM) attack is a cyberattack in which the attacker secretly relays, and possibly alters, the communication between two parties who believe they are talking directly to each other. This exercise applies MitM to the RDP protocol.

2. Goal

  • perform an RDP MitM proxy

  • play with username/password authentication

  • enable/disable NLA (Network Level Authentication) on the target RDP server

3. Security Questions

As you can see, the RDP connection is protected against this kind of RDP man-in-the-middle attack by activating NLA (Network Level Authentication). Please do your research and answer the following questions:

  • Explain NLA.

  • Explain CredSSP.

  • Explain why NLA should protect against MitM.

  • Would 2FA fix the problem of this kind of MitM attack?

  • What is the difference between the two nmap outputs in the steps above (NLA enabled vs. disabled)?

4. Exercise

4.1 PyRDP MitM Docker

  1. Disable NLA for RDP on Client

  2. Perform an nmap scan to check whether NLA is active on port 3389:

nmap -P0 -p 3389 --script rdp-enum-encryption 192.168.71.150 192.168.71.159

  3. Set up the PyRDP Docker container:

docker pull gosecure/pyrdp:latest
docker run --rm -i -p 3389:3389 gosecure/pyrdp pyrdp-mitm.py x.x.x.x   (x.x.x.x = IP address of the RDP server)

In my case the setup didn't work. I can see that the docker service is listening on localhost on port 3389, but for some reason the forwarding to the destination server failed!

  4. Enable NLA for RDP Client

  5. Perform the nmap scan again to check NLA.

I'll stop here and use another tool to simulate an RDP MitM attack.

4.2 Seth MitM tool

Setup: 1 Kali Linux box (attacker), 1 Win2k8 server (victim), 1 Win10 box (target)

https://github.com/SySS-Research/Seth

Attacker IP: 192.168.71.164
Victim IP: 192.168.71.166
Target IP: 192.168.71.150

./seth.sh eth1 192.168.71.{164,166,150}

Initiate an RDP connection from the Win2k8 server (victim) to the Win10 box (target).

The victim needs to ignore the certificate warning and proceed with yes!

The attacker has captured the credentials!

If NLA is enabled for RDP, this attack won't work!

5. Answers

Network Level Authentication, or NLA as it is commonly known, is a service/technology used in conjunction with Remote Desktop Services. It was rolled out with version 6.0 of RDP, with initial support in Windows Vista.

NLA uses the Credential Security Support Provider (CredSSP) protocol to perform strong server authentication over SSL/TLS or Kerberos to protect against MitM attacks. Additionally, NLA protects the remote client by completing user authentication before a full RDP connection is established.

2FA can be used for better security, but won't fully prevent this kind of attack. The attacker will still be able to catch the second factor when the victim types it.

The first nmap output shows that a downgrade to other, weaker authentication types is possible. With NLA activated, only strong server authentication is allowed.
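As an added, defender-side example that is not part of the original exercise: the script below reproduces the check behind the nmap rdp-enum-encryption step in section 4.1 and the last answer above. It sends an X.224 Connection Request carrying an RDP_NEG_REQ that asks for one security protocol at a time (the structures and constant values are the documented ones from [MS-RDPBCGR]) and parses the server's RDP_NEG_RSP or RDP_NEG_FAILURE. A server that enforces NLA refuses the standard-RDP and TLS-only requests with HYBRID_REQUIRED_BY_SERVER; if either request is accepted, a downgrade away from CredSSP is possible, which is the difference between the two nmap outputs. The function names and the sample response bytes are my own and constructed for illustration; host and port come from the command line.

```python
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values ([MS-RDPBCGR] 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000        # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001        # TLS only, no CredSSP
PROTOCOL_HYBRID = 0x00000002     # CredSSP (NLA)

# failureCode values of RDP_NEG_FAILURE ([MS-RDPBCGR] 2.2.1.2.2)
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (19 bytes in total)."""
    # RDP_NEG_REQ: type=0x01, flags, length=8, requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: length indicator, type 0xE0, dst-ref, src-ref, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (big-endian)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes):
    """Classify a server X.224 Connection Confirm.

    Returns ("response", selectedProtocol), ("failure", failure_code_name)
    or ("none", None) when the server sent no RDP negotiation structure at all
    (legacy server that only knows standard RDP security).
    """
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT packet")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:
        return ("none", None)
    neg_type, _flags, length, payload = struct.unpack_from("<BBHI", data, 11)
    if length != 8:
        raise ValueError("bad RDP negotiation structure length")
    if neg_type == TYPE_RDP_NEG_RSP:
        return ("response", payload)
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return ("failure", FAILURE_CODES.get(payload, f"UNKNOWN_{payload:#x}"))
    raise ValueError(f"unexpected negotiation type {neg_type:#x}")


def probe_nla(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Open one connection per requested protocol and record how the server answers."""
    results = {}
    for name, proto in (("standard_rdp", PROTOCOL_RDP),
                        ("tls_only", PROTOCOL_SSL),
                        ("nla", PROTOCOL_HYBRID)):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(proto))
            results[name] = parse_connection_confirm(s.recv(1024))
    return results


def downgrade_possible(results: dict) -> bool:
    """True if the server accepted a request that excluded CredSSP (NLA not enforced)."""
    return any(results[k][0] in ("response", "none") for k in ("standard_rdp", "tls_only"))


# Constructed sample answers (not captured from a real host), with dst-ref/src-ref 0x1234:
SAMPLE_NLA_REFUSAL = (b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00"
                      + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 0x05))
SAMPLE_TLS_ACCEPTED = (b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00"
                       + struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_SSL))

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    res = probe_nla(target)
    for name, outcome in res.items():
        print(f"{name:13s}: {outcome}")
    print("NLA enforced" if not downgrade_possible(res) else "downgrade possible: NLA NOT enforced")
```

Run it against your own RDP servers before and after flipping the NLA setting: with NLA enforced, both the standard_rdp and tls_only probes come back as a HYBRID_REQUIRED_BY_SERVER failure and only the nla probe is answered with a selected protocol.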

6. Further Readings

https://www.alternativesec.xyz/pentesting/2017/01/02/NLA-How-to/
https://www.gosecurity.ch/rdp-man-in-the-middle-angriff/

Last updated 3 years ago