
RDP Session Hijacking

Requirements

A compromised SYSTEM account on the Windows machine, and established RDP sessions of potential victims on that machine.

With NT AUTHORITY\SYSTEM privileges, we are able to take over the RDP session of any other user logged on to our system without providing any credentials. This attack can lead to the hijacking of a domain admin session.

There is a difference between logging off and disconnecting from RDP. If the user logs off, the RDP session is closed and there is nothing left to take over. If a user disconnects, for example by closing the RDP window (a very common case), their session is still present on the system and they can return to it later. With RDP Hijacking, we hunt for those disconnected (but still logged-in) sessions that we can take over.

It is also possible to take over the user's active session (i.e. the one they are currently working on), but typically the user is notified when someone else takes over their session.

# List all sessions with IDs
query user

# NOTE: State: DISC is the one we're looking for.

# Switch to the session with the given ID (run as SYSTEM)
tscon <ID>
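As an added example (not part of the original notes), a small Python audit helper that parses `query user` output and lists the disconnected sessions idle longer than a threshold, i.e. exactly the sessions a SYSTEM-level attacker could reattach with `tscon`. The sample output is constructed, and the parser assumes usernames without spaces, as `query user` prints them.

```python
from dataclasses import dataclass

# Constructed sample of `query user` output (not taken from a real host).
# SESSIONNAME is blank for disconnected sessions, so the columns shift.
SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>svc-helpdesk          console             1  Active      none   3/4/2024 8:02 AM
 jdoe                  rdp-tcp#7           2  Active         .   3/4/2024 9:15 AM
 da-admin                                  3  Disc        2:41   3/4/2024 6:30 AM
 asmith                                    4  Disc     1+04:12   3/3/2024 5:50 AM
"""

@dataclass
class Session:
    user: str
    session_name: str   # "" for disconnected sessions
    session_id: int
    state: str          # "Active" or "Disc"
    idle_minutes: int   # 0 for "none" and "."

def parse_idle(token: str) -> int:
    """Convert the IDLE TIME column to minutes: '.', 'none', '37', '2:41', '1+04:12'."""
    if token in (".", "none"):
        return 0
    days = 0
    if "+" in token:                      # days+hh:mm form
        d, token = token.split("+", 1)
        days = int(d)
    parts = [int(p) for p in token.split(":")]
    hours, minutes = (0, parts[0]) if len(parts) == 1 else parts
    return days * 24 * 60 + hours * 60 + minutes

def parse_query_user(output: str) -> list[Session]:
    sessions = []
    for line in output.splitlines()[1:]:          # skip the header line
        tokens = line.lstrip(" >").split()        # '>' marks the caller's own session
        if len(tokens) < 5:
            continue
        # The session ID is the first purely numeric token; with a blank
        # SESSIONNAME it is the 2nd token instead of the 3rd.
        idx = next(i for i, t in enumerate(tokens) if t.isdigit())
        sessions.append(Session(
            user=tokens[0],
            session_name=tokens[1] if idx == 2 else "",
            session_id=int(tokens[idx]),
            state=tokens[idx + 1],
            idle_minutes=parse_idle(tokens[idx + 2]),
        ))
    return sessions

def hijackable_sessions(output: str, max_idle_minutes: int = 60) -> list[Session]:
    """Disconnected sessions idle at least max_idle_minutes: candidates for tscon reattachment."""
    return [s for s in parse_query_user(output)
            if s.state.lower() == "disc" and s.idle_minutes >= max_idle_minutes]
```

Sessions reported here should be logged off (`logoff <ID>`) or prevented from lingering with the "Set time limit for disconnected sessions" Group Policy setting, which removes the window this technique relies on.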
