Howto: do a man-in-the-middle attack with APR on RDP using Cain & Abel
Method
Warning: only try this on a network and on computers which you own or have permission to do this on. In most countries it is illegal to do this on a network you do not own without permission of the owner.
The RDP protocol prior to version 6 is vulnerable to man-in-the-middle (MITM) attacks. A man-in-the-middle attack can be done in several ways, for example with ARP poison routing (APR), an evil twin access point or DNS spoofing. Today we’ll choose APR. APR only works on the local subnet, so the attacker must be somewhere in between the victim and the RDP server; in most cases the attacker is on the same subnet as the victim. The RDP server can be any Windows host with Terminal Services or Remote Desktop enabled.
More information about ARP spoofing can be found on Wikipedia:
http://en.wikipedia.org/wiki/ARP_spoofing
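The detection side of the ARP poisoning described above, as an added example that is not part of the original post: a small detector over constructed tcpdump-style ARP replies that flags an IP whose announced MAC changes and a single MAC that claims more than one IP. The IP addresses are the hosts from this write-up; the MAC addresses and the log lines are made up.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's ARP reply format ("Reply <ip> is-at <mac>"). The IPs are
# the hosts from this write-up, the MACs are made up; the last three replies show one unknown
# MAC taking over both the terminal server (.27) and the workstation (.22).
SAMPLE_ARP_REPLIES = """\
ARP, Reply 192.168.2.1 is-at 00:11:22:33:44:01, length 28
ARP, Reply 192.168.2.22 is-at 00:11:22:33:44:22, length 28
ARP, Reply 192.168.2.27 is-at 00:11:22:33:44:27, length 28
ARP, Reply 192.168.2.27 is-at 00:11:22:33:44:99, length 28
ARP, Reply 192.168.2.22 is-at 00:11:22:33:44:99, length 28
ARP, Reply 192.168.2.27 is-at 00:11:22:33:44:99, length 28
""".splitlines()

ARP_REPLY = re.compile(r"Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F:]{17})")


def detect_arp_poisoning(lines, trusted=None):
    """Return alerts: ("mac_change", ip, old_mac, new_mac) when the MAC announced
    for an IP changes, and ("multi_ip", mac, (ip, ...)) when one MAC claims more
    than one IP, which is what APR looks like when it poisons both ends.
    trusted: optional known-good {ip: mac} seed (e.g. the gateway), so a forged
    reply is flagged even if it is the first reply seen for that IP."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue  # not an ARP reply
        ip, mac = m.group(1), m.group(2).lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(("mac_change", ip, old, mac))
            mac_to_ips[old].discard(ip)  # the old MAC no longer claims this IP
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac] and mac_to_ips[mac]:
            alerts.append(("multi_ip", mac, tuple(sorted(mac_to_ips[mac] | {ip}))))
        mac_to_ips[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

Seeding `trusted` with the gateway's real MAC catches the variant from step 6 of the write-up, where the attacker poisons the default router instead of the terminal server.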
Tooling
Man-in-the-middle attacks can be done with, for example, Ettercap, Dsniff, Yersinia or Cain & Abel. For this howto we’ll use the excellent password recovery tool called Cain & Abel.
Cain & Abel combines the man-in-the-middle position with an RDP weakness: it splits up the encrypted channel between the RDP client and server. There are then two encrypted channels, one between the client and the attacker, and one between the attacker and the server. Now we can sniff every keystroke between the victim and the RDP server.
The attack using ARP poison routing and Cain & Abel
1) Stop your anti-virus software, because some anti-virus programs mark Cain & Abel as unwanted software.
2) Start Cain & Abel.
3) Start the sniffer:

4) Select the “Sniffer” tab and click the big plus (add to list):

5) A dialog window appears. Just select “OK” to use the defaults:

Now Cain & Abel looks like this:

Explanation:
192.168.2.1 is my Fritz!Box 7170 router.
192.168.2.22 is the XP workstation of my kids.
192.168.2.24 is my Linux Dreambox 7205 satellite receiver / NAS / hard disk recorder.
192.168.2.27 is a Windows 2003 terminal server on VMware. Settings: high security, but without using client certificates.
192.168.2.110 is my Wii.
The plan is to do an ARP poisoning attack when the Windows XP workstation (192.168.2.22) creates an RDP session to the Windows 2003 terminal server (192.168.2.27).
6) Now go to the APR tab and click somewhere in this area:

7) Press the big plus (add to list). The following dialog box will appear:

Now select the two hosts you want to sit in between. In this case we first choose the terminal server (192.168.2.27) and after that, in the right pane, the Windows XP workstation (192.168.2.22).
It is also possible to choose the default router (192.168.2.1 in my case) to do the attack on a terminal server which is located on another subnet.
8) After pressing “OK”, you can start the ARP poison routing attack with the APR button:

Now the APR attack is running and we can wait until one of my kids on the Windows XP workstation logs in to the terminal server. Notice the status “Poisoning”.
As soon as an RDP session is set up, we see the session in our APR overview:

Note the details: RDP v4, high-level encryption, a 128-bit key. Looks secure, but….
9) Now select the APR line and press the right mouse button. A menu appears; choose “View”. A Notepad window opens with the unencrypted log of the session.
This is my log:
Now search for the phrase “Key pressed client-side” to reveal the password:
Key pressed client-side: 0x1f – ‘s’
Key pressed client-side: 0x12 – ‘e’
Key pressed client-side: 0x2e – ‘c’
Key pressed client-side: 0x13 – ‘r’
Key pressed client-side: 0x12 – ‘e’
Key pressed client-side: 0x14 – ‘t’
Countermeasures
The only way to prevent this attack is to implement a server certificate, so the client can verify that it is connected to the real server instead of the attacker. See this Microsoft page:
http://technet.microsoft.com/en-us/library/cc782610.aspx
References
The Cain & Abel page about APR RDP
Tags: apr, arp poisoning, cain & abel, man in the middle, mitm, rdp
April 15th, 2009 at 11:23
Nice how-to. What should I do if I have a lot of PCs in the network and I don’t know which one connects to the terminal service?
April 15th, 2009 at 11:29
Never mind, I thought you could only add one address to intercept; found out that you can add all the addresses.
April 30th, 2009 at 04:40
That is all well and good, but I can’t seem to find any documentation on how it can be done remotely.
If you could shed a little light on the subject, that would be fantastic.
As I understand it, it is possible.
December 2nd, 2009 at 17:24
When I try to apply your method it acts as a DoS attack, where I get the packets but Cain & Abel doesn’t forward them. Why is that? I also see the icon showing half-routing. How can I re-forward the packets back to their original track?
Thanks
January 20th, 2010 at 23:19
Maybe you should try to enable the Routing and Remote Access service.
January 21st, 2010 at 10:47
Hi, this should not be necessary, because Cain/Abel should handle this. I’ve no idea why it does not work.