Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson begins by recapping information gathering, which is mostly about getting a list of useful files to download and copy; the commands for doing so are the same from machine to machine. The lesson then focuses on the Remote Desktop Protocol (RDP), a Graphical User Interface (GUI) based tool. RDP is a relatively straightforward protocol. Participants follow step-by-step instructions for configuring the Windows Firewall with netsh advfirewall, enabling the rule group for Remote Desktop, and for editing the registry. Participants follow screen-by-screen instructions for turning on RDP and gathering information.

Video Transcription

00:04
Hello and welcome to this latest class in the persistence and continued access course. It's the post-exploitation hacking
00:10
class. We're going to start in on the backdooring and persistence portion of this class. It'll be a very interesting part. I think it's the part that a lot of people
00:18
enjoy. Um, it's the part that really makes you feel like a hacker. Gathering information is mostly just getting a list of useful files to download and copy, and it's the sort of thing that could be done pretty easily by anyone who knows where to look. Most of what we ran through in the actual information gathering was looking at specific commands rather than specific files.
00:38
There was a
00:39
method to that madness.
00:41
Specifically, the commands are typically going to be the same from machine to machine, whereas the files are very often going to be changed; it's easy to change a file name and hide it.
00:48
Commands, less so; that's less commonly done. Anyway, this tool, the first we're going to discuss, is actually going to be the Remote Desktop Protocol.
00:58
It's the best backdoor in my personal and not-so-humble opinion because it's a GUI, and a GUI is nice. A GUI lets us do a whole bunch of extra stuff. It's not uncommon for people, as soon as they get access to a machine and they're certain that it's not currently in use, to set up a Remote Desktop listener
01:17
and then to connect from the outside and start doing GUI work, because it really is just wonderful. Practically impossible to... well, not impossible; it's actually very easy to tell someone's doing it. But there's practically nothing that can be completely hidden when someone's got a remote desktop;
01:33
it's much easier for them to search through your files and go through and change things.
01:38
They've really just owned your computer at that point.
01:40
RDP is a pretty straightforward protocol. It's at least a simple protocol, but it is still one where
01:47
the commands for setting it up from the command line are kind of tricky.
01:51
So again, we're starting from the assumption that we've already exploited our way in with
01:55
Metasploit or with some new 0-day or whatever it might be that we're using. We've broken into the machine, and now we're just sitting in a command prompt. Our next step is going to be to configure the Windows Firewall to let us go through and then set up the registry,
02:08
which will allow us to actually do things, or specifically, you know, do RDP. But the registry in general just lets us do anything on a machine.
02:17
Ah, the first command we're going to use, and I kind of cheated and entered them earlier so that I could more easily
02:23
get it done, is going to be the netsh advfirewall
02:28
advfirewall firewall set rule
02:30
group="remote desktop" new enable=yes. We're gonna go ahead and break this down. netsh is just the program that contains all this information. advfirewall tells it that you're looking at the actual Windows Advanced Firewall, Windows' special firewall. This says you're
02:47
setting a new firewall rule, the firewall set rule, and you're setting it specifically for group remote desktop. Which is, as you may remember from when we were doing our other information gathering: Remote Desktop is a group on this machine,
03:00
which is necessary for this to work. So after that, we just do new enable, which says new connections are allowed, and yes,
03:08
we're gonna run it. Now, this command is sort of tricky, so I'll give you a second so you can pause it and copy it yourself.
03:17
All right. And this command is very persnickety. Any mistakes will pretty well just turn it off and not let it work, right? It could set weird rules, create a bad group; there's all sorts of crazy things that could go wrong. So always make sure you've entered this command correctly, and only on a machine that will actually allow it.
03:34
Yes,
03:36
it takes a little bit, and then it updates a rule, and that's the whole output of it.
03:39
But it says it updated a rule. Correct: it says, okay, updated the rule.
03:44
So hopefully the firewall is now allowing
03:49
new connections.
03:50
After that, we're gonna go to this monstrosity of a command.
03:54
Now reg add deals with the registry hive. If you don't know about the registry in Windows, it's something you really, really want to learn.
04:01
Um, we didn't really dig into it too heavily in any of the other videos, because
04:06
while the registry can give you an amazing amount of information, it's also very commonly logged,
04:13
and it's also sort of difficult for a new person to use. The registry is kind of a higher level of gaining all of the information, but it's a tool for people who have actually
04:21
been doing this for a long time and have familiarity with the simpler tools that we've covered in this course.
04:28
The reg add function is a really handy one. It lets us change a registry key, modify one, or even just create a new one.
04:35
So we're gonna go ahead and type reg add on this name right here, which again you can pause the video at any time and copy over yourself: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server. And there's a space between Terminal and Server.
04:55
Make sure that's all wrapped in quotes so that it resolves properly.
04:59
And then we're gonna use the /v option, fDenyTSConnections, the /t REG_DWORD,
05:05
/d 0 /f,
05:11
and we'll actually, in just a moment, go through these options, because reg add can be very handy. But I wanted you to see the command itself first. Run it, and it has completed successfully.
05:19
So we're gonna go ahead and do reg add
05:23
each
05:24
So I see the first, /v, is the value name. It's the value under that key that we're creating or editing or whatever.
05:32
Ah, the /t is the data type inside the registry.
05:38
And in this case, it's REG_DWORD. The /d is the data. So the way keys work is you actually have a value and a data... ah, data field that's assigned to it,
05:50
and the value tells it what
05:54
it's actually doing. What is it affecting? And then the value field,
06:00
the data field, rather,
06:01
is the actual information. So very often a registry key is used as a boolean, where the value field says something is true or something exists, and then the data field is a zero for false or one for true.
06:15
Um, registry keys can be used for all sorts of other things. But what we're doing right now is basically that, so we're changing the fDenyTSConnections, which is the field that controls and basically turns off
06:28
Terminal Server, or Remote Desktop, as it's more commonly known.
06:31
And then we're setting that data field to zero. We're saying that's false, and we're using the /f to say we're forcing this overwrite, right?
06:41
No prompt. Don't ask me if I want to do it. Just do it.
06:45
And so with that command, we've actually turned on RDP
06:48
and we are ready to go.
06:51
One important detail to note before we go is that RDP is not enabled in... it's not possible with every single Windows machine.
07:00
Ah, Windows 8, if it's a non-Pro machine or a non-Enterprise machine, actually doesn't have RDP enabled, doesn't have it capable of being enabled.
07:10
Um, so that is something you're gonna want to keep an eye out for, but always make sure that your target is a machine that has the capability of doing whatever you're trying to do to it.
07:19
That's really all we have for the RDP video. It's a pretty straightforward process: just a couple of commands, you're in, and then you've got full access.
07:27
We won't really be going through and actually using RDP because, frankly,
07:31
you don't need it. A GUI is pretty straightforward, and I think everyone watching this video is more than equipped to point and click.
07:40
So with that, we're gonna go ahead and end this one. I hope you've enjoyed learning how to use RDP,
07:45
and I hope it's useful.
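The lesson describes the attacker's two commands (the netsh rule-group enable and the fDenyTSConnections registry change) and notes that the registry is commonly logged and that it is easy to tell when someone has done this. As a defender-side complement, here is an added detection example; it is not part of the course material or the instructor's code. It tokenises process-creation command lines of the kind carried in Sysmon Event ID 1 or Security Event ID 4688 records and flags both operations, normalising full executable paths, hive aliases, case and hex data so the obvious variants are still caught. The sample lines, function names and finding labels are constructed for this example.

```python
from typing import Optional

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    # The two commands from the lesson, as the instructor typed them
    'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes',
    'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
    '/v fDenyTSConnections /t REG_DWORD /d 0 /f',
    # Same registry change with a full path, long hive name and hex data
    'C:\\Windows\\System32\\reg.exe ADD "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet'
    '\\Control\\Terminal Server" /f /v fdenytsconnections /t REG_DWORD /d 0x0',
    # Re-disabling RDP (data 1) and an unrelated rule group: not flagged
    'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
    '/v fDenyTSConnections /t REG_DWORD /d 1 /f',
    'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes',
    'ipconfig /all',
]

TERMINAL_SERVER_PATH = r"system\currentcontrolset\control\terminal server"
HKLM_NAMES = {"hklm", "hkey_local_machine"}


def split_windows_args(cmdline: str) -> list[str]:
    """Split on unquoted whitespace and drop the double quotes.

    A simplified model of Windows argument parsing, enough for netsh and reg
    invocations but not a replacement for CommandLineToArgvW. Keeping
    "Terminal Server" as a single argument is why the lesson insists on quotes.
    """
    args: list[str] = []
    current: list[str] = []
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                args.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        args.append("".join(current))
    return args


def program_name(arg: str) -> str:
    """Normalise 'C:\\Windows\\System32\\reg.exe' to 'reg'."""
    name = arg.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_rdp_firewall_enable(args: list[str]) -> bool:
    """netsh advfirewall firewall set rule group="remote desktop" new enable=yes"""
    low = [a.lower() for a in args]
    if len(low) < 7 or program_name(low[0]) != "netsh":
        return False
    if low[1:5] != ["advfirewall", "firewall", "set", "rule"]:
        return False
    rest = low[5:]  # group=<name>, then the new keyword and its settings
    return "group=remote desktop" in rest and "new" in rest and "enable=yes" in rest


def parse_reg_add(args: list[str]) -> Optional[tuple[str, Optional[str], Optional[str]]]:
    """Return (key, value_name, data) for a 'reg add' command, else None."""
    low = [a.lower() for a in args]
    if len(low) < 3 or program_name(low[0]) != "reg" or low[1] != "add":
        return None
    value_name = data = None
    i = 3
    while i < len(low):  # /v and /d each take one argument; /f and /t are skipped
        if low[i] == "/v" and i + 1 < len(low):
            value_name, i = low[i + 1], i + 2
        elif low[i] == "/d" and i + 1 < len(low):
            data, i = low[i + 1], i + 2
        else:
            i += 1
    return low[2], value_name, data


def is_rdp_registry_enable(args: list[str]) -> bool:
    """reg add HKLM\\...\\Terminal Server /v fDenyTSConnections /d 0 (or 0x0)."""
    parsed = parse_reg_add(args)
    if parsed is None:
        return False
    key, value_name, data = parsed
    hive, _, path = key.partition("\\")
    if hive not in HKLM_NAMES or path != TERMINAL_SERVER_PATH:
        return False
    if value_name != "fdenytsconnections" or data is None:
        return False
    try:
        return int(data, 0) == 0  # accepts decimal "0" and hex "0x0"
    except ValueError:
        return False


def classify(cmdline: str) -> list[str]:
    """Finding labels (constructed names) for one command line."""
    args = split_windows_args(cmdline)
    findings = []
    if is_rdp_firewall_enable(args):
        findings.append("rdp_firewall_group_enabled")
    if is_rdp_registry_enable(args):
        findings.append("rdp_fdenytsconnections_cleared")
    return findings


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for every line that produced a finding."""
    return [(i, classify(line)) for i, line in enumerate(lines) if classify(line)]


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_COMMAND_LINES):
        print(f"[{idx}] {', '.join(findings)}: {SAMPLE_COMMAND_LINES[idx]}")
```

Run against the constructed lines, only the first three are flagged; the command that sets fDenyTSConnections back to 1 and the unrelated rule group pass clean. In practice the same logic would be fed from your endpoint telemetry, and a hit on either finding outside a change window is worth a look, since the instructor's own point is that this activity is hard to hide.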

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor