Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on Remote Desktop Protocol (RDP) in a Windows-based environment. RDP is a Graphics User Interface (GUI) based remote access mechanism. It was created by Windows for remote administration and allows computer problems to be fixed from far away. There are two types of RDP: - Windows Native RDP

  • Chrome RDP

Participants learn about the following steps in using a Windows RDP: - Setting up a Windows Firewall

  • Editing the registry key

Video Transcription

00:04
hello and welcome to remote desktop protocol. This is part of Part three in the persistence. Continue access course. This is the actual persistence part of the course
00:13
in this video. Obviously we'll be discussing remote desktop protocol on Lian Windows because it did not. Actually.
00:20
Well, it does exist for Lennox, but it's a natively created for Windows thing,
00:25
and it's more fully fledged for Windows.
00:28
So the description Remote desktop protocol is a gooey based remote access mechanism.
00:34
I'm going, by the way, being graphics user interface eso, unlike everything else we've done in this class and everything else we will do in this class. Remote desktop protocol actually lets you point and click.
00:45
Um, it's it's wonderful. For that reason, you could do a lot of things with already. You can't do effectively with a command line because Windows likes to throw up messages and error boxes and things like that
00:57
to make it harder for hackers to actually control the machine. So if you can create an rdp connection, you actually have a graphics, a graphical interface, and you can click those boxes you say okay, and you can say agree, etcetera, etcetera,
01:11
and it tends to work out very well. It was created by Windows by Microsoft for remote administration, and since then it's become everyone's best friend. When it comes to trying to fix the really complex computer problems, pretty much every corporate network will have our DP.
01:27
Um, simply because I T. Guys are lazy. We don't like getting up from our desks. We don't like having to walk from office to office.
01:34
And when you've got 100 calls in and there are three people in the I T office, we need to be able to work, go from one task to the next very quickly. So the solution to that problem the solution of the you know, overworked, undermanned problem
01:49
is to install already pee on every mission on the network and use it as a means to actually
01:53
just sort of tele work from your desk. You know, go to the user's computer, figure out what's going on, diagnose, you know,
02:04
fix everything, and you can. Also, the bright side of it is if you're actually teaching a user
02:08
like howto, for example, imports certificates for Firefox or how to,
02:15
you know, allow something through the firewall, although you should never teach users to do that. That's a very dangerous thing for them to know. Um, you can actually have them sit there and watch as you're using an already pee on their machine or they can watch is you're using some sort of similar program
02:29
and they'll be ableto hopefully at least follow those steps in the future. Downside RTP sort of. The weakness of our TV is that
02:37
it's
02:38
very, very noticeable. You can have it an S H connection into a target machine while someone's on that machine using it. No one's gonna know already. Pee, on the other hand, is very, very noisy. When we will actually show on their screen.
02:53
There are two possibilities. One is that it will boot them off and give you the the actual
03:00
console, which is obviously problematic and that they're going to start calling around and finding out what they just got kicked off the computer. Or
03:07
it's going to show them their mouths moving when they're not moving, their mouths and windows opening and everything happening, which could be a serious problem, obviously from our perspective.
03:15
So already P is really, really excellent, but it's also really, really dangerous there. Two primary types of RTP, at least for Windows. There's the Windows Native Rdp, which is the one we're actually gonna cover in this course. If you
03:30
have been watching the practical or about to watch the practical slides,
03:34
Um, we only really deal with Windows Native
03:37
because it's one that could be configured from the command line. It could be set up.
03:40
It's natively installed on almost every window operating system. That is very, very easy.
03:46
The only reason why you would want 1/3 party would necessarily or their two main reasons
03:52
is Windows A Standard and Windows eight for home use don't actually have already be on them. They took them out because, well, because of stuff like this,
04:01
ah, already be has a legitimate use case on corporate networks. It's not really
04:06
needed
04:09
on the home machine, which means the main people who were getting it on home machines, where people who are being hacked to add viruses, whatever
04:15
on those were the only people who are having it configured.
04:18
So when you're targeting the corporate network, you probably won't have to worry about it, or you might, but most likely not.
04:26
Ah, but that being said, depending on who you're going after you could be, you know, it's part of your pen test. You could have
04:30
been trying to get onto the CEO's PC that he got from work. That has when does a home or what doesn't standard or whatever.
04:38
Um, so it's not impossible that you'll find yourself in a case where
04:43
you can't use
04:44
the windows native Artie. And in those cases, the best thing to do is to find a way to get the third party here. The
04:51
Cromartie fee that we see right here installed. I use Cromartie few myself very often, just because I use Google for everything.
05:00
And ah, it's nice to have everything all in one place. But whatever rdp you use, whoever third party tool you use is fine.
05:06
The downside, obviously, is you have to install it from elsewhere. So sometimes to ftp will work. If you've got an installer taken your own completely from the command line.
05:15
Um, if you've got your tea ftp server set up, as I showed in the that practical video,
05:21
then you can actually use the t FTP pulled the installer over it right over the command line. Which case you're good to go.
05:28
Um,
05:29
it's obviously a little bit harder to get it on the target. Since you have to bring everything over, you have to find a tool which will let you actually install it without making lots of noise. Because obviously, you can't have a gooey to create your gooey.
05:42
Um, so you're gonna be doing it from a command lines if it pops up a message box and the only way to continues to select the message box, you're in trouble.
05:50
Um, obviously one of the great thing. Well, maybe not. Obviously, one of the great things about third party already pieces is you can actually use them through sshh.
06:00
Um,
06:02
and it's possible to do with windows as well, but it takes a little bit more configuration. But for, you know, for chrome or for any of the other third parties, most of the other three parties you can actually just set it up to by default connect over the SS H port, which is obviously a much more common traffic. And it's encrypted, which means that
06:19
the target systems can't open your packet and read it and see that it's in our D. P and turn it off.
06:26
So it's very, very handy to be able to travel to rest sage because no one's gonna bust you.
06:30
There's also the benefit. They're pretty version independent, so you can get him on. You have it work. It works on seven. It will probably work on eight. I can't say this for sure, but it'll probably work on 10 as well. Most of the Windows Application programming interface stays the same from one building the next. So a lot of it'll still work.
06:50
So here we actually get into setting up the windows firewall to allow us to use the windows. Uh, the Windows native already
06:58
So this
07:00
big hunk of text up here?
07:02
Ah, so this commander it here the Nets Aged Man's firewall, Firewall set Rule group equals remote desktop. New enable. Yes, Blais, that's a mouthful.
07:12
What this actually is doing is it's going to the firewall, and it's enabling and new, and we're gonna kind of break it down step by step to see what it's doing.
07:19
The first thing that we see here is Net S H
07:23
fairly straightforward. Ned S H is a network administration toe. They use for controlling certain of Windows.
07:30
Ah, native built in networking protocols and things like that
07:34
on network devices.
07:38
The second function or the second item we see right here.
07:41
Advanced Firewall
07:44
identifies that you're working with the Windows Advanced Firewall. Simple is that used to just be net S H firewall, but with the new windows they actually put in Advanced Firewall, which is sort of a rapper. It's a relatively thin wrapper around firewall itself, although it's a thick rapper and other things.
08:00
What I mean by that is that Advanced Firewall sort of acts to conglomerate lots of lots of different commands. Put him in a workplace,
08:05
Um, and then when you call Advanced Firewall, it calls the appropriate subheading or sub rule with relevance to that we have. The next is firewall. So telling Advanced firewall that, yes, we really are working on something specifically for the firewall. We're not, you know, using advanced firewall for some other networking protocol
08:24
that really shouldn't go under the heading of firewall,
08:26
which is painfully common. So nothing else discovered my advance, for we're actually using the firewall
08:33
and then set rule group
08:35
remote desktop.
08:37
This one is sort of similar to what we saw before in the Net group section.
08:43
Uh, this was a little while. You obviously.
08:46
But Net local group or that group
08:48
shows us what the group names are on a system.
08:52
So Set Rule Group on the firewall
08:54
is actually saying
08:56
for this specific group, which is remote desktop,
09:00
we're going to set a new rule where, But we have a value that we want to put in some rule for it. And we're going to go ahead and do that now firewalls or nothing but rules
09:11
that packets have toe by which packets have to abide. So if your firewall says, you know, nothing goes toe sssh,
09:18
all it really does it open the packet says, Are you going to S h? If the bank it says yes, it says, Okay, my value for that is no leave. And then the last item here, obviously is enable equals yes, which is just allow these connections. When you get a packet, the senses are already be. Just let it go through.
09:33
That's how you set up the actual firewall. The next thing we've got to do to actually set it up and this is the only it only takes two commands. They're just two gigantic commands to take. The fire will come in. And then this registry editing key or this registry editing command.
09:50
So the registry of command is Reggie ad H key local system, current control set control
09:56
terminal server
09:58
slash V after night E s connections slash T Reg d word slash d zero slash f
10:05
This is one of those commands that I'd put on a sticky note.
10:09
Uh, it's pretty much gonna be the same from machine to machine is on infiltrating window seven or earlier.
10:16
But it's not really
10:18
the easiest to remember where everything stored and
10:22
how you're actually gonna set it. People who are very familiar with the registry, they're gonna have an easier time with it, obviously, because it's a pretty straightforward command. It's just very long in the location, sort of
10:31
stealthy.
10:31
So what, this is doing well, dig into specifics when I finish my obsessive highlighting, eh? So what this is doing with the first part of the command is Reggie ad. So all it's doing is looking at the registry, looking the registry controller and saying, Hey,
10:46
I'm going to do a thing. I'm gonna put in a new key or a new value into this registry somewhere. So the question that it gets back from that or the next parameter asked masses. Okay, well, where is this key? What is this key
10:56
we come back with? Oh, well, it's an H key local machine, which is one of the 51 of the five primary hives.
11:03
They're actually more than five, but they're five that
11:07
most people know about and use. The rest are pretty much reserved for the computer.
11:11
So, you know these five primary hives out of the five primary hives? I'm using HP local machine
11:18
and then inside of that, the system file current control, set control, terminal server,
11:24
a terminal server is he service which actually allows connections in to create a new term Miller knew
11:31
connection for already? Be. So this is the key that we're going to be changing. The nice value is slash B, which is f and then f deny. T s connections
11:41
slash B is value in the registry key. I prefer to think of it as field simply because what we're gonna do later is much more logical in terms of calling it value. But when you're actually editing things in the registry, this is labeled its value. It's the name
11:56
so f deny t s connections were
12:00
essentially firewall deny terminal server connection where that's the value that we're creating
12:05
the data type for it, which could be Reggie Word Reg, you in't Reg as Z, which is a string, would be a bunch of different possible values.
12:16
We're using the word we were actually using a 1,000,000,000 which is just a true or false. Essentially,
12:22
we're saying the value correspondent to this field or the data correspondent to this value. If you want to be specific and follow the rules of the naming convention,
12:31
um is going to be a D word or a long imager.
12:35
For those of you who are more for mastering inclined,
12:39
they were due slash d zero, which is the data value or the data correspondent to the value
12:46
they say. I like to think of his value correspondent to the label,
12:48
but
12:50
whatever works for you sending it to zeros were saying false.
12:54
We're saying deny T s connections is false, which obviously means double negative means allow terminal server connections on when someone tries to connect with our DP, let him in there good to go and then f his force, which just basically saying do it no matter what.
13:09
So the big thing with this, the reason why we're doing it like this the two commands we ran Obviously we're setting up the Windows firewall, which is the external part of the the connection or the Rdp. The firewall is what your first going to hit on the outsider and you get there and it's going to say No, no RTP for you.
13:28
So we went in there and we changed that so that it could get the fire with fire would say, Oh, yeah, I already If he's good to go
13:33
and the next thing we go down to, the next thing we have to do is read it. The registry. The registry is the interior. When you get here and you know Windows Rdp asks permission to run. Basically, it calls the Registry of Penises. Hey,
13:48
am I good to run? Am I allowed to accept this connection, start doing something
13:52
and the registry key looks at it and says, Ah, yeah, you're good to go. Somebody put in a value of false for deny, so that means allow. So you let whoever is connecting connect. So by changing, you know, we changed with the external in the internal, and now we're capable of opening up a gooey shell or a gooey
14:11
connection to our target machine.
14:13
I want to take a moment to stress again. This gooey connection is super noticeable.
14:18
You're going to take over the actual machine. You're going to be right there.
14:22
So what does that mean? Well, one of the big things that means is you need to time your connections. This goes back to the information gathering.
14:30
You know, we looked at activity and how much was being done and when it was last time, a lot of that.
14:35
So if while you were building up the profile of whoever uses this machine and you're kind of profiling, getting a sense of how they work,
14:41
if you see that every day like clockwork for 45 they turn off their machine or they log off their machine and go home. If they turn off the machine, that's not going to have to much use to you. There's a long off their machine. They go home,
14:54
then
14:54
you know, every day at five, you can connect to it.
14:58
If, on the other hand, this you get under your first computer in the eye, comes in at 81 morning and then he leaves noon and the next day comes in. It's six in the morning. He leaves at seven that night as very inconsistent times. You're not gonna want to use our DP because the odds of him walking in and seeing his mouse moving around and his computer running's
15:18
It's not really something you want to risk. Or
15:20
even if you aren't actually displaying what you're doing, you have to him coming in and unintentionally and unknowingly booting you off. Purity.
15:28
Still a problem? You never know what you were in the middle of,
15:31
So because of that, you really, really have to build the user profile and know the system that you're going to be using Artie feel.
15:39
But once you do, you get control of a gooey and you've pretty much owned that box and can do whatever you want to it. So hey, there's a benefit.
15:46
This is the end of the Rdp
15:50
section of the course. I recommend getting out there is always getting out there and trying it already Piece kind of a fun one to install on. Ah, all the machines in your home.
15:58
I like to, you know,
16:00
have it on every computer I have in my house. Then whenever someone's using it to just kinda ghost and take over it. But
16:07
I'm a bad person. So
16:10
go out there, play with it, learn how to use it. Um, absolutely, You know, try it out. I don't really begin to already pee in terms of actually using our defeat to do any hacking in the practical video because it turns into just pointing and clicking. And essentially, if you can hack your own machine or if you can gather information off your own machine,
16:29
then you can do it off of a target machine would already be installed
16:30
until next time. I am your Smee, Joseph Perry. You're watching
16:36
persistence and continued access, the post exploitation hacking course, and you're watching on Cyber Reed. Thank you and have a great day

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor