Emmynet Posted May 29, 2018

Hello house, I need a tool or a way I can crack RDPs for tutorial and educational purposes. I have downloaded several versions of DUBrute but none of them are cracking anything; I don't know if any working software that can crack is available?
0phoi5 Posted May 30, 2018

The only (bodge-job) method I ever managed was:

1. Create a SendKeys-based VBScript to press 'Yes' on the Remote Desktop Connection approval pop-up.
2. Copy the VBScript to the target machine.
3. Create a Scheduled Task on the target machine, using PsExec, to run the above VBScript as the logged-in user.
4. Send a Remote Desktop Connection request just before the above runs.
5. Profit.

This does require some prerequisites, such as admin account credentials.

Edited May 30, 2018 by haze1434
PoSHMagiC0de Posted May 31, 2018

THC-Hydra can do a brute force on RDP. Of course, if common practice is followed there shouldn't be an exposed RDP unless it is behind an RDP gateway. Even then, if they follow some security, you will most likely lock the account out, which will ruin the rest of your attack. If not, Hydra can brute it with a wordlist; you will have to follow the examples and lower the thread count though, or you will DoS the service. Other than that, if they did not apply a cert you can use the self-signed cert you see to get the machine name inside the network and the domain name. If CredSSPSupport is off you can get the graphical desktop and see what Windows they are running.
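The two pre-authentication observations in the post above (the self-signed certificate gives away the machine and domain name; whether CredSSP/NLA is enforced decides whether you ever see the graphical logon screen) both fall out of the RDP security-protocol negotiation that happens before any credential is sent. The script below is an added example, not code from this thread or from any of the posters: it builds the X.224 Connection Request with an RDP_NEG_REQ, decodes the server's Connection Confirm (accepted protocol, or the failure code, of which HYBRID_REQUIRED_BY_SERVER means NLA is mandatory), and, when TLS is negotiated, completes the handshake and pulls the commonName out of the server certificate. The function names, the constructed test packets and the hostname `ts01.corp.example` are assumptions for illustration; the wire formats are those of MS-RDPBCGR. It never sends a password, so it cannot trip the lockout policy the post warns about.

```python
"""Pre-authentication RDP recon: which security protocol the server will
negotiate, and the names in its (often self-signed) TLS certificate.
Added example, not code from the thread.  Only the X.224 negotiation and a
TLS handshake are performed; no credentials are ever sent, so there is no
password guessing and nothing that can trip an account-lockout policy."""
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1 / 2.2.1.2.1)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0, 1, 2, 8
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 1, 2, 3
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
CN_OID = b"\x06\x03\x55\x04\x03"  # DER encoding of id-at-commonName (2.5.4.3)


def build_negotiation_request(requested_protocols, cookie_user=None):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    cookie = b"" if cookie_user is None else b"Cookie: mstshash=" + cookie_user.encode() + b"\r\n"
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie + neg_req  # CR code, dst-ref, src-ref, class 0
    tpdu = bytes([len(x224)]) + x224                                 # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu           # TPKT version 3, total length


def parse_negotiation_response(data):
    """Decode the server's X.224 Connection Confirm into a result dict.
    'ok' carries the protocol the server chose, 'failure' the reason it refused
    (code 5, HYBRID_REQUIRED_BY_SERVER, means NLA is enforced), 'legacy' means
    the server sent no rdpNegData and only speaks standard RDP security."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d does not match %d bytes" % (tpkt_len, len(data)))
    if data[5] != 0xD0:
        raise ValueError("expected X.224 Connection Confirm (0xD0), got 0x%02X" % data[5])
    if tpkt_len == 11:
        return {"result": "legacy", "selected_protocol": PROTOCOL_RDP}
    if len(data) < 19:
        raise ValueError("truncated rdpNegData")
    neg_type, flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad rdpNegData length %d" % length)
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"result": "ok", "selected_protocol": value, "flags": flags}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"result": "failure", "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError("unexpected rdpNegData type %d" % neg_type)


def extract_common_names(der):
    """Return the distinct commonName values in a DER certificate, in order.
    A self-signed RDP listener certificate carries the machine's FQDN as the CN
    of both issuer and subject, which is how hostname and domain leak before
    any logon.  Minimal by design: scans for the CN OID and decodes the string
    that follows it; only short-form (< 128 byte) DER lengths are handled."""
    names = []
    pos = der.find(CN_OID)
    while pos != -1:
        tag_pos = pos + len(CN_OID)
        if tag_pos + 1 >= len(der):
            break
        tag, length = der[tag_pos], der[tag_pos + 1]
        if tag in (0x0C, 0x13, 0x16) and length < 0x80:  # UTF8String, PrintableString, IA5String
            name = der[tag_pos + 2:tag_pos + 2 + length].decode("utf-8", "replace")
            if name not in names:
                names.append(name)
        pos = der.find(CN_OID, tag_pos)
    return names


def probe(host, port=3389, timeout=5.0):
    """Live check (needs network; host/port are whatever you are assessing).
    1) Offer TLS only: a server that insists on NLA answers with failure code 5.
    2) Offer TLS, CredSSP and CredSSP-EX, then finish a TLS handshake and read
       the certificate names.  Returns a summary dict."""
    summary = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiation_request(PROTOCOL_SSL))
        tls_only = parse_negotiation_response(s.recv(1024))
    summary["nla_required"] = tls_only["result"] == "failure" and tls_only["failure_code"] == 5
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiation_request(PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))
        resp = parse_negotiation_response(s.recv(1024))
        summary["negotiation"] = resp
        if resp["result"] == "ok" and resp["selected_protocol"] != PROTOCOL_RDP:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False  # a self-signed certificate is expected; we only want to read it
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                summary["certificate_names"] = extract_common_names(tls.getpeercert(binary_form=True))
    return summary


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(probe(sys.argv[1]), indent=2))
```

Run it as `python rdp_recon.py <host>` against a host you are authorised to test. A `nla_required` of `True` tells you a brute-force attempt would have to go through CredSSP and, more importantly, that you will not get the logon screen PoSHMagiC0de mentions; the `certificate_names` list is where an unmanaged listener hands over its internal FQDN. Two separate connections are used because the first negotiation, by design, only offers plain TLS to provoke the HYBRID_REQUIRED_BY_SERVER refusal.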
jOte- Posted June 11, 2018

:: Expects %HOSTNAME%, %RDGATEWAY%, %RDUSERNAME%, %RDPASSWORD%, %USERNAME% and %PASSWORD% to be set (see the full script below)

:: "Unknown publisher" ("Do you trust this remote connection?" prompt for this host/gateway pair)
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /t "REG_DWORD" /d 109 /f >NUL 2>&1

:: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
:: 0 = connect without warning even when the server certificate cannot be verified
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /t "REG_DWORD" /d 0 /f >NUL 2>&1

:: Delete old credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Store credentials to Micro$oft vault (passwords are passed in plaintext on the command line)
CMD /Q /D /C cmdkey /add:"%RDGATEWAY%" /user:"%RDUSERNAME%" /pass:"%RDPASSWORD%" >NUL 2>&1
CMD /Q /D /C cmdkey /generic:"%HOSTNAME%" /user:"%USERNAME%" /pass:"%PASSWORD%" >NUL 2>&1
jOte- Posted June 11, 2018

See spoiler:

@ECHO OFF
:: @jOte- 2059
:: CONNECT RDP/RDGATEWAY and cleanup ...

:: SETTINGS
SET RDGATEWAY=remote.bla.com
SET RDUSERNAME=BASE\admin
SET RDPASSWORD=whatthefuck
SET HOSTNAME=TS01
:: NOTE: overrides the built-in %USERNAME% variable for the rest of this script
SET USERNAME=BASE\admin
SET PASSWORD=whatthefuck
SET RDPFILE=%TMP%\~bb%RANDOM%.tmp
:: END SETTINGS

CLS

:: "Unknown publisher" ("Do you trust this remote connection?" prompt for this host/gateway pair)
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /t "REG_DWORD" /d 109 /f >NUL 2>&1

:: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
:: 0 = connect without warning even when the server certificate cannot be verified
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /t "REG_DWORD" /d 0 /f >NUL 2>&1

:: Delete old credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Store credentials to Micro$oft vault (passwords are passed in plaintext on the command line)
CMD /Q /D /C cmdkey /add:"%RDGATEWAY%" /user:"%RDUSERNAME%" /pass:"%RDPASSWORD%" >NUL 2>&1
CMD /Q /D /C cmdkey /generic:"%HOSTNAME%" /user:"%USERNAME%" /pass:"%PASSWORD%" >NUL 2>&1

:: Create tmpfile (.rdp connection file for HOSTNAME, logging in as USERNAME)
CALL :createFile %HOSTNAME% %USERNAME%

:: Start tmpfile
REM START mstsc /admin %RDPFILE%
START mstsc %RDPFILE%

:: Wait 30 seconds (long enough for mstsc to read the file and the vault) and cleanup
TIMEOUT /NOBREAK 30 >NUL
CALL :cleanup
GOTO :EOF

:cleanup
:: Delete stored credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Restore "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /f >NUL 2>&1

:: Restore "Unknown publisher"
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /f >NUL 2>&1

:: Delete tmpfile
DEL /F /Q %RDPFILE% >NUL 2>&1
GOTO :EOF

:createFile
:: %1 = full address (host), %2 = username written into the .rdp file
(
ECHO screen mode id:i:2
ECHO use multimon:i:0
ECHO desktopwidth:i:1920
ECHO desktopheight:i:1080
ECHO session bpp:i:32
ECHO winposstr:s:0,3,0,0,800,600
ECHO compression:i:1
ECHO keyboardhook:i:2
ECHO audiocapturemode:i:0
ECHO videoplaybackmode:i:1
ECHO connection type:i:7
ECHO networkautodetect:i:1
ECHO bandwidthautodetect:i:1
ECHO displayconnectionbar:i:1
ECHO enableworkspacereconnect:i:0
ECHO disable wallpaper:i:0
ECHO allow font smoothing:i:0
ECHO allow desktop composition:i:0
ECHO disable full window drag:i:1
ECHO disable menu anims:i:1
ECHO disable themes:i:0
ECHO disable cursor setting:i:0
ECHO bitmapcachepersistenable:i:1
ECHO full address:s:%1
ECHO audiomode:i:0
ECHO redirectprinters:i:0
ECHO redirectcomports:i:0
ECHO redirectsmartcards:i:1
ECHO redirectclipboard:i:1
ECHO redirectposdevices:i:0
ECHO autoreconnection enabled:i:1
ECHO authentication level:i:2
ECHO prompt for credentials:i:0
ECHO negotiate security layer:i:1
ECHO remoteapplicationmode:i:0
ECHO alternate shell:s:
ECHO shell working directory:s:
ECHO gatewayhostname:s:%RDGATEWAY%
ECHO gatewayusagemethod:i:2
ECHO gatewaycredentialssource:i:4
ECHO gatewayprofileusagemethod:i:1
ECHO promptcredentialonce:i:0
ECHO gatewaybrokeringtype:i:0
ECHO use redirection server name:i:0
ECHO rdgiskdcproxy:i:0
ECHO kdcproxyname:s:
ECHO username:s:%2
)>%RDPFILE%
GOTO :EOF

:END
EXIT 1

Edited June 12, 2018 by Foxtrot: add spoiler tags for large content
jOte- Posted June 11, 2018

Brute-forcing RDP is stupid... GPO would lock you out, as PoSHMagiC0de is mentioning...