Jump to content

Recommended Posts

Posted

Hello house i need a tool or way i can crack RDPs for tutorial and educational purpose. I have downloaded several version of dubrute but not cracking any, dont know if any working software that can crack is available?

Posted

I think try crowbar.

  • Upvote 1
Posted (edited)

The only (bodge-job) method I ever managed was;

  • Create SendKeys based VBScript to press 'yes' on a Remote Desktop Connection approval pop up
  • Copy VBScript to target machine
  • Create Scheduled Task on target machine, to run as logged in user, using PSEXEC, to run the above VBScript.
  • Send a Remote Desktop Connection request just before the above runs.
  • Profit.

This does require some pre-requisites, such as an admin account credentials.

Edited by haze1434
Posted

HTC-Hydra can do a bruteforce on RDP.  Of course if common practice is used there shouldn't be an exposed RDP unless behind a RDP gateway.  Even if still if they follow some security, you will most likely lock the account out which will ruin the rest of your attack.  If not, Hydra can brute it with a wordlist, you will have to follow the examples and lower the thread count though or you will DOS the service.

Other than that if they did not apply a cert you can use the self signed cert you see to get the machine name inside the network and domain name.  If CredSSPSupport is off you can get the graphical desktop and see what Windows they are running.

  • 2 weeks later...
Posted

:: "Unknown publisher"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /t "REG_DWORD" /d 109 /f >NUL 2>&1

:: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /t "REG_DWORD" /d 0 /f >NUL 2>&1

:: Delete old credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Store credentials to Micro$oft vault
CMD /Q /D /C cmdkey /add:"%RDGATEWAY%" /user:"%RDUSERNAME%" /pass:"%RDPASSWORD%" >NUL 2>&1
CMD /Q /D /C cmdkey /generic:"%HOSTNAME%" /user:"%USERNAME%" /pass:"%PASSWORD%" >NUL 2>&1

Posted (edited)

See spoiler:

 

@ECHO OFF
:: @jOte- 2059
:: CONNECT RDP/RDGATEWAY and cleanup ...


:: SETTINGS

SET RDGATEWAY=remote.bla.com
SET RDUSERNAME=BASE\admin
SET RDPASSWORD=whatthefuck

SET HOSTNAME=TS01
SET USERNAME=BASE\admin
SET PASSWORD=whatthefuck

SET RDPFILE=%TMP%\~bb%RANDOM%.tmp

:: END SETTINGS

@ECHO OFF
CLS

:: "Unknown publisher"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /t "REG_DWORD" /d 109 /f >NUL 2>&1

:: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /t "REG_DWORD" /d 0 /f >NUL 2>&1

:: Delete old credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Store credentials to Micro$oft vault
CMD /Q /D /C cmdkey /add:"%RDGATEWAY%" /user:"%RDUSERNAME%" /pass:"%RDPASSWORD%" >NUL 2>&1
CMD /Q /D /C cmdkey /generic:"%HOSTNAME%" /user:"%USERNAME%" /pass:"%PASSWORD%" >NUL 2>&1

:: Create tmpfile
CALL :createFile %HOSTNAME% %USERNAME%

:: Start tmpfile
REM START mstsc /admin %RDPFILE% 
START mstsc %RDPFILE%

:: Wait 20 seconds and cleanup
TIMEOUT /NOBREAK 30 >NUL
CALL :cleanup
GOTO :EOF

:cleanup
:: Delete stored credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Restore "Unknown publisher"
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /f >NUL 2>&1

:: Restore "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /f >NUL 2>&1

:: Delete tmpfile
DEL /F /Q %RDPFILE% >NUL 2>&1
GOTO :EOF

:createFile
(
ECHO screen mode id:i:2
ECHO use multimon:i:0
ECHO desktopwidth:i:1920
ECHO desktopheight:i:1080
ECHO session bpp:i:32
ECHO winposstr:s:0,3,0,0,800,600
ECHO compression:i:1
ECHO keyboardhook:i:2
ECHO audiocapturemode:i:0
ECHO videoplaybackmode:i:1
ECHO connection type:i:7
ECHO networkautodetect:i:1
ECHO bandwidthautodetect:i:1
ECHO displayconnectionbar:i:1
ECHO enableworkspacereconnect:i:0
ECHO disable wallpaper:i:0
ECHO allow font smoothing:i:0
ECHO allow desktop composition:i:0
ECHO disable full window drag:i:1
ECHO disable menu anims:i:1
ECHO disable themes:i:0
ECHO disable cursor setting:i:0
ECHO bitmapcachepersistenable:i:1
ECHO full address:s:%1
ECHO audiomode:i:0
ECHO redirectprinters:i:0
ECHO redirectcomports:i:0
ECHO redirectsmartcards:i:1
ECHO redirectclipboard:i:1
ECHO redirectposdevices:i:0
ECHO autoreconnection enabled:i:1
ECHO authentication level:i:2
ECHO prompt for credentials:i:0
ECHO negotiate security layer:i:1
ECHO remoteapplicationmode:i:0
ECHO alternate shell:s:
ECHO shell working directory:s:
ECHO gatewayhostname:s:%RDGATEWAY%
ECHO gatewayusagemethod:i:2
ECHO gatewaycredentialssource:i:4
ECHO gatewayprofileusagemethod:i:1
ECHO promptcredentialonce:i:0
ECHO gatewaybrokeringtype:i:0
ECHO use redirection server name:i:0
ECHO rdgiskdcproxy:i:0
ECHO kdcproxyname:s:
ECHO username:s:%2
)>%RDPFILE%

GOTO :EOF

:END
EXIT 1

Edited by Foxtrot
Add spoiler tags for large content

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...