
Hijack Windows Server 2012 Session With Few Simple Commands

A few days ago, a video appeared on the web linking to a blog post on how to use an RDP session to hijack an administrator account on Windows Server with a few simple commands that create a service. What is interesting is that the finding is nothing new: it has existed since 2011, but nobody has done anything to fix it.

How Does It Work?

All the attacker needs to hijack the server is access to the command prompt. From there, the attacker can check whether the account belongs to an administrator by typing the command:

→ >whoami

After this, if the account on the server belongs to an administrator, the attacker can find out which domain the computer belongs to with the following command:

→ >wmic computersystem get domain

If the administrative user has an enabled password, the attacker uses the following command to get the SESSIONNAME of the current session with the server:

→ >query user

After this, the attacker is presented with a table showing the state of the sessions (Active and Disconnected), idle times, login times and the corresponding user names. From there, the attacker can take advantage of the SESSIONNAME, which usually looks like this: rdp-tcp#80. The hijacking itself is done with the following command, which is used to take over an active session:

→ >sc create sesshijack binpath= "cmd.exe /k tscon /dest:rdp-tcp#80"

(the rdp-tcp value is the session name, which varies)

Then the net start command is used:

→ >net start sesshijack

The new session then starts, this time from the administrator account, directly bypassing the need to enter the administrative password. In the new session, when the >whoami command is typed, the user should see that the account is now administrative. From there, the password itself can be changed by typing the following command:

→ >net user nopernik {new password} /add /dom

At this point the password is changed and the net group command can be used to modify the domain administrators.

What is interesting is that the questionable hacker doing this, Alexander Korznikov, has also demonstrated other session hijacking techniques on his YouTube channel and explained in his blog (http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html) that this works even on the newest Windows Server versions. Here are the versions in which this RDP session hijacking can occur:

  • Windows 2008
  • Windows 7
  • Windows 2012 R2
  • Windows 10
  • Windows 2016

What Is the Real-Life Impact of This?

In reality, the researcher explains that anyone who has access to the server can take advantage of the various users on it. These can be employees who are on a lunch break and have locked their computers temporarily. If there is a system for financial management, like PoS or other billing systems, the sysadmin can modify those and control them with commands that are usually pre-embedded. What is worse is that the attacker needs no malware, only simple Windows commands. Finally, the researcher has pointed out that this is only one scenario; there may be many other scenarios where user profiles can be spied on and manipulated externally, and the attack is very difficult to detect.
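One way to look for the service-based tscon pattern described above, as an added example that is not from the original post or the researcher's blog: it scans JSON-exported Windows events (ID 7045, service installed, and ID 4688, process created). The JSON layout, host name and sample events are constructed for illustration, and 4688 only carries a command line when command-line auditing is enabled.

```python
import json
import re

# Constructed sample events (not real logs), one JSON object per line.
# 7045 = "a service was installed" (System log), 4688 = process creation (Security log).
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Computer": "SRV01", "ServiceName": "sesshijack", "ImagePath": "cmd.exe /k tscon /dest:rdp-tcp#80"}
{"EventID": 7045, "Computer": "SRV01", "ServiceName": "BackupAgent", "ImagePath": "C:\\Program Files\\Backup\\agent.exe"}
{"EventID": 4688, "Computer": "SRV01", "SubjectUserSid": "S-1-5-18", "CommandLine": "tscon /dest:rdp-tcp#80"}
{"EventID": 4688, "Computer": "SRV01", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1104", "CommandLine": "tscon 2 /dest:console"}
{"EventID": 4688, "Computer": "SRV01", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1104", "CommandLine": "notepad.exe"}
"""

TSCON = re.compile(r"\btscon(\.exe)?\b", re.IGNORECASE)
DEST = re.compile(r"/dest:\S+", re.IGNORECASE)
SYSTEM_SID = "S-1-5-18"  # well-known SID of the LocalSystem account

def classify(event):
    """Return a finding string for a suspicious event, or None."""
    eid = event.get("EventID")
    if eid == 7045 and TSCON.search(event.get("ImagePath", "")):
        return f"service '{event.get('ServiceName')}' launches tscon: {event['ImagePath']}"
    if eid == 4688:
        cmd = event.get("CommandLine", "")
        # An interactive admin may run tscon legitimately; SYSTEM doing it is the anomaly.
        if TSCON.search(cmd) and DEST.search(cmd) and event.get("SubjectUserSid") == SYSTEM_SID:
            return f"tscon run as SYSTEM with /dest: {cmd}"
    return None

def scan(text):
    """Scan newline-delimited JSON events; return (host, event_id, finding) tuples."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        hit = classify(event)
        if hit:
            findings.append((event.get("Computer", "?"), event.get("EventID"), hit))
    return findings

if __name__ == "__main__":
    for host, eid, msg in scan(SAMPLE_EVENTS):
        print(f"[{host}] event {eid}: {msg}")
```
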

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
