HF 2022 - Call for Papers

Purple RDP: Red and Blue Tradecraft around Remote Desktop Protocol
2022-10-30, 10:00–10:50, Track 1

Remote Desktop Protocol (RDP) is the de facto standard for remoting in Windows environments. It grew in popularity over the last couple of years due to the pandemic. In addition to system administrators, many remote workers are now relying on it to perform duties on remote systems. RDP is secure when well deployed but, unfortunately, that’s rarely the case and thus clicking through warnings is common. We have spent the last 3 years working on and reimplementing parts of RDP in PyRDP, our open-source RDP library. This presentation is about what we have learned and can be applied to attack and defend against RDP attacks.

From an attacker’s perspective, we will cover conventional RDP attacks such as Monster-in-the-Middle (MITM) of RDP connections, capture of NetNTLMv2 hashes and techniques to bypass conventional defense mechanisms such as Network Level Authentication (NLA). Case in point: Did you know that by default all clients allow server-side NLA downgrades right now? Additionally, we will present scenarios where RDP is used to lure targets by sending specifically crafted “.rdp” files via phishing and performing client-side exploitation. This will enable us to understand and identify the risks with RDP.

From the Blue Team’s perspective, we will provide techniques and tools to detect all attacks showcased previously. Additionally, we will demonstrate the risks of using 3rd party RDP clients. Finally, we will provide playbooks to install hardened RDP configurations for both clients and servers through GPO and to deploy a corporate-wide RDP public key infrastructure (PKI): the most efficient way of getting rid of most of the RDP attacks for good.

  • Intro to RDP (protocol layers, security), 5m
  • Attack: MITM RDP, 15m
  • Risks/Impact (clipboard and file stealing, session takeover with video demo)
  • How to detect it?
  • Mitigation: Network Level Authentication (NLA)
  • How does NLA work?
  • Attacks on NLA: downgrade, client redirection to non-NLA, NLA Bypass
  • Details about NLA Bypass, more on mitigation later
  • Attack: Net-NTLMv2 Hash Capture, 5m
  • Protocol details that make it possible
  • How to crack it
  • Just how bad it is: hash stolen before certificate prompt, case opened with Microsoft
  • Mitigation advice
  • Mitigation: Certificates with RDP, 5m
  • Using Let’s Encrypt: Defensively and Attackers
  • Corporate deployment
  • Attack: Credential theft, 5m
  • Special case: server is compromised, lateral movement or priv esc through clients
  • Extract plaintext passwords from memory
  • Mitigation: Restricted Admin, Remote Credential Guard and Smart Card, 3m
  • How do they work
  • Which applies in which context
  • Attack: Rogue RDP, 3m
  • Sending .rdp files preconfigured to a rogue RDP service prepared for client-side exploitation
  • Stealing credentials, dropping files (DLL sideloading)
  • Mitigation: Block .rdp files
  • Risk: How badly is attacked an exposed RDP today?, 1m
  • Numbers from our honeypots
  • Mitigation: Hardened RDP configuration, 3m
  • Powershell and/or GPO playbooks for secure client and server configuration
  • Instructions for Domain PKI

Are you releasing a tool? – no Was this talk already given? – yes