The Remote Desktop Protocol (RDP) helps administrators manage Windows systems and assist users with problems. However, RDP is also very popular with criminal hackers: the RDP hijacking technique lets them gain access to and control over IT systems while appearing to be a legitimate user.
Remote administration and management, such as RDP provides for Windows devices, has become far more important to companies in every industry in the wake of the Corona crisis, so the risk of falling victim to RDP hijacking is rising. Current developments aside, the simple fact that in most corporate networks Windows clients and Windows servers are interconnected and administrators use RDP makes it imperative to be aware of the risks involved.
Read how RDP compromise happens and how you can defend against it.
RDP Hijacking – Definition
RDP hijacking is not a new phenomenon. Rather, it is a technique that has been around for a few years and often does not rely on common attack vectors such as phishing, but abuses completely legitimate features of the RDP service in Windows.
In RDP hijacking, an attacker resumes a previously disconnected RDP session. This gives him access to privileged systems without having to steal login credentials. For example, if an administrator configured a Windows server via RDP a few days ago, it is much easier for an attacker to "resume" that session than to try to obtain the admin's password through social engineering.
Once inside the system, the attacker can move laterally through the corporate network and remain undetected – after all, monitoring software sees only a supposedly authorized user.
RDP Hijacking – Proof of Concept
There are several ways to resume an RDP session. The approach was originally discovered in 2011 by Benjamin Delpy, developer of the pentesting tool mimikatz. In 2017, security specialist Alexander Korznikov demonstrated how the same approach can be used for privilege escalation attacks on Windows systems.
In this article we focus on the RDP hijacking method that makes use of the Windows built-in tool Tscon.exe. The utility allows users to connect to another remote desktop session or switch between different sessions.
The syntax of the command is simple; the Microsoft Knowledge Base explains what each parameter does.
The simplest example is tscon 2: executed on the host server, this command connects the current user to the session with ID 2 and disconnects any pre-existing connections. Microsoft itself, however, warns: "You must exercise caution when using Tscon.exe so as not to accidentally leave a previously inaccessible server open."
To take over a remote desktop session, the attacker must be connected to the RDP host. This requires some "groundwork": unless the hacker is an insider, he needs suitable credentials. This type of attack is particularly dangerous because it is also regularly used in APT campaigns.
Diagram: Passwordless Hijacking in detail. (Photo: CSO / IDG)
If a system is compromised – for example by malware – this technique enables attackers to take over the sessions and environments of other users without needing a password. With reference to the diagram, the malicious user would log in to the RDP server from client 3 and would be able to see all connected RDP users. A single command suffices: query user.
Afterwards, the following two command-line entries are enough to end the attacker's own running session (ID 2) and to resume the previously disconnected session 1, which from then on runs between the attacker and the RDP server:
sc create hijackedsession binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#2"
net start hijackedsession
No password is requested, nor are any traces left behind that could be analyzed by IT forensics. The reason: the user who was previously active on client 2 closed his RDP connection but did not explicitly log off from the server.
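The sequence above does leave an event trail that defenders can correlate. The following is an added example, not code from the original article: it applies two checks to Windows event records, pairing Security event 4779 (session disconnected) with the next 4778 (session reconnected) for the same account and session name and flagging a reconnect from a different client, and flagging a System event 7045 (service installed) whose image path launches tscon.exe, which is what the sc create / net start pair shown above produces. The event records, account names, host names and addresses are constructed samples; the code assumes the "Audit Other Logon/Logoff Events" subcategory is enabled so that 4778/4779 are written, and that the reconnect caused by tscon is logged under the victim's account with the new client's name and address.

```python
"""Correlate RDP disconnect/reconnect events and service installs to spot
suspicious session resumptions. Added example, not from the original article."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    event_id: int
    time: str
    account: str = ""        # 4778/4779: Account Name
    session: str = ""        # 4778/4779: Session Name, e.g. RDP-Tcp#1
    client_name: str = ""    # 4778/4779: Client Name
    client_addr: str = ""    # 4778/4779: Client Address
    service: str = ""        # 7045: Service Name
    image_path: str = ""     # 7045: Service File Name


# Constructed sample records (invented names, hosts and addresses).
SAMPLE_EVENTS: List[Event] = [
    # Legitimate disconnect and reconnect from the same laptop.
    Event(4779, "09:02", "admin.jane", "RDP-Tcp#1", "JANE-LAPTOP", "10.0.0.15"),
    Event(4778, "09:10", "admin.jane", "RDP-Tcp#1", "JANE-LAPTOP", "10.0.0.15"),
    # Session left disconnected at the end of the day.
    Event(4779, "17:45", "admin.jane", "RDP-Tcp#1", "JANE-LAPTOP", "10.0.0.15"),
    # A service wrapping tscon.exe is installed, then the session is resumed
    # from a different client.
    Event(7045, "22:31", service="hijackedsession",
          image_path="cmd.exe /k tscon 1 /dest:rdp-tcp#2"),
    Event(4778, "22:31", "admin.jane", "RDP-Tcp#1", "WKSTN-42", "10.0.0.77"),
]


def detect(events: List[Event]) -> List[str]:
    """Return one alert string per suspicious pattern, in event order."""
    alerts: List[str] = []
    # Client seen at the most recent disconnect, keyed by (account, session).
    last_disconnect: Dict[Tuple[str, str], Event] = {}

    for ev in events:
        key = (ev.account.lower(), ev.session.lower())
        if ev.event_id == 4779:
            last_disconnect[key] = ev
        elif ev.event_id == 4778:
            prev = last_disconnect.get(key)
            # A user normally resumes from the client they disconnected from;
            # a different client name or address deserves a look.
            if prev and (prev.client_name.lower() != ev.client_name.lower()
                         or prev.client_addr != ev.client_addr):
                alerts.append(
                    f"{ev.time} session {ev.session} of {ev.account} resumed from "
                    f"{ev.client_name} ({ev.client_addr}); it was disconnected from "
                    f"{prev.client_name} ({prev.client_addr}) at {prev.time}")
        elif ev.event_id == 7045 and "tscon" in ev.image_path.lower():
            # A newly installed service whose binary runs tscon.exe matches the
            # sc create / net start sequence described in the article.
            alerts.append(
                f"{ev.time} service '{ev.service}' installed with image path "
                f"'{ev.image_path}' (launches tscon.exe)")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Run against a real export, the same two rules map onto a SIEM query: join 4779 and 4778 on account and session name and compare the client fields, and alert on any 7045 (or 4697) whose service file name contains tscon.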
RDP Hijacking – Defensive Measures
For the reasons mentioned above, a monitoring solution is no remedy against RDP hijacking. Even an operating system upgrade does not help, because the attack technique affects almost all versions of Windows Server. However, there are two main defensive measures you can take against RDP hijacking:
Enforce group policies: instead of keeping remote desktop sessions in the "disconnected" state for long periods, the Group Policy settings should be changed so that users are logged off either immediately or shortly after disconnecting from an RDP session. This prevents passwordless hijacking.
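The Group Policy setting behind this measure, "Set time limit for disconnected sessions" (Remote Desktop Session Host, Session Time Limits), is stored in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services as the DWORD MaxDisconnectionTime, in milliseconds, where 0 or an absent value means the disconnected session is kept forever. The following added example, not from the original article, audits that value in a .reg export of the key so the check can run offline across exports collected from many hosts. Both exports are constructed: one leaves the limit unset (the weak default), the other sets it to one minute. The one-hour tolerance threshold is an assumption for this example.

```python
"""Audit the disconnected-session time limit in exported Terminal Services
policy keys. Added example, not from the original article."""
import re
from typing import Dict, Tuple

# Policy key holding the Remote Desktop Session Host settings.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
# Assumption for this example: anything longer than an hour is flagged.
MAX_ACCEPTABLE_MS = 60 * 60 * 1000

# Constructed export: RDP enabled, no disconnected-session limit (weak).
WEAK_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services]
"fDenyTSConnections"=dword:00000000
"""

# Constructed export: disconnected sessions are ended after 0xea60 = 60000 ms.
HARDENED_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services]
"fDenyTSConnections"=dword:00000000
"MaxDisconnectionTime"=dword:0000ea60
"""

_DWORD_LINE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export.

    Assumes the export has already been decoded to str (reg.exe writes UTF-16LE).
    Non-DWORD values are ignored because the audit only needs integers.
    """
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _DWORD_LINE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def audit_disconnect_limit(export: str) -> Tuple[bool, str]:
    """Return (compliant, message) for the MaxDisconnectionTime policy value."""
    values = parse_reg(export).get(POLICY_KEY, {})
    limit_ms = values.get("MaxDisconnectionTime", 0)
    if limit_ms == 0:
        return False, "WEAK: disconnected sessions are never ended (MaxDisconnectionTime unset or 0)"
    if limit_ms > MAX_ACCEPTABLE_MS:
        return False, f"WEAK: disconnected sessions linger for {limit_ms} ms before being ended"
    return True, f"OK: disconnected sessions are ended after {limit_ms} ms"


if __name__ == "__main__":
    for name, export in (("weak host", WEAK_EXPORT), ("hardened host", HARDENED_EXPORT)):
        ok, msg = audit_disconnect_limit(export)
        print(f"{name}: {msg}")
```

The same key can be exported from a live host with reg.exe and fed to the script; the policy value only takes effect where the Group Policy Object applies, so an absent key on a domain member usually means the setting has simply never been configured.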
Reduce the attack surface: it makes no sense to leave RDP services and ports open to anyone on the Internet. Restricting RDP, however, can quickly hamper remote administration. Where access over the Internet is required, Microsoft Remote Desktop Gateway or Azure Multi-Factor Authentication Server is recommended as a low-cost way to add multi-factor authentication. (fm)