Playbook for RDP scanning
Remote Desktop Protocol (RDP) provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.
Microsoft RDP includes the following features and capabilities: Encryption, Bandwidth reduction features, Roaming disconnect, Clipboard mapping, Print redirection, Virtual channels, Remote control, Network load balancing.
Technical Details
By default, the server listens on TCP port 3389 and UDP port 3389.
Analysis
Attacks related to RDP included ransomware, corporate theft, installation of backdoors, pivoting, and launching of additional attacks. The sales of RDP accounts also became available including identities and login credentials for little price in the black market.
In this brute force attack, a malicious actor will scan a range of IP addresses, look for open ports used by RDP (e.g. 3389), and finally utilize a brute force method such as a dictionary attack to attempt to determine the password. This brute force attack may serve as a denial of service against the operating system’s memory or storage due to the filling.
Though RDP is encrypted by default through TLS, an attacker may still utilize a man in the middle attack to gain RDP credentials. As with any man in the middle attack, the attacker places himself in a broadcast domain shared with either the client or the RDP server. One such methodology uses a python-based tool called Seth to leverage ARP spoofing to redirect traffic through an RDP proxy. This allows the attacker to downgrade the encryption of the connection and extract clear text credentials.
Mitigation
It is recommended to disable this service as part of system hardening before plugging into the network if the service is not required. If your server is one of the many that requires remote desktop to function, it is paramount to know the types of attacks that may be levied against this protocol and the various methods at an engineer’s disposal to prevent these attacks.
Defending Against RDP Attacks:
- Passwords and Lockouts
- Use an Alternative Port for RDP
- Install Latest Windows and Security Updates
- Restrict RDP Sessions by IP address with Windows Firewall
- Turn on Network Level Authentication
- Limit Remote Desktop Users
- Use RDP Gateways
- Tunnel Remote Desktop Connections through IPSec or SSH
References
References
https://thebackroomtech.com/2019/03/11/defending-against-remote-desktop-protocol-attacks/
http://etutorials.org/Networking/network+security+assessment/Chapter+4.+IP+Network+Scanning/4.7+Network+Scanning+Countermeasures/
https://www.bleepingcomputer.com/news/security/dos-exploit-poc-released-for-critical-windows-rdp-gateway-bugs/
http://etutorials.org/Networking/network+security+assessment/Chapter+4.+IP+Network+Scanning/
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/infosec-guide-remote-desktop-protocol-rdp
https://www.ic3.gov/media/2018/180927.aspx
https://www.us-cert.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf
https://isc.sans.edu/forums/diary/Increase+in+RDP+Scanning/25994/
https://docs.microsoft.com/en-us/windows/win32/termserv/remote-desktop-protocol
Revisions
March 13, 2020: Initial Version