1 00:00:00,950 --> 00:00:06,960 The enable_rdp module under the manage group enables the Remote Desktop service (RDP).
2 00:00:07,820 --> 00:00:13,190 It provides options to create an account and configure it to be a member of the local Administrators
3 00:00:13,550 --> 00:00:15,500 and Remote Desktop Users groups.
4 00:00:16,340 --> 00:00:20,990 It can also forward the target's port 3389/TCP.
5 00:00:22,400 --> 00:00:27,950 The module sets the value of the fDenyTSConnections registry key to
6 00:00:27,980 --> 00:00:28,400 zero.
7 00:00:29,500 --> 00:00:34,660 Also, if the port used by RDP is closed in the firewall, the module opens it.
8 00:00:36,800 --> 00:00:42,460 So in this demo, we have Windows 8 as the victim, with an IP address ending in 223.
9 00:00:43,190 --> 00:00:44,960 And here is the attacker, Kali.
10 00:00:46,580 --> 00:00:50,930 Now, let's start msfconsole and open a Meterpreter session first.
11 00:00:51,770 --> 00:00:56,270 We've done it several times, and the subject of this demo is not exploitation, so I'll just open the session
12 00:00:56,270 --> 00:00:57,170 as fast as I can.
13 00:01:02,090 --> 00:01:05,060 OK, I have a Meterpreter session on Windows 8 now.
14 00:01:06,320 --> 00:01:11,930 First, I want to know whether remote desktop connections are allowed on the victim or not.
15 00:01:12,860 --> 00:01:18,440 I can learn it by looking at the value of the fDenyTSConnections registry key.
16 00:01:19,520 --> 00:01:25,370 Thankfully, Meterpreter has a reg command, so let's build the appropriate reg command and look
17 00:01:25,370 --> 00:01:25,790 at the key.
18 00:01:26,790 --> 00:01:32,250 reg is the command itself; the queryval parameter is our intention:
19 00:01:32,700 --> 00:01:34,590 we just want to query the value.
20 00:01:35,550 --> 00:01:43,770 Next is the key path, with the -k parameter: HKEY_LOCAL_MACHINE\System\CurrentControlSet\
21 00:01:46,940 --> 00:01:49,250 Control\Terminal Server.
22 00:01:51,050 --> 00:01:56,240 And now the value, with the -v parameter: fDenyTSConnections.
23 00:01:57,510 --> 00:01:58,510 And here is the result.
24 00:01:59,220 --> 00:02:05,220 The data of the value is 1, which means remote desktop connections are not allowed on the victim
25 00:02:05,230 --> 00:02:07,260 machine at this time.
26 00:02:08,380 --> 00:02:13,570 So let's go to the Windows 8 system to check the configuration of Remote Desktop.
27 00:02:14,410 --> 00:02:15,700 I want to verify our finding.
28 00:02:16,850 --> 00:02:20,540 So in the Start menu, I'll search for the word "remote".
29 00:02:20,690 --> 00:02:25,850 I select Settings from the results, then select "Allow remote access to your computer".
30 00:02:27,370 --> 00:02:30,540 Now we are under the Remote tab of System Properties.
31 00:02:32,030 --> 00:02:37,190 As you can see in the Remote Desktop frame, remote connections to this computer are not allowed.
32 00:02:37,280 --> 00:02:38,660 So our finding is correct.
33 00:02:40,020 --> 00:02:44,160 But now let's enable remote desktop connections on the victim.
34 00:02:44,970 --> 00:02:52,440 We can run the post module directly from the Meterpreter session using the run command: type run post/
35 00:02:52,440 --> 00:02:56,430 windows/manage/enable_rdp and hit Enter.
36 00:02:58,390 --> 00:03:01,150 And it's finished. To learn whether it succeeded,
37 00:03:01,630 --> 00:03:05,260 I'd like to query fDenyTSConnections again.
38 00:03:06,160 --> 00:03:10,330 Remember, you can recall previous commands by using the arrow keys.
39 00:03:12,340 --> 00:03:15,040 And yes, the data of the value is 0 now.
40 00:03:15,930 --> 00:03:19,600 That means remote desktop is no longer denied.
41 00:03:20,410 --> 00:03:25,000 So once again, I want to double-check it on our victim.
42 00:03:25,570 --> 00:03:28,810 And again, I search for "remote" in the Start menu.
43 00:03:29,050 --> 00:03:33,370 I select Settings, then select "Allow remote access to your computer".
44 00:03:34,060 --> 00:03:34,720 And here it is.
45 00:03:35,020 --> 00:03:37,930 As you see, remote connections are allowed now.
46 00:03:38,680 --> 00:03:41,140 We succeeded in enabling RDP.
47 00:03:41,740 --> 00:03:42,300 Well done.
48 00:03:44,050 --> 00:03:48,250 But I am not comfortable unless I see the result with my own eyes.
49 00:03:49,060 --> 00:03:51,550 I just want to make a remote connection to the victim.
50 00:03:52,930 --> 00:04:00,130 So now I'm on my host system, which is a Mac. To be able to make a remote connection,
51 00:04:00,430 --> 00:04:03,640 I'll go to the App Store to download Microsoft Remote Desktop.
52 00:04:06,190 --> 00:04:06,910 I found it.
53 00:04:08,710 --> 00:04:10,930 And it looks like it is installing.
54 00:04:12,310 --> 00:04:14,290 When the installation is finished,
55 00:04:16,270 --> 00:04:16,990 I'll open the app.
56 00:04:18,820 --> 00:04:25,930 Now I click New and create a new remote connection. The IP address of the Windows 8 machine ends in
57 00:04:25,930 --> 00:04:26,440 223.
58 00:04:29,360 --> 00:04:32,960 I'll assume that we already know a valid username/password pair.
59 00:04:34,960 --> 00:04:37,660 And I'll leave the other settings at their default values.
60 00:04:38,790 --> 00:04:41,460 Now, I'll double-click the connection I set up.
61 00:04:44,280 --> 00:04:44,700 OK.
62 00:04:45,150 --> 00:04:47,880 I verify the certificate and continue.
63 00:04:48,980 --> 00:04:53,600 And that's done: we have a remote desktop connection to the Windows 8 machine.
64 00:04:54,600 --> 00:04:59,880 We enabled the remote connection and connected; the module is working like a charm.
65 00:05:02,440 --> 00:05:04,330 Now I want to show you something more.
66 00:05:05,290 --> 00:05:08,590 Let's go back to the victim system, the Windows 8 VM.
67 00:05:09,520 --> 00:05:15,820 Now, have a look at this: when we connect remotely, the currently logged-on user is kicked off the console (their session is disconnected), because concurrent
68 00:05:15,820 --> 00:05:17,530 sessions are restricted by default on client editions of Windows.
69 00:05:18,640 --> 00:05:24,190 So if you don't want to tip off the user of the victim machine, you'd better carry out the remote desktop
70 00:05:24,190 --> 00:05:26,140 connection when he or she is away.
71 00:05:26,890 --> 00:05:33,640 To find out whether the user of the computer is away or not, we can use the idletime Meterpreter
72 00:05:33,640 --> 00:05:35,800 command before the remote connection.
73 00:05:36,400 --> 00:05:41,770 If the system has been idle for a long time, then it's probably safe to assume that the user is away.
74 00:05:43,590 --> 00:05:47,730 Well, in fact, there is a way to have concurrent sessions on Windows systems.
75 00:05:48,960 --> 00:05:50,400 So let's have a look at how
76 00:05:51,270 --> 00:05:55,290 the current user is not kicked off when you connect remotely to the system.
77 00:05:55,770 --> 00:05:58,380 I'll just show you the method now, and you can try it for yourself later.
78 00:05:59,980 --> 00:06:07,030 So what I do is open the web browser and Google for "enable concurrent sessions in Windows 8".
79 00:06:09,960 --> 00:06:11,340 And click the first link.
80 00:06:13,240 --> 00:06:16,450 How to enable concurrent sessions is explained here.
81 00:06:17,080 --> 00:06:24,100 Now, briefly, you should replace termsrv.dll with an appropriately patched one
82 00:06:30,850 --> 00:06:35,890 and add the fSingleSessionPerUser value and set it to 0.
83 00:06:36,940 --> 00:06:42,880 I have to warn you here, though: do not download and use any file unless you trust the website 100
84 00:06:42,880 --> 00:06:43,450 percent.
85 00:06:43,450 --> 00:06:50,170 So if I were you, I wouldn't download the modified DLL file from this site, because I just don't know
86 00:06:50,170 --> 00:06:50,800 the user's.