Purple RDP: Red and Blue Tradecraft Around Remote Desktop Protocol

Tech 2 (718B) October 6, 2022 1:30 pm - 2:30 pm Feedback     

Bookmark and Share

Olivier Bilodeau

Remote Desktop Protocol (RDP) is the de facto standard for remoting in Windows environments. It grew in popularity over the last couple of years due to the pandemic. In addition to system administrators, many remote workers are now relying on it to perform duties on remote systems. RDP is secure when well deployed but, unfortunately, that’s rarely the case and thus clicking through warnings is common. We have spent the last 3 years working on and reimplementing parts of RDP in PyRDP, our open-source RDP library. This presentation is about what we have learned and can be applied to attack and defend against RDP attacks.

From an attacker’s perspective, we will cover conventional RDP attacks such as Monster-in-the-Middle (MITM) of RDP connections, capture of NetNTLMv2 hashes and techniques to bypass conventional defence mechanisms such as Network Level Authentication (NLA). Case in point: Did you know that by default all clients allow server-side NLA downgrades right now? Additionally, we will present scenarios where RDP is used to lure targets by sending specifically crafted “.rdp” files via phishing and performing client-side exploitation. This will enable us to understand and identify the risks with RDP.

From the Blue Team’s perspective, we will provide techniques and tools to detect all attacks showcased previously. Additionally, we will demonstrate the risks of using 3rd party RDP clients. Finally, we will provide playbooks to install hardened RDP configurations for both clients and servers through GPO and to deploy a corporate-wide RDP public key infrastructure (PKI): the most efficient way of getting rid of most of the RDP attacks for good.