The Setup
I conducted some phishing for a pentest this past week. My ulterior motive was to have an opportunity to familiarize myself with Empire, so I decided to go with a pretext which would allow me to use the macro stager and a malicious Excel sheet attachment to drop agents onto victim boxes. After some initial hiccups, a handful of (elevated!) agents started calling back.
First things first, I ran mimikatz. It returned a domain administrator’s password. So job done, right?
Wrong! It’s time for pillaging.
Now, Empire is awesome and all, but it relies on beaconing rather than a constant connection, so to expedite the pwnage, I went loaded the code_execution/shellcode_inject module, which sent a meterpreter session to my waiting handler.
After dumping hashes from the DC, I started poking around the rest of the network. Both meterpreter and Empire have some wonderful tools to make share enumeration straightforward, but sometimes, it’s nice to have a big GUI to peruse. RDP is obviously not a great service to have exposed externally especially from servers potentially serving up sensitive information. Fortunately, there are ways to mitigate the risks while getting the access you want.
Setup
Here were the conditions with which I had to work (they’re fairly standard for a pentest):
- SSH’d from local vm to an externally facing box without a GUI.
- My internal access was routed through a meterpreter session on a compromised machine.
- RDP was not enabled on the target server.
First things first, I had to get RDP running on the target and make sure there was corresponding exception through the firewall. First, I attempted to make use of the metasploit post-module, but I didn’t have any luck. And so I turned my attention to Empire.
Meterpreter-to-Empire Agent
We’ve gone from Empire to Meterpreter. Now we’ll go back in the opposite direction. Since I had compromised the target box in this case using the psexec_psh Metasploit exploit, I didn’t have an Empire agent running on it.
From within the context of an active Empire listener, use the “launcher” command.
Note: As there is always more than one way to do something in Empire, you can also make use of the “usestager” command (once again, from within your desired listener), set specific options, and then type “generate” or “execute.”
From within your meterpreter session, drop to shell, and copy, paste, and run the generated PowerShell command. Empire will give you notification that a new agent has called back to your listener.
Once you have an agent running, you can interact with that agent. Use the enable_rdp module in Empire. Make sure your agent is set, type “execute,” and hit enter. Using the following command from within a shell to show whether or not remote desktop is up and running:
netstat -anop tcp | find “3389”
In my case, it was!
Protecting the Exposure
Once RDP is enabled, it’s best to set up a tunnel through which to route RDP. That way, RDP isn’t just hanging out on the Internet waiting for a legitimate attacker.
The first step is to return to our meterpreter session and enable port forwarding appropriately.
portfwd add -L 127.0.0.1 -l 33891 -r <remote IP> -p 3389
After that, I had to edit my host’s .ssh/config file to include “LocalForward 127.0.0.1:33891 127.0.0.1:33891” under the host to which I was connecting. After that, running “rdesktop 127.0.0.1:33891” from my host, I was finally able to get a RDP session off of that box!
It’s takes a little bit of work (and tunneling/port forwarding aren’t always the most intuitive concepts), but this is a great way to partner the best of Metasploit and Empire to pwn boxes and get data.
Enjoy and Happy Hunting!
