gentilkiwi
commented
3 years ago 
What version do you use ?
Open byehack opened 3 years ago
gentilkiwi
commented
3 years ago
What version do you use ?
byehack
commented
3 years ago 
gentilkiwi
commented
3 years ago yep, no reaseon, it's a recent version.
before building a special one, could you send output of ts::mstsc /verbose ?
byehack
commented
3 years ago i think the problem is from my system, i tested on other systems it worked.
mimikatz # ts::mstsc /verbose
!!! Warning: false positives can be listed !!!
| PID 22568 mstsc.exe (module @ 0x00000000012DFD60)
| 00007FFD5204C4C8 - 00007FFD52163390 - 0xdbcaabcd - 3 - 0000022978277678 - 45 - 00007FFD521F6310 - 00000229765C8590 - 198
ServerName [wstring] '123.x.x.x'
ServerNetBiosName [wstring] ''
ServerFqdn [wstring] ''
ServerAddressesToConnect [unk - 7] 0x0000000000000000
UserSpecifiedServerName [wstring] '123.x.x.x'
UserName [wstring] 'us'
Domain [wstring] 'DATASERVER'
Password [protect]
AlternateShell [wstring] 'notepad.exe'
WorkingDir [wstring] ''
ColorDepthID [ dword ] 5 (0x00000005)
AutoReconnectEnabled [ bool ] TRUE
MaxAutoReconnectAttempts [ dword ] 5 (0x00000005)
SasSequence [ dword ] 43523 (0x0000aa03)
EncryptionEnabled [ bool ] TRUE
MCSPort [ dword ] 3389 (0x00000d3d)
EnableMouse [ bool ] TRUE
DisableCTRLAltDel [ bool ] TRUE
EnableWindowsKey [ bool ] TRUE
DoubleClickDetect [ bool ] FALSE
ConnectToAdministerServer [ bool ] FALSE
Compress [ bool ] TRUE
MaxRdpCompressLevel [ dword ] 3 (0x00000003)
SmartCardReaderName [wstring] ''
ContinueOnArcFailure [ bool ] TRUE
MultiFragUpdateMaxPayloadSize [ word? ] 18475 (0x482b)
ShadowBitmapEnabled [ bool ] TRUE
MaximizeShell [ bool ] TRUE
AudioRedirectionMode [ dword ] 0 (0x00000000)
AudioCapture [ bool ] FALSE
AudioEnforcePCM [ bool ] FALSE
VideoPlayback [ dword ] 1 (0x00000001)
AudioQualityMode [ dword ] 0 (0x00000000)
AutoLogon [ bool ] FALSE
PerformanceFlags [ dword ] 384 (0x00000180)
PublicMode [ bool ] FALSE
PasswordContainsSCardPin [ bool ] FALSE
RemoteSessionId [ dword ] 21 (0x00000015)
BitmapCacheSize [ dword ] 1500 (0x000005dc)
BitmapPersistenceEnabled [ bool ] TRUE
BitmapPersistencePath [wstring] ''
BitmapCacheSize8bpp [ dword ] 10 (0x0000000a)
BitmapCacheSize16bpp [ dword ] 20 (0x00000014)
BitmapCacheSize24bpp [ dword ] 30 (0x0000001e)
BitmapCacheSize32bpp [ dword ] 40 (0x00000028)
ScaleBmpCacheByBpp [ bool ] TRUE
ShutdownTimeout [ dword ] 5 (0x00000005)
ConnectionTimeout [ dword ] 900 (0x00000384)
SingleConnectionTimeout [ dword ] 8 (0x00000008)
MaxEventCount [ dword ] 100 (0x00000064)
KeepAliveInterval [ dword ] 0 (0x00000000)
ConnectModeString [wstring] 'TCP'
LoopbackConnection [ bool ] FALSE
ConnectedSocketHandle [unk - 5] 0xFFFFFFFFFFFFFFFF
UseRedirectionUserName [ bool ] FALSE
RedirectionUserName [wstring] ''
RedirectionUseSCardLogon [ bool ] FALSE
UseRedirectionServerName [ bool ] FALSE
RedirectionClientRedirected [ bool ] FALSE
PKEncryptedPassword [wstring] ''
RedirectionGuid [wstring] ''
TargetCertificate [wstring] ''
ClientUpdateLocation [wstring] ''
UseLogonCertificate [ bool ] FALSE
IsOOBClient [ bool ] FALSE
IsWorkspaceRDmiSubscription [ bool ] FALSE
UseFIPS [ bool ] FALSE
AuthenticationLevel [ dword ] 0 (0x00000000)
IgnoreAuthenticationLevel [ bool ] FALSE
AuthServiceClass [wstring] 'TERMSRV'
UseRdpSecurityLayer [ bool ] FALSE
EnableCredSspSupport [ bool ] TRUE
UseRdsTls [ bool ] FALSE
ServerCertificate [unk - 5] 0x0000000000000000
RedirectAuthRequestAltContext [unk - 5] 0xFFFFFFFFFFFFFFFF
FedAuth [wstring] ''
EncryptionCoveragePercentage [ dword ] 100 (0x00000064)
ForcedEncryptionHeader [ dword ] 0 (0x00000000)
FastPathExSupported [ bool ] FALSE
DeltaEncoderEnabled [ bool ] FALSE
DeltaEncoderCacheFrames [ dword ] 0 (0x00000000)
SuppressWhenMinimized [ bool ] TRUE
RailMode [ bool ] FALSE
RemoteApplicationName [wstring] ''
RemoreApplicationProgram [wstring] ''
RemoreApplicationArgs [wstring] ''
RemoteDesktopName [wstring] ''
NegotiateSecurityLayer [ bool ] TRUE
CredSspIsPresent [ bool ] TRUE
CredentialsAuthenticationBlob [unk - 7] 0x0000000000000000
TscSslFilter [unk - 7] 0x0000000000000000
RemoteDesktop_SuppressWhenMinimized [ dword ] 1 (0x00000001)
EnableSslWithUserAuth [ bool ] FALSE
SuppressOrders [ bool ] FALSE
UseSSLSecurityLayer [ bool ] FALSE
LastSSLDisconnectReason [ dword ] 0 (0x00000000)
LastSSLErrorCode [ dword ] 0 (0x00000000)
PCB [wstring] ''
SecLayerNegCompleteEvent [unk - 7] 0x00000229782A9EB8
TransportUIMessaging [unk - 7] 0x00000229782820C0
UsingSavedCreds [ bool ] TRUE
SSLReconnectAttempted [ bool ] FALSE
DisableCredentialsDelegation [ bool ] FALSE
UseMcsMsgChannel [ bool ] TRUE
McsMsgChannelID [ dword ] 1008 (0x000003f0)
UseMultimon [ bool ] FALSE
SelectedMonitors [unk - 7] 0x00000229782882B0
UseMultiTransports [ bool ] TRUE
MultiTransportServerFlag [ dword ] 769 (0x00000301)
ExternalStream [unk - 7] 0x0000000000000000
ServerNameUsedForAuthentication [wstring] '123.x.x.x'
ExtendedGccUserDataSupported [ bool ] TRUE
DynVcGfxProtocolServerSupported [ bool ] TRUE
LiveIdSupported [ bool ] TRUE
LastCredsAction [ dword ] 2 (0x00000002)
WorkspaceSSOEnabled [ bool ] FALSE
AppContainerID [wstring] ''
WorkspaceDisplayName [wstring] ''
NetworkConnectionType [ dword ] 1 (0x00000001)
DisableCodecCaps [ bool ] FALSE
AllowPromptingForCredentials [ bool ] TRUE
GraphicsController [unk - 7] 0x0000022978289AC8
RequestSessionId [ bool ] FALSE
DisableGfxDecoding [ bool ] FALSE
DisableAutoReconnect [ bool ] FALSE
CachedCompressor [unk - 7] 0x0000000000000000
NSCCachedCompressor [unk - 7] 0x0000000000000000
CACCachedCompressor [unk - 7] 0x0000000000000000
RDGIsKDCProxy [ bool ] FALSE
KDCProxyName [wstring] ''
SessionPresentationTime [unk - 7] 0x0000000000000000
SideTransportType [ dword ] 1 (0x00000001)
VideoRemotingFrameDebugEnabled [ bool ] FALSE
RestartGfxSoftware [ bool ] FALSE
SaveGfxSurfacesPath [wstring] ''
VideoRemotingAudioDelay [ word? ] 0 (0x0000)
ConnectToChildSession [ bool ] FALSE
PhysicalDesktopWidth [ dword ] 0 (0x00000000)
PhysicalDesktopHeight [ dword ] 0 (0x00000000)
DesktopOrientation [ dword ] 4294967295 (0xffffffff)
DesktopScaleFactor [ dword ] 0 (0x00000000)
DeviceScaleFactor [ dword ] 0 (0x00000000)
ServerSupportsEdgeActions [ bool ] FALSE
ServerSupportsEdgeActions2 [ bool ] TRUE
SurfaceFactory [unk - 7] 0x000002297829F210
BandwidthAutodetect [ bool ] TRUE
DisableUDPTransport [ bool ] FALSE
DisableSoftSyncExtensions [ bool ] FALSE
SetClientProtocolSpecMode [ dword ] 0 (0x00000000)
GraphicsCapsVersion [ dword ] 655872 (0x000a0200)
AVCDecodeCapability [wstring] 'Hardware'
RdpAllowTestRecording [ bool ] FALSE
RdpSetRecorderDLLName [wstring] ''
RdpPerfLogger [unk - 7] 0x0000000000000000
IgnoreCursors [ bool ] FALSE
RedirectorAuthInfo [unk - 7] 0x0000000000000000
DynamicTimeZoneSupported [ bool ] TRUE
EnableHardwareResources [ bool ] TRUE
EnableHardwareMode [ bool ] TRUE
DisableH264HardwareDecode [ bool ] FALSE
EnableH264CPUDecode [ bool ] TRUE
EnableH264CPUDecodeMF [ bool ] TRUE
ForceCapsVersion [ dword ] 0 (0x00000000)
SendCorrelationId [ bool ] FALSE
CorrelationId [wstring] '{6294869E-3DFA-42AC-870C-2E1D0A750000}'
ConnectionCorrelationId [wstring] '{6294869E-3DFA-42AC-870C-2E1D0A750000}'
CorrelationIdIsStatic [ bool ] FALSE
DiagnosticsInfo [wstring] ''
RemoteApplicationHiDefSession [ bool ] FALSE
RemoteApplicationHiDefSupportedByClient [ bool ] TRUE
UseURCPSupported [ bool ] FALSE
HiDefRemoteAppMode [ dword ] 0 (0x00000000)
HiDefRemoteAppContainerGUID [wstring] ''
RestrictedLogon [ bool ] FALSE
RedirectedAuthentication [ bool ] FALSE
SaveDecodedImgToFile [ bool ] FALSE
DecodedImgFileNameBase [wstring] ''
PersistWorkspaceCredential [ bool ] FALSE
FrameAckAlwaysOn [ bool ] FALSE
RDmiUsername [wstring] 'us'
RDmiDiagnosticsUrl [wstring] ''
ClientBuild [ dword ] 19041 (0x00004a61)
LegacyServerRDPVersion [ dword ] 524295 (0x00080007)
LegacyServerCodecIDBitmask [ dword ] 16 (0x00000010)
EnableServerRedirectionPduProcessing [ bool ] TRUE
PrintingProgressMode [ dword ] 1 (0x00000001)
ClientDeviceName [wstring] ''
SuspendHeartbeatCheck [ bool ] FALSE
MultiTransportCookie0 [ dword ] 2050055522 (0x7a315d62)
MultiTransportCookie1 [ dword ] 954647436 (0x38e6c38c)
MultiTransportCookie2 [ dword ] 4069665662 (0xf2922b7e)
MultiTransportCookie3 [ dword ] 1201862707 (0x47a2f833)
MultiTransportCookie4 [ dword ] 3010028054 (0xb3696216)
MultiTransportCookie5 [ dword ] 3132447569 (0xbab55b51)
MultiTransportCookie6 [ dword ] 1621917143 (0x60ac7dd7)
MultiTransportCookie7 [ dword ] 4076086184 (0xf2f423a8)
HvsiEnabled [ bool ] FALSE
EnableVailMonitorConfig [ bool ] FALSE
| 00007FFD52061270 - 00007FFD52163390 - 0xdbcaabcd - 3 - 00000229782791D8 - 26 - 00007FFD521F4050 - 00000229765CC810 - 138
FullScreen [ bool ] FALSE
HorizontalScrollBarVisible [ bool ] FALSE
VerticalScrollBarVisible [ bool ] FALSE
StartFullscreen [ bool ] FALSE
DesktopWidth [ dword ] 1024 (0x00000400)
DesktopHeight [ dword ] 768 (0x00000300)
FullScreenTitle [wstring] ''
ContainerHandlesFullScreen [ bool ] TRUE
KeyboardLayoutString [wstring] '0xffffffff'
EnableSmartSizing [ bool ] FALSE
GrabFocusOnConnect [ bool ] TRUE
DisableSCRIPTVC [ bool ] FALSE
DisablePasswordSaving [ bool ] FALSE
DisableRDPSNDSVC [ bool ] FALSE
AcceleratorCheckState [ bool ] TRUE
UseShadowBitmapInFullScreen [ bool ] TRUE
KeyboardHookMode [ dword ] 1 (0x00000001)
ShowRedirectionWarningDialog [ bool ] TRUE
RedirectionWarningType [ dword ] 3 (0x00000003)
ShellMarkRdpSecure [ bool ] FALSE
PublisherCertificateChain [unk - 5] 0x0000000000000000
HostedInWebPage [ bool ] FALSE
WarnAboutSendingCreds [ bool ] FALSE
WarnAboutClipboard [ bool ] FALSE
WarnAboutPrinters [ bool ] FALSE
WarnAboutDirectX [ bool ] FALSE
ConnectionBarText [wstring] ''
LaunchedViaClientShellInterface [ bool ] FALSE
TrustedZoneSite [ bool ] FALSE
ForceDisableDriveRedirection [ bool ] FALSE
EnablePrinterRedirection [ bool ] TRUE
ForceDisablePrinterRedirection [ bool ] FALSE
EnablePortRedirection [ bool ] FALSE
ForceDisablePortRedirection [ bool ] FALSE
EnableSCardRedirection [ bool ] TRUE
ForceDisableSCardRedirection [ bool ] FALSE
EnableClipboardRedirection [ bool ] TRUE
ForceDisableClipboardRedirection [ bool ] FALSE
DisableFileClipboard [ bool ] FALSE
EnableManualClipboardSync [ bool ] FALSE
ManualClipboardSyncInterface [unk - 7] 0x0000000000000000
DisableRDPDR [ bool ] FALSE
EnableDynamicDeviceRedirection [ bool ] FALSE
EnableDynamicDriveRedirection [ bool ] FALSE
ForceDisablePnPDeviceRedirection [ bool ] FALSE
DeviceCollection [unk - 7] 0x0000022978290530
DynamicRedirectDeviceClasses [unk - 7] 0x00000229782887B8
DynamicRedirectDeviceInterfaces [unk - 7] 0x0000022978288678
EnableTsRedirectFlag [ bool ] TRUE
DriveCollection [unk - 7] 0x00000229782932A0
EnablePOSDeviceRedirection [ bool ] FALSE
EnableDirectXRedirection [ bool ] FALSE
ForceDisableDirectXRedirection [ bool ] TRUE
EnableLocationRedirection [ bool ] FALSE
EventsAtOnce [ dword ] 10 (0x0000000a)
MinSendInterval [ dword ] 100 (0x00000064)
AllowBackgroundInput [ bool ] FALSE
MinutesToIdleTimeout [ dword ] 0 (0x00000000)
HotKeyFullScreen [ dword ] 3 (0x00000003)
HotKeyCtrlEsc [ dword ] 36 (0x00000024)
HotKeyAltEsc [ dword ] 45 (0x0000002d)
HotKeyAltTab [ dword ] 33 (0x00000021)
HotKeyAltShiftTab [ dword ] 34 (0x00000022)
HotKeyAltSpace [ dword ] 46 (0x0000002e)
HotKeyCtrlAltDelete [ dword ] 35 (0x00000023)
HotKeysAxToContainerLeft [ dword ] 37 (0x00000025)
HotKeysAxToContainerRight [ dword ] 39 (0x00000027)
HotKeysAxToContainerUp [ dword ] 38 (0x00000026)
HotKeysAxToContainerDown [ dword ] 40 (0x00000028)
HotKeysEnabled [ bool ] TRUE
BBarLoadBBar [ bool ] TRUE
BBarEnabled [ bool ] TRUE
BBarPinned [ bool ] FALSE
BBarShowMinimizeBtn [ bool ] TRUE
BBarShowRestoreBtn [ bool ] TRUE
BBarShowPinBtn [ bool ] TRUE
BBarShowCloseBtn [ bool ] TRUE
BBarShowQualityBtn [ bool ] TRUE
EnableRemoteEdgeBar [ bool ] TRUE
DisableSeamlessLanguageBar [ bool ] FALSE
ClxCmdLine [wstring] ''
EnableRelativeMouse [ bool ] FALSE
ClipMouseToVisible [ bool ] TRUE
AllowCaptureMouse [ bool ] TRUE
AllowSmartResize [ bool ] TRUE
CollabSession [ bool ] FALSE
PromptForCredentials [ bool ] FALSE
AllowCredentialSaving [ bool ] FALSE
PromptForCredsOnClient [ bool ] FALSE
DisableWindowsPresentationFrameworkPipe [ bool ] FALSE
SuperPanEnabled [ bool ] FALSE
SuperPanAccelFactor [ dword ] 1 (0x00000001)
DisableRemoteAppCapsCheck [ bool ] FALSE
CertErrorDialogDisplayed [ bool ] FALSE
TaskbarInterface [unk - 7] 0x00000229765E2810
WorkspaceName [wstring] ''
WorkspaceID [wstring] ''
EnableWorkspaceReconnect [ bool ] FALSE
AudioPlaybackDevice [wstring] 'default'
AudioCaptureDevice [wstring] 'default'
EnableMediaOptimizations [ bool ] FALSE
IgnoreServerGeneratedMouseMoves [ bool ] FALSE
IgnoreClientSideMouseInput [ bool ] FALSE
GfxContentType [ dword ] 4 (0x00000004)
UseClxMirrorSurface [ bool ] FALSE
AutodetectedNetworkRTTInt [ word? ] 375 (0x0177)
AutodetectedNetworkBandwidthInt [ word? ] 292 (0x0124)
ConnectionHealthState [ word? ] 0 (0x0000)
NetworkMetricsUpdatedTick [ word? ] 16730 (0x415a)
UsbRedirectionActivated [ bool ] FALSE
EnableMediaOptimizations [ bool ] FALSE
MinSendIntervalOverride [ dword ] 10 (0x0000000a)
RenderCodecOverlay [ bool ] FALSE
RenderCacheHitOverlay [ bool ] FALSE
RenderLastFrameId [ dword ] 28 (0x0000001c)
RenderVisualizationEnabled [ bool ] FALSE
VideoOverlayEnabled [ bool ] FALSE
ShowSessionDiagnostics [ bool ] FALSE
ShowGatewayInformation [ bool ] FALSE
UseSurfacePresenter [ bool ] FALSE
UseNewOutput [ bool ] TRUE
ShowAppContClientDialogs [ bool ] FALSE
EnableFBR [ bool ] FALSE
FBRPresenter [unk - 7] 0x0000000000000000
DisableFullScreenHotkey [ bool ] FALSE
EnableRemoteTouchVisuals [ bool ] FALSE
DisableTouchRemoting [ bool ] FALSE
DisplayViewOrientation [ dword ] 0 (0x00000000)
CounterRotateTopLandscapeDisplay [ bool ] FALSE
MonitorGapWidth [ dword ] 0 (0x00000000)
ZoomLevel [ dword ] 250 (0x000000fa)
IsCollabScenario [ bool ] FALSE
EnableZoom [ bool ] FALSE
TouchDevicePresent [ bool ] FALSE
MaxTouchContacts [ dword ] 0 (0x00000000)
MultipenRemotingSupported [ bool ] FALSE
AllowSasSequenceTransmission [ bool ] TRUE
UiaRemoteMachineId [wstring] ''
mimikatz #
Could you connect to this target without using a RDP file (do you use one ?), just by using: mstsc /v:1.2.3.4 ? and test again?
byehack
commented
3 years ago i tried with mstsc -v: 123.x.x.x and mstsc -v: 123.x.x.x /F -console. same results.
gentilkiwi
commented
3 years ago You don't have AutoLogon to true, because your AuthenticationLevel is 0 (not NLA at all, it's like typing your password on the Windows login screen)
mstsc is not really aware of your creds, cause no NLA.
byehack
commented
3 years ago but i used saved creds to connect rdp.
gentilkiwi
commented
3 years ago If so, there are so many ways to get it :') But my prefered is by dpapi ;)
You can start by exploring with vault::cred
But more fun by using files in: %localappdata%\Microsoft\Credentials with dpapi::cred : https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
byehack
commented
3 years ago i know i can get it using dpapi.(which i tried and get it.) but i suprised why mstsc dumping doesn't working. btw it is because No NLA. i will try using NLA on to connect rdp.
byehack
commented
3 years ago it worked with NLA. I have another proposal that add MCSPort to main result list.
gentilkiwi
commented
3 years ago Yeah, I think about AutoLogon and AuthenticationLevel too now ;)
discussed in https://github.com/skelsec/pypykatz/pull/89.