1
00:00:00,950 --> 00:00:08,600
The enable_rdp module under the manage group enables the remote desktop service, RDP. It provides the

2
00:00:08,600 --> 00:00:14,300
‫options to create an account and configure it to be a member of the local administrators and remote

3
00:00:14,300 --> 00:00:15,530
‫desktop users group.

4
00:00:16,310 --> 00:00:21,020
It can also forward the target's port 3389 TCP.

5
00:00:22,370 --> 00:00:28,400
The module makes the value of the fDenyTSConnections registry key one.

6
00:00:29,500 --> 00:00:34,690
Plus, if it's closed, the module opens the port, which is going to be used by RDP.

7
00:00:36,770 --> 00:00:43,940
So in this demo, we have a Windows eight as a victim with the IP address, two to three, and here's

8
00:00:43,940 --> 00:00:44,960
the attacker, Kali.

9
00:00:46,550 --> 00:00:50,930
Now, let's start msfconsole and open a Meterpreter session first.

10
00:00:51,770 --> 00:00:56,300
‫We've done it several times and the subject of this demo is not exploiting, so I'll just open the session

11
00:00:56,300 --> 00:00:57,190
‫as fast as I can.

12
00:01:02,060 --> 00:01:05,090
OK, I have a Meterpreter session on Windows eight now.

13
00:01:06,320 --> 00:01:13,190
‫First, I want to know whether the remote desktop connection is allowed on the victim or not, I can

14
00:01:13,190 --> 00:01:16,240
learn it by looking at the value of the

15
00:01:16,250 --> 00:01:18,440
fDenyTSConnections registry key.

16
00:01:19,490 --> 00:01:25,370
Thankfully, I have a reg command in Meterpreter. Let's create the appropriate reg command and look

17
00:01:25,370 --> 00:01:25,820
‫at the key.

18
00:01:26,820 --> 00:01:32,260
reg is the command itself, queryval parameter is our intention.

19
00:01:32,700 --> 00:01:34,570
‫We just want to query the value.

20
00:01:35,550 --> 00:01:43,800
Now is the key path with the -k parameter, HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet.

21
00:01:46,940 --> 00:01:49,280
Control, Terminal Server.

22
00:01:50,990 --> 00:01:56,270
And now the value with the -v parameter, fDenyTSConnections.

23
00:01:57,510 --> 00:02:03,780
And here is a result set, the data of the value is one, which means the remote desktop connection is

24
00:02:03,960 --> 00:02:07,260
‫not allowed on the machine at this time.

25
00:02:08,350 --> 00:02:14,710
‫So let's go to the Windows eight system to check the configuration of the remote desktop, I want to

26
00:02:14,710 --> 00:02:15,730
‫verify our finding.

27
00:02:16,820 --> 00:02:24,080
So in the start menu, I'll search for the remote word, select settings, from the results I select allow

28
00:02:24,080 --> 00:02:25,880
‫remote access to your computer.

29
00:02:27,370 --> 00:02:30,550
‫Now we are under the remote tab of system properties.

30
00:02:32,030 --> 00:02:37,250
‫As you can see in the remote desktop frame, remote connections to this computer is not allowed.

31
00:02:37,280 --> 00:02:38,650
‫So our finding is correct.

32
00:02:39,990 --> 00:02:44,170
‫But now let's enable remote desktop connection on the victim.

33
00:02:44,970 --> 00:02:53,100
We can run the post module directly under the Meterpreter session using the run command. I run post/windows/

34
00:02:53,100 --> 00:02:56,430
manage/enable_rdp and hit enter.

35
00:02:58,360 --> 00:03:01,150
And it's finished. To learn if it succeeded,

36
00:03:01,600 --> 00:03:05,290
I'd like to query the fDenyTSConnections again.

37
00:03:06,100 --> 00:03:10,360
Now remember, you can call the previous commands by using the arrow keys.

38
00:03:12,310 --> 00:03:15,040
‫And yes, the data of the value is zero now.

39
00:03:15,890 --> 00:03:19,630
‫That means remote desktop is no longer denied.

40
00:03:20,410 --> 00:03:25,020
‫So once again, I will want to double check it with our victim.

41
00:03:25,540 --> 00:03:32,620
‫And again, I search for remote in the start menu, select settings and select allow remote access to

42
00:03:32,620 --> 00:03:33,390
‫your computer.

43
00:03:34,030 --> 00:03:34,780
‫And here it is.

44
00:03:35,020 --> 00:03:37,680
‫As you see, the remote connection is allowed.

45
00:03:37,690 --> 00:03:41,140
Now, we succeeded to enable RDP.

46
00:03:41,770 --> 00:03:42,340
‫Well done.

47
00:03:44,050 --> 00:03:48,280
‫But I am not comfortable unless I see the result with my own eyes.

48
00:03:49,060 --> 00:03:51,580
‫I just want to make a remote connection to the victim.

49
00:03:52,900 --> 00:04:00,670
So now I'm on my host system, which is a Mac. Now, to be able to make a remote connection, I'll

50
00:04:00,670 --> 00:04:03,700
‫go to the App Store to download Microsoft remote desktop.

51
00:04:08,650 --> 00:04:10,960
‫And it looks like it's installing.

52
00:04:12,250 --> 00:04:14,320
When the installation is finished.

53
00:04:16,210 --> 00:04:17,080
‫I'll open the app.

54
00:04:18,820 --> 00:04:25,960
Now I click new and create a new remote connection. IP address of the Windows eight machine is two to

55
00:04:25,960 --> 00:04:26,440
‫three.

56
00:04:29,330 --> 00:04:32,960
I'll assume that we already know a valid username password pair.

57
00:04:34,930 --> 00:04:37,690
And I'll leave the other settings with the default values.

58
00:04:38,790 --> 00:04:41,490
‫Now, I'll double click the connection set up.

59
00:04:44,220 --> 00:04:47,910
‫OK, I verify this certificate and continue.

60
00:04:49,010 --> 00:04:53,660
‫And that's done, we have a remote desktop connection to the Windows eight machine.

61
00:04:54,570 --> 00:04:59,910
We enabled the remote connection and connected. The module is working like a charm.

62
00:05:02,440 --> 00:05:04,330
‫Now, I want to show you something more.

63
00:05:05,290 --> 00:05:08,590
Let's go back to the victim system, the Windows eight VM.

64
00:05:09,520 --> 00:05:15,820
‫Now, have a look at this, when we connect remotely, the current user is logged out because parallel

65
00:05:15,820 --> 00:05:17,560
‫sessions are restricted by default.

66
00:05:18,610 --> 00:05:24,190
‫So if you don't want to tip off the user of the victim machine, you'd better carry out the remote desktop

67
00:05:24,190 --> 00:05:26,150
‫connection when he or she is away.

68
00:05:26,890 --> 00:05:33,670
So to understand if the user of the computer is away or not, that's when we can use the idletime Meterpreter

69
00:05:33,670 --> 00:05:35,800
‫command before the remote connection.

70
00:05:36,400 --> 00:05:41,770
If the system is idle for a long time, then it's probably safe to assume that the user is away.

71
00:05:43,590 --> 00:05:50,400
‫Well, in fact, there is a way to have parallel sessions on Windows systems, so let's have a look

72
00:05:50,640 --> 00:05:55,290
‫at the current users not logged out when you connect remotely to the system.

73
00:05:55,770 --> 00:05:58,400
‫I'll just show you the method now and you can try it for yourself later.

74
00:05:59,950 --> 00:06:07,060
So what I do is I'll open the web browser and Google for enable parallel sessions in Windows eight.

75
00:06:09,930 --> 00:06:11,370
‫And click the first link.

76
00:06:13,210 --> 00:06:23,140
How to enable concurrent sessions is explained here. Now briefly, you should change the termsrv.dll with

77
00:06:23,140 --> 00:06:24,130
‫an appropriate one.

78
00:06:30,850 --> 00:06:35,870
And add the fSingleSessionPerUser value and set it to zero.

79
00:06:36,910 --> 00:06:42,910
‫I have to warn you here, though, do not download and use any file unless you trust the website 100

80
00:06:42,910 --> 00:06:43,480
‫percent.

81
00:06:43,510 --> 00:06:50,170
So if I were you, I wouldn't download the modified DLL file from this site because I just don't know

82
00:06:50,170 --> 00:06:50,830
‫the user's.

