Black Hat USA 2003 Briefings and Training
Las Vegas July 28-31, 2003
Timothy M. Mullen, AnchorIS.Com, Inc. / Ryan L Russell
Welcome to BlackHat!

TSGrinder
Terminal Server brute force password guessing tool

Need
- Penetration testers do not have a good automated tool for testing Terminal Services authentication
- Should work with a variety of RDP versions
- Should allow password permutations
- Should use as many simultaneous channels as the server allows
- Every authentication protocol should have a brute force guessing tool

Possible ways to accomplish
- Reverse engineer the RDP protocol from scratch
- Use rdesktop from rdesktop.org
- Use smclient from the Win2K Server Resource Kit

Reverse engineering the RDP protocol

rdesktop.org
- Portable, independently-created RDP client implementation
- Fairly functional
- Closest thing to public documentation of the RDP protocol
- Doesn't deal with text, it deals with glyphs (

Smclient
- Looks almost exactly like what we want
- Allows limited scripting of input and output
- Allows multiple simultaneous clients
- Always tries each (bad) password 6 times. Why would it do that?

Hooking mstsc.exe
- Turns out, that's exactly how smclient works.
- At least back to Win2K, mstsc.exe has an undocumented API.

/clxdll
- Mstsc.exe has a command-line option to use a dll with callback functions to hook the client.
- Command-line looks like:
  mstsc.exe /CLXDLL=CLXTSHAR.DLL /CLXCMDLINE=hSMC=(hWnd)

tclient.dll
- Smclient.exe is a simple front-end to tclient.dll
- Tclient.dll appears to expose enough public functions to do what we want
- Problem is, the SCConnect function has a hard-coded 6 attempts per password. This also limits it to one

Some notes on logging
- You get 5 bad password attempts, and the sixth attempt cuts your connection
- A log entry is created only if you make 6 bad attempts on the same connection
- If you make 5 attempts, and then disconnect, no log.

Performance
- We want to try multiple passwords per connection (up to 5)
- We want to have multiple clients attempting simultaneously, with coordination about who is doing which passwords.
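
The logging rule from the previous slide (five bad guesses tolerated, the sixth drops the connection and is the only thing that writes a log entry), the two performance goals above, and the password-permutation requirement from the Need slide, as one runnable model. This is an added example and not code from TSGrinder, smclient or tclient.dll; it speaks no RDP. The TerminalServer/Connection classes, the max_connections limit, the permutation rules (case variants, leet substitution, a handful of suffixes) and the wordlist are all constructed assumptions for the demonstration. It runs a naive client (guess until dropped, reconnect) and a grinder (five guesses per connection, several coordinated connections, disconnect before the sixth) against the same server and compares the log.

```python
"""Toy model of the Terminal Server logging behaviour described on the slides and
of a guess scheduler that stays under the logging threshold.  Added example, not
code from TSGrinder, smclient or tclient.dll; nothing here speaks RDP."""
import itertools

MAX_BAD_PER_CONNECTION = 5   # slides: 5 bad attempts allowed, the 6th cuts the connection

LEET = str.maketrans("aeios", "43105")   # assumed permutation rule, not from the slides


def permutations(word):
    """Yield password permutations of one wordlist entry.  The rule set (case
    variants, leet substitution, common suffixes) is an assumption."""
    bases = sorted({word, word.lower(), word.capitalize(), word.upper(), word.translate(LEET)})
    seen = set()
    for base, suffix in itertools.product(bases, ("", "1", "123", "!", "2003")):
        candidate = base + suffix
        if candidate not in seen:
            seen.add(candidate)
            yield candidate


def candidates(wordlist):
    """All permutations of a wordlist, in a fixed order."""
    return [c for word in wordlist for c in permutations(word)]


class Connection:
    """One client connection to the toy server."""
    def __init__(self, server):
        self.server = server
        self.bad = 0
        self.open = True

    def login(self, password):
        """Return True on success.  The 6th bad attempt on this connection
        drops it and is the only event that produces a log entry."""
        if not self.open:
            raise RuntimeError("connection already dropped")
        self.server.attempts += 1
        if password == self.server.password:
            self.close()          # session established; release the slot in this model
            return True
        self.bad += 1
        if self.bad > MAX_BAD_PER_CONNECTION:
            self.server.log.append("%d bad logon attempts on one connection" % self.bad)
            self.close()
        return False

    def close(self):
        if self.open:
            self.open = False
            self.server.active -= 1


class TerminalServer:
    """Assumed model of the logging and connection-limit behaviour."""
    def __init__(self, password, max_connections):
        self.password = password
        self.max_connections = max_connections
        self.active = 0
        self.attempts = 0
        self.log = []             # one entry per connection that reached the 6th bad attempt

    def connect(self):
        if self.active >= self.max_connections:
            raise ConnectionRefusedError("server allows no more simultaneous connections")
        self.active += 1
        return Connection(self)


def naive_guess(server, passwords):
    """Keep guessing on one connection until the server drops it, then
    reconnect: every 6 bad guesses produce a log entry."""
    conn = server.connect()
    for password in passwords:
        if not conn.open:
            conn = server.connect()
        if conn.login(password):
            return password
    return None


def grind(server, passwords, channels):
    """Spread passwords over `channels` simultaneous connections, at most
    MAX_BAD_PER_CONNECTION guesses each, then disconnect before the 6th.
    The shared iterator is the coordination: each password is tried once."""
    queue = iter(passwords)
    while True:
        batches = [b for b in (list(itertools.islice(queue, MAX_BAD_PER_CONNECTION))
                               for _ in range(channels)) if b]
        if not batches:
            return None
        conns = []
        try:
            for _ in batches:
                conns.append(server.connect())   # raises if the server allows fewer channels
            for conn, batch in zip(conns, batches):
                for password in batch:
                    if conn.login(password):
                        return password
        finally:
            for conn in conns:
                conn.close()


if __name__ == "__main__":
    words = ["admin", "summer", "password"]          # constructed sample wordlist
    for client in (naive_guess, lambda s, c: grind(s, c, channels=3)):
        server = TerminalServer("Summer123", max_connections=4)
        found = client(server, candidates(words))
        print(found, "after", server.attempts, "attempts; log entries:", len(server.log))
```

Both clients find the password on the 33rd attempt; the difference is that the naive client leaves five log entries behind while the grinder leaves none, because no connection ever sees a sixth bad guess. Asking for more channels than the server allows fails at connect time, which is the signal a real tool would use to discover how many simultaneous channels the server permits.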

Solution
- Write our own connect function
- Can use the rest of the functions in tclient.dll as-is (some of which are not exported)
- Allows us to have the degree of control we need

Amusements
- Smclient is only half-done, doesn't actually work like the docs say
- Smclient is compiled in debug mode
- Turns out, tsgrinder crashes if in release (non-debug) mode. It crashes in tclient.dll

Future enhancements
- Need help testing with non-English versions of terminal server
- Tell us what you'd like to see it do that it doesn't do now