RDP issues - PsExec to the rescue


Recently I faced an issue where I suddenly lost my RDP session to a remote Windows machine and couldn't connect back.
Even pings to this machine did not produce any response.

Luckily I have access to another Windows machine on the same network. After doing some research on the inter-webs I found a well-known Windows utility: PsExec.

PsExec is a light-weight Windows utility from the Windows Sysinternals suite (https://docs.microsoft.com/en-us/sysinternals/) that lets you execute processes on other systems.

I decided to check whether that machine is really up, so I did an Nmap scan using Zenmap.
Scan with -Pn, since our pings are blocked (-Pn skips host discovery and scans the ports regardless of ping replies).
So at least we know that the remote machine is up and that the RDP port, 3389, is open.
One setting in the Windows Registry controls whether RDP sessions are allowed: "fDenyTSConnections". Check this out: https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager-fdenytsconnections

So the value of this setting determines whether RDP connections are denied (value 1) or allowed (value 0).
Now let's use PsExec from the Windows machine where we do have access to connect to this machine. It is pretty simple: get the utility from the Sysinternals link given at the start and run this command (the account you run it as needs to be a local administrator on the remote machine, because PsExec works through its ADMIN$ share):
C:\PsExec64.exe \\10.x.x.x cmd
And it drops you right into the command prompt of that remote machine. Amazing!
Now from here I tried a few things to get remote access back:
  • Update the firewall rules to allow Remote Desktop:
    • netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
  • Add (if not already there) or update (if disabled) the registry entry for fDenyTSConnections:
    • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • Restart the Remote Desktop Services service, either through the command prompt we now have or from the other machine where we already had access:
    • On the other machine, open Services via Control Panel, or via Win+R then services.msc. Then right-click Services (Local) => Connect to another computer...
    • Enter the IP of the remote computer and restart Remote Desktop Services.
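Because the three fixes above were applied together, it is hard to tell afterwards which one mattered. The following PowerShell script is an added example, not code from the original post or from Sysinternals: it reads the state of each setting the post touches (the fDenyTSConnections value, the "Remote Desktop" firewall rule group, the TermService service and whether anything is listening on the RDP port) and, with -Repair, applies only the changes that are actually needed and reports which ones it made. It assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), an administrative prompt such as the one PsExec opened, and the file name Test-RdpState.ps1 and the -Repair switch are my own choices.

```powershell
# Test-RdpState.ps1 -- added example, not code from the original post.
# Reports the settings that decide whether RDP is reachable on the host it
# runs on and, with -Repair, applies only the changes that are needed.
# Assumptions: Windows 8 / Server 2012 or later (NetSecurity module), run
# from an administrative prompt, e.g. the cmd prompt PsExec opened:
#   powershell -ExecutionPolicy Bypass -File C:\Temp\Test-RdpState.ps1 -Repair
param([switch]$Repair)

$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpState {
    # fDenyTSConnections: 1 = RDP denied, 0 = allowed, $null = value not present
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # PortNumber under RDP-Tcp is the listener port; 3389 is the Windows default
    $port = (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }
    # UserAuthentication = 1 means Network Level Authentication is required
    $nla  = (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    $svc       = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { "$($svc.Status)" } else { 'missing' }

    # Same rule group that "netsh advfirewall firewall set rule group=\"remote desktop\"" targets
    $rules     = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue)
    $fwEnabled = @($rules | Where-Object { "$($_.Enabled)" -eq 'True' }).Count -gt 0

    # Is anything actually listening on the RDP port right now?
    $listening = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue).Count -gt 0

    [pscustomobject]@{
        DenyTSConnections = $deny
        FirewallGroupOn   = $fwEnabled
        ServiceStatus     = $svcStatus
        Port              = $port
        Listening         = $listening
        NlaRequired       = ($nla -eq 1)
    }
}

function Repair-RdpAccess {
    # Applies the same three fixes the post lists, but only those that are
    # needed, so the output shows which change actually made the difference.
    $before  = Get-RdpState
    $changed = @()

    if ($before.DenyTSConnections -ne 0) {
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Type DWord -Value 0
        $changed += 'fDenyTSConnections set to 0'
    }
    if (-not $before.FirewallGroupOn) {
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        $changed += 'Remote Desktop firewall rule group enabled'
    }
    if ($before.ServiceStatus -ne 'Running' -or -not $before.Listening) {
        # -Force is needed because TermService has dependent services
        Restart-Service -Name TermService -Force
        $changed += 'TermService restarted'
    }

    [pscustomobject]@{
        Before  = $before
        Changed = ($changed -join '; ')
        After   = Get-RdpState
    }
}

$state = Get-RdpState
$state | Format-List

if ($state.DenyTSConnections -eq 0 -and $state.FirewallGroupOn -and $state.Listening) {
    Write-Host "RDP looks reachable on TCP $($state.Port); if clients still fail, check the network path and NLA/credentials."
} elseif ($Repair) {
    Repair-RdpAccess | Format-List
} else {
    Write-Host 'RDP is blocked by one of the settings above; rerun with -Repair to change only what is needed.'
}
```

Run it once without -Repair to get the "before" picture, and again with -Repair if needed; the Changed field then records exactly which of the three fixes was applied. The NlaRequired field is informational: a host that ends up reachable but with NLA switched off is worth revisiting once the session is back.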
A few points which are important here:
  • We should know the IP addresses of these machines.
  • We should have proper and legal access to these machines.
  • Please try these commands at your own risk.
  • Currently I am not sure which command did the trick for me.
Now, as we saw, we can "pivot" from one machine to another using PsExec, so the same concept can be used to move across the network once a user's machine or credentials have been compromised, possibly gaining more footholds in the network. For the same reason it is worth knowing that PsExec works by copying a service binary to the ADMIN$ share and installing it as a service (PSEXESVC), so its use leaves service-installation events and admin-share logons that defenders commonly monitor.
