Hacking Microsoft RDP for Fun and Profit: Post-exploitation the easy way

Presented at REcon 2011, July 9, 2011, 3 p.m. (30 minutes).

Microsoft RDP is a powerful feature included in almost every version of Microsoft Windows, which enables users to log in remotely while enjoying a familiar graphical and sound experience. However, Microsoft has restricted RDP functionality in so many ways that even regular users have to apply third-party patches to enable missing functions (such as concurrent sessions). Nowadays, many professional cyber attacks are carried out by hand in the post-exploitation stage, via a malicious VNC connection, rather than via an automated payload trojan. Such attacks are still rare, because a custom implementation of a remote desktop protocol is somewhat resource-intensive and unreliable. But what if the attacker thinks of implementing a malicious remote desktop backdoor on top of the default functionality of Microsoft Windows? In this presentation we will discuss the Microsoft RDP internals and how an attacker might intercept them to achieve some malicious profit.
