Automatic RDP checker for configuration

Continuing the topic of Windows weaknesses, we will keep talking about attacks on corporate networks. Surprisingly, the Pass-the-Hash technique now works for RDP connections too. That is, you can authenticate with a user's NTLM hash when connecting via RDP!

On the other hand, I recently learned that not everyone knows what PtH is, so I will explain it briefly.
Let's start with the fact that Windows is a multi-user system and therefore has to store user passwords. Storing them in plaintext is not secure, so they are stored hashed. A hash is a one-way function: the input cannot be recovered from the output (that is, it cannot be "decrypted"). The NT hash is the format in which Windows stores passwords, and I would like to emphasize that the storage format is the same whether the machine is a standalone host or a domain member.


The second important point is Windows' deep support for Single Sign-On (automatic authentication with the credentials already entered), built on NTLM authentication. Neither the password nor the NT hash itself is transmitted in the clear. The exchange works as follows: the client sends a connection request; the server replies with a randomly generated value (the challenge); the client combines the user's hash with the challenge, hashes the result and sends it to the server; the server performs the same computation with the stored hash, and if the results match, the user is authenticated.

The conclusion is that the NT hash is the exact equivalent of the user's password, because almost every service in the Windows ecosystem supports NTLM authentication: HTTP, SMB (through which a host can be connected to and managed remotely), SMTP, FTP, SQL Server connections, and so on.

Thus, having compromised one host in the domain, an attacker can extract user hashes from memory and then move through the network, authenticating with them everywhere. This technique is called Pass-the-Hash, and with it domain defenses fold like a house of cards.

The exception had always been the RDP protocol: previously you could connect only by entering a password. That was a problem, because corporate networks very often contain isolated segments (a DMZ, for example) where the firewall allows only RDP in (so that admins can administer the hosts).

In Windows 8.1 and Server 2012 R2, hash-based authentication is now supported by default. Microsoft, however, originally called this feature Restricted Admin Mode and, of course, does not describe it as "support" for PtH.

So let's thank the researchers at labs.portcullis.co.uk for telling the world the whole truth (for details, watch the video there). Now briefly about practice. All we need to connect is the result of the FreeRDP project's efforts, that is, an open-source RDP client (included in Kali by default). After the study was published, they built PtH support right into the client. To connect, the console line is:

xfreerdp /d:domain_name /u:Administrator /pth:8846F7EAEE8FB117AD06BDD830B7586C /v:192.168.0.1

where after /d: is the domain name,
after /u: the username,
after /pth: the hash,
after /v: the server IP.

For sale is a fully automatic multi-threaded RDP server configuration checker. The checker is written in C++ and is based on the pure RDP protocol without using any third-party libraries. Proper organization of multi-threading allows you to get the most out of the hardware and minimize the time required to scan large lists.

The checker has the following advantages:

  • Works in several threads, not processes. This is possible because a pure socket implementation of the protocol is used; no specialized Microsoft libraries are involved.
  • The server verification process is fully automated. No manual manipulation is required: run the checker once and forget about it, and it will do the rest itself.
  • Works with all versions of the Windows family of operating systems, from XP to Windows 10. Server operating systems are also supported. Various machines took part in testing, including Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2012.
  • During operation the clipboard remains untouched. A file-synchronization scheme is used, which makes the checker's activity on the machine invisible. You can calmly go about your business and forget that it is doing its job.
  • Only a special temporary directory is shared, not the entire disk. This lets you run the checker without fearing that someone on the server side will be able to obtain or change files on the machine running the checker.

The checker can:

  • Launch arbitrary exe files (in any quantity) on a remote machine.
  • Retrieve system information about the computer: OS name and version, OS bitness, whether the account has administrative rights, processor model and number of cores, RAM size.
  • Determine the incoming and outgoing speed of the Internet connection (the nearest test server is determined automatically).
  • Determine the real external IP address and, from it, the country, region, city, ZIP, provider, ISP, mail server and time zone.
  • Check the real external IP address for presence in blacklists, and determine the proxy score of this address.
  • Determine the default browser.

Checker features:

  • Ability to pause the checker and continue from where it stopped.
  • Ability to hot-change the number of threads during a pause. There is no need to restart the check just to change the number of threads. Other settings can be changed in exactly the same way: pause, make the changes, then continue.
  • Full control over all timeouts.
  • Ability to specify the number of attempts, with automatically increasing timeouts, after an unsuccessful connection attempt. This allows connecting to even the most problematic RDP servers.

System requirements:

  • Microsoft Visual C++ 2012 Redistributable must be installed on the system.
  • The number of possible threads depends entirely on the RAM and processor capabilities. On average one thread requires 3 megabytes of memory.

Checker cost: 0.7 BTC (unlinked) [~$400]
jid contact:

As with past client versions of Microsoft operating systems, users of the Pro and Enterprise editions of Windows 10 (but not Home) can remotely connect to their computers via Remote Desktop Services (RDP). However, there is a limit on the number of simultaneous RDP sessions: only one remote user can work at a time. A user opening a second RDP session is prompted to end the first user's session.

In the English version the warning is:

Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?

The fact is that in desktop editions of Microsoft operating systems there are the following main restrictions on the use of the remote desktop service:

  1. Support for RDP access is available only in the higher editions of Windows (Professional and above); in the Home editions this functionality is disabled.
  2. Only one remote RDP connection is possible. When a second RDP session is opened, the user is prompted to terminate the existing connection.
  3. If a user is working at the computer console (locally) when a remote RDP connection is made, the local session is disconnected (locked). The reverse is also true: the remote RDP session is forcibly terminated when a user logs in at the system console.

In fact, the limit on the number of simultaneous RDP connections is not technical but a licensing one, prohibiting a workstation edition from being turned into a multi-user terminal RDP server. From a technical point of view, any edition of Windows with enough memory can support several dozen remote users working at once (on average, one user session requires 150-200 MB of memory, excluding running applications). In other words, the maximum number of simultaneous sessions is in theory limited only by computer resources.

We will look at two ways to disable the limit on the number of simultaneous RDP connections in Windows 10:

Important. In the very first version of this article, the main working option for removing the limit on simultaneous RDP user connections was to modify and replace the termsrv.dll file in the %SystemRoot%\System32 folder. However, this file is updated when a new build of Windows 10 or certain security updates are installed, so you have to re-edit it in a hex editor every time, which is quite tedious. Therefore, the primary method considered here for organizing a free terminal server on client Windows 10 is the RDP Wrapper Library utility.

Note. The system modifications described in this article will likely be considered a violation of the Windows License Agreement, with all the ensuing consequences.

RDP Wrapper Library

An alternative to modifying the termsrv.dll file is the RDP Wrapper Library project. This program works as a layer between the Service Control Manager (SCM) and the Terminal Services service, and allows you not only to enable multiple simultaneous RDP sessions but also to activate RDP host support on Home editions of Windows 10. RDP Wrapper makes no changes to the termsrv.dll file; it simply loads termsrv with changed parameters.

Thus, this solution will work even if you update the version of the termsrv.dll file, so you don't have to worry about Windows updates.

Important. Before installing RDP Wrapper: it is important that you use the original (unpatched) version of the termsrv.dll file. Otherwise, RDP Wrapper may not work stably or may not start at all.

You can download RDP Wrapper from the GitHub repository: https://github.com/binarymaster/rdpwrap/releases (the latest available version of RDP Wrapper Library v1.6.2 was released relatively recently - December 28, 2017). Judging by the information on the developer's page, all versions of Windows are supported. Windows 10 is supported up to Insider Preview build 10.0.17063.1000 dated December 13, 2017.

Advice. By the way, the RDP Wrapper Library sources are available, so you can build the executables yourself if you wish.

The RDPWrap-v1.6.2.zip archive contains several files:

  • RDPWinst.exe - installation/removal program for RDP Wrapper Library
  • RDPConf.exe - RDP Wrapper configuration utility
  • RDPCheck.exe - Local RDP Checker - RDP check utility
  • install.bat, uninstall.bat, update.bat - batch files for installing, uninstalling and updating RDP Wrapper

To install the utility, run the install.bat file with administrator rights.

After installation is complete, run RDPConf.exe and make sure that all items in the Diagnostics section are shown in green.

Note. In my case the computer had no Internet access, so the program could not fetch from GitHub the current version of the INI file with settings for my version of Windows, and the status field showed . Download the rdpwrap.ini file from the developer's repository and place it in the installation directory, then restart the service and make sure the label changes to .

Among the interesting features of the new version of RDP Wrapper:

  • The Hide users on logon screen option allows.
  • When the Single session per user option is disabled, several simultaneous RDP sessions under one account are allowed (the registry value fSingleSessionPerUser = 0 is set at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser).

If, after updating the Windows version, RDP Wrapper does not work, check that the Diagnostics section contains the inscription.

Try updating the ini file with the update.bat script, or manually, and reinstall the service:

rdpwinst.exe -u
rdpwinst.exe -i

We try to open a second RDP session. It works! Now our Windows 10 allows two remote users to connect via RDP at the same time.

The utility should work on all currently supported editions of Windows: Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10. Thus, you can make a terminal server out of any client version of Windows.

Modification of the termsrv.dll file

Note. This method is applicable only to RTM version of Windows 10 x64 (10240).

You can remove the limit on the number of RDP connections by modifying the termsrv.dll file (the library used by the Remote Desktop Services service). The file is located in the C:\Windows\System32 directory.

Before modifying the termsrv.dll file, it is advisable to create a backup copy of it (if necessary, you can return to the original version of the file):

copy c:\Windows\System32\termsrv.dll termsrv.dll_backup

Before editing the termsrv.dll file, you need to become its owner and grant the administrators group full rights to it (all operations are performed similarly to those described in the article). Then stop the Remote Desktop service (TermService) from the services.msc console or from the command line:

Net stop TermService

For the Windows 10 x64 RTM edition (termsrv.dll file version 10.0.10240.16384): open the termsrv.dll file in any hex editor (for example, Tiny Hexer).

Find the byte sequence:

39 81 3C 06 00 00 0F 84 73 42 02 00

and replace it with:

B8 00 01 00 00 89 81 38 06 00 00 90

Save the file and start the TermService.
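The patch above is a same-length, in-place overwrite, so the file size does not change and only the contents betray it. As an added defender's check, not part of the original article, the following Python script classifies a termsrv.dll image by the two byte sequences quoted above (which apply only to build 10.0.10240.16384), reports the offset where they occur, and records a SHA-256 so the file can be compared with a known-good baseline when the build is a different one. The sample images in the block are constructed filler with the sequences embedded, not real DLL contents; a real path and baseline hash are supplied by the caller.

```python
import hashlib
from typing import Dict, Optional

# Byte sequences quoted in the article for termsrv.dll 10.0.10240.16384 (Windows 10 x64 RTM)
ORIGINAL_SEQ = bytes.fromhex("39813C0600000F8473420200")
PATCHED_SEQ = bytes.fromhex("B80001000089813806000090")

# Constructed stand-ins for a DLL image: 1024 filler bytes around the sequence
FILLER = bytes(range(256)) * 4
SAMPLE_ORIGINAL = FILLER + ORIGINAL_SEQ + FILLER
SAMPLE_PATCHED = FILLER + PATCHED_SEQ + FILLER


def classify_termsrv(data: bytes) -> Dict[str, object]:
    """Classify an image as original, patched, ambiguous (both sequences present)
    or unknown (neither present: a different build, so use a hash baseline instead)."""
    orig_at = data.find(ORIGINAL_SEQ)
    patched_at = data.find(PATCHED_SEQ)
    if orig_at >= 0 and patched_at < 0:
        state = "original"
    elif patched_at >= 0 and orig_at < 0:
        state = "patched"
    elif orig_at >= 0 and patched_at >= 0:
        state = "ambiguous"
    else:
        state = "unknown"
    return {
        "state": state,
        "original_offset": orig_at if orig_at >= 0 else None,
        "patched_offset": patched_at if patched_at >= 0 else None,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_file(path: str, known_good_sha256: Optional[str] = None) -> Dict[str, object]:
    """Read a DLL from disk and classify it; optionally compare against a trusted hash."""
    with open(path, "rb") as fh:
        data = fh.read()
    result = classify_termsrv(data)
    result["matches_baseline"] = (
        known_good_sha256 is not None and result["sha256"] == known_good_sha256.lower()
    )
    return result


if __name__ == "__main__":
    for name, image in (("original", SAMPLE_ORIGINAL), ("patched", SAMPLE_PATCHED)):
        print(name, classify_termsrv(image))
    # Real use (Windows): check_file(r"C:\Windows\System32\termsrv.dll", "<known-good sha256>")
```

Because the original and patched sequences have the same length, the two sample images also have the same size, which is why the check keys on content and hash rather than size. On a live system the hash comparison is the more robust signal, since the byte patterns are specific to one build; Windows' own Get-AuthenticodeSignature in PowerShell can serve the same purpose, as a patched file no longer carries a valid Microsoft signature.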