I mentioned the other day that a local business owner whom I barter services with called me to take a look at his domain controller because he could no longer log in to the domain with any domain accounts.
It turns out that his server was hacked into by a mischievous hacker, and they did some minor destructive things to make this particular business owner’s life a little harder than it needed to be. Well, after getting his domain back using this domain administrator password reset technique, I started looking into other things this hacker did, and it seemed like the hacker probably got in using Remote Desktop (RDP) over the internet.
How is that possible, you ask? Well, for one, RDP on that particular server was open to the internet, but mainly it was because there was no strong password policy or account lockout policy to prevent any type of guessing attack. Because of that, it was actually pretty easy for them to get in.
TSGrinder is a command line tool that, put simply, automates password guessing over RDP connections. It is a dictionary-based attack tool and supports multiple attack windows fed from a single dictionary file (you specify this on the program command line).
A very interesting option in the program is the “leet” function. This function lets the program cope with a popular development in password-land: from the knowledgeable user up, people tend to “secure” their passwords by replacing letters with well-known symbols. For example, password becomes p@ssw0rd (replacing a’s with @’s and o’s with 0’s). This is a very well-thought-through option because, as we will see, trying these passwords does not require you to change your dictionary file.
What I did to fix things up for the business owner was close RDP access from the internet to his server and set up a VPN connection instead. That way the owner can still access his network remotely without worrying about some TSGrinder-happy script kiddie. I also set up a strong password policy with account lockouts. That is good because if someone tries a password guessing attack on an account, the account will lock out and the bad guy can’t get in. Finally, I renamed the administrator account and the guest account to something else and created fake accounts in their place with access denied.
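To show, from the log side, what the lockout policy above guards against, here is an added example (not from the original post, and not TSGrinder's code) that scans constructed Windows Security log lines for bursts of failed RDP logons (event 4625, logon type 10) from one source address and flags any address that then logs on successfully; the flat log line format is an assumption made for this example.

```python
# Added example (not from the original post): flag RDP password-guessing
# bursts in Windows Security log lines. Event 4625 = failed logon, 4624 =
# successful logon, logon type 10 = RemoteInteractive (RDP). Lines and
# their field layout are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) "
                     r"LogonType=(?P<lt>\d+) User=(?P<user>\S+) SourceIP=(?P<ip>\S+)$")

SAMPLE_LOG = """\
2023-05-01 02:14:01 EventID=4625 LogonType=10 User=administrator SourceIP=203.0.113.7
2023-05-01 02:14:02 EventID=4625 LogonType=10 User=administrator SourceIP=203.0.113.7
2023-05-01 02:14:02 EventID=4625 LogonType=10 User=guest SourceIP=203.0.113.7
2023-05-01 02:14:03 EventID=4625 LogonType=10 User=administrator SourceIP=203.0.113.7
2023-05-01 02:14:04 EventID=4625 LogonType=10 User=administrator SourceIP=203.0.113.7
2023-05-01 02:14:05 EventID=4624 LogonType=10 User=administrator SourceIP=203.0.113.7
2023-05-01 08:00:00 EventID=4625 LogonType=10 User=bob SourceIP=192.0.2.5
2023-05-01 08:30:00 EventID=4625 LogonType=2 User=alice SourceIP=-
"""

def parse(log_text):
    """Yield (timestamp, event_id, logon_type, user, source_ip) per valid line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, int(m["eid"]), int(m["lt"]), m["user"], m["ip"]

def detect_rdp_guessing(log_text, threshold=5, window=timedelta(minutes=30)):
    """hits: source IP -> total RDP failures, for IPs with >= threshold
    failures inside window (like a lockout policy, but keyed on the guessing
    address, so guesses spread over several accounts are still caught).
    got_in: those IPs that afterwards logged on over RDP successfully."""
    failures = defaultdict(list)
    got_in = set()
    for ts, eid, lt, _user, ip in parse(log_text):
        if lt != 10:          # only RDP (RemoteInteractive) logons matter here
            continue
        if eid == 4625:
            failures[ip].append(ts)
        elif eid == 4624 and len(failures[ip]) >= threshold:
            got_in.add(ip)    # burst of failures followed by a success
    hits = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = len(times)
                break
    return hits, got_in
```

Note that the guest-account failure counts toward the same burst, which is why keying on the source address catches spraying that a per-account lockout threshold alone would miss.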
Nothing is foolproof. If a really good hacker wants in, they are going to get in. Our job as administrators is to make getting in a little harder. By sacrificing security for ease of use, you really are leaving yourself open to attack.