Pwning the Box Over Remote Desktop Protocol

Many years ago, a group of hackers sat at their computers late at night. It was their routine every night. They listened to music, ate snacks, and slammed energy drinks while scanning IP ranges for addresses running open remote desktop ports on port 3389.

This was the ritual. But it was tedious and not very stimulating unless one of them hit a jackpot because the process was normally quite time-consuming. For this reason, they liked to delegate the task to new initiates who were eager to prove their worth. Everyone had an objective, and this was how the proverbial organism thrived.

Whoever managed to discover and crack into an RDP would surely receive the bragging rights, especially if the target was an interesting machine. Even if it wasn’t, each machine could serve as a host to any number of services they wished to secretly run on the victim’s computer.

Don’t worry. The purpose of the silent hijackings was to secure the integrity of those systems, in order to maintain them for their own purposes, without denying access to the user. I know how that sounds. Trust me, in some ways having a hacker fix your security issues is a lot better than just leaving them for others to find. Oh gosh, that sounds so awful. Moving on…

In the process of building up a defense around these systems to keep other hackers out, and to ensure the user didn’t become aware of their activities, they had to either purge or modify event logs in case there was a system audit.

Everyone had a different purpose for assuming silent control of the machines they found. One hacker liked to upload access to the systems he controlled to SETI@Home, to add computing power to the search for extraterrestrial life. But more practical was to create a hidden partition, install an FTP server and use some of the disk space for file storage.

Running an SSH server on the machines was equally necessary so they could remotely connect to it and run shell commands to aid in certain projects they were working on. You know, to throw commands at it and run scans against additional targets. They might also find a fast PC with a worthy internet connection and use it as an Internet Relay Chat (IRC) server for chatting among their members.

These were my people. And I was among them, searching for remote desktops. I was going to find them. It was just a matter of when.

A Peek Into the Sacred Space of Internet Users

Inside almost every hacktivist is a secret black hat. This is a secret you're not supposed to be privy to. The world is our playground, and every system we can possibly enter serves as a proving ground by which to test and validate our skills. It’s a double-edged sword. To fight the noble cause, we learn our worth from the computers we manage to penetrate, indiscriminately.

That doesn’t mean our intention is harmful or to observe what users are doing (from a certain point of view, of course). But I really can only speak for myself concerning those old experiences of mine from long ago. Mind you, I was certainly no paragon of virtue.

My intentions were oftentimes volatile depending on the circumstances. If we were at war with other hackers or needed firepower to take down a target host, then an RDP was useful for installing and launching Distributed Denial of Service (DDoS) attacks using botnets.

For better or for worse, it means the world is our playground, and users unintentionally give us the ability to gain experience, get better at our craft, and help launch us as we join others to fight the good fight.

Some will call this a cop-out. But this is just the way things are.

Nevertheless, I can’t speak for everyone. Only about those whom I knew. But as for me, I was hunting for the secret lives of those living double lives. The secret lies.

It's Usually Something Like This

The reason why RDPs were so insecure was that Microsoft had developed an operating system that was extremely vulnerable right out of the box, specifically Windows XP. Every Windows XP user’s personal computer contained a built-in Administrator account that was enabled and required no password to authenticate.

Therefore, hackers could find and collect RDPs knowing that there was certainly going to be a discoverable administrative account, which might well accept authentication with no password at all.

While this operating system has been discontinued for some time now, the method for intruding over the RDP protocol is not much different from what it was over a decade ago. Hackers just have more resources for finding ways to break in.

Believe it or not, Windows XP systems still exist out there, and hackers ache to find them because it means easy access. They often will locate these systems using Shodan, a powerful search engine that allows users to search for internet-connected devices, providing robust information about each host.

Aside from host discovery, which can be performed in a variety of ways, the fact of the matter is that users still choose completely awful passwords, ones that are often found in the dictionary lists of brute-force cracking tools. Additionally, hackers trade massive lists of commonly used passwords extracted from data dumps to help expedite the cracking process.
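As an added illustration (not part of the original article), here is the defender's side of the password guessing described above: a small Python detector that reads constructed Windows-style logon records and flags any source address that fails many RDP logons in a short window, noting whether a successful logon followed the burst. The log layout, event IDs, threshold and IP addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real Windows export) in a simplified
# "timestamp|event_id|logon_type|user|source_ip" layout mirroring Security
# events 4625 (failed logon) and 4624 (successful logon); logon type 10 is RDP.
SAMPLE_LOG = """\
2024-05-01T02:00:01|4625|10|Administrator|198.51.100.7
2024-05-01T02:00:02|4625|10|Administrator|198.51.100.7
2024-05-01T02:00:03|4625|10|admin|198.51.100.7
2024-05-01T02:00:04|4625|10|Administrator|198.51.100.7
2024-05-01T02:00:05|4625|10|Administrator|198.51.100.7
2024-05-01T02:00:06|4624|10|Administrator|198.51.100.7
2024-05-01T02:10:00|4625|10|alice|203.0.113.5
2024-05-01T02:30:00|4625|2|bob|-
"""

FAILED_LOGON, SUCCESSFUL_LOGON, RDP_LOGON_TYPE = "4625", "4624", "10"  # type 10 = RemoteInteractive (RDP)


def parse_line(line):
    """Split one sample line into a dict, turning the timestamp into a datetime."""
    ts, event_id, logon_type, user, ip = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event": event_id,
            "logon_type": logon_type, "user": user, "ip": ip}


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for every IP with >= threshold failed RDP logons
    inside a sliding time window, noting whether a successful logon followed."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Keep only RDP events (type 10) that carry a usable source address.
    events = [e for e in events if e["logon_type"] == RDP_LOGON_TYPE and e["ip"] != "-"]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event"] == FAILED_LOGON]
        for i in range(len(failures)):
            j = i  # advance j while failures[i..j) fall within the window
            while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:  # burst found: report it and stop scanning this IP
                alerts[ip] = {
                    "failures": j - i,
                    "users": sorted({e["user"] for e in failures[i:j]}),
                    # A success after the burst began suggests a password was guessed.
                    "success_after": any(e["event"] == SUCCESSFUL_LOGON and e["ts"] >= failures[i]["ts"] for e in evs),
                }
                break
    return alerts
```

The returned summary is what an analyst would want to act on: the source address to block at the firewall, the accounts that were tried, and whether any attempt got in.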

Fixes for the Common and the Corporate User

Employing single sign-on (SSO) can help users manage logins associated with different desktop applications. This also provides enforcement options for stronger password management, as well as the implementation of two-factor authentication (2FA).

Adjusting firewall rules to disallow unsolicited outside connections except from trusted IP addresses and devices is just as vital. It’s not a cure, but it could deter a less-than-ambitious hacker from breaking in.

Also, secure tunneling apps can prevent an attacker from sending requests directly to port 3389. This means the only authorized requests to port 3389 would have to come through the tunnel in order to establish a connection.

If we don’t guess our way, we crack our way in. And if those two things don’t work…

Exploitation. Fleshing out the various exploitation methods available to intruders could fill another article. The important thing to take away is that, because exploitation vectors can lead to an intrusion, it is vital to maintain your device’s health by regularly keeping software updated with the latest bug fixes and patches.

That’s what they are there for. This, in turn, will help users close the doors that hackers search for so persistently.

One could argue that it takes two to cause an intrusion. In most cases, it is negligence on the part of the user and an inquisitive threat actor.

An article by

Jesse McGraw

Edited by

Anne Caminer
