Remote Access Sheet
Remote Desktop Protocol (RDP)
RDP is Microsoft's built-in remote desktop solution that ships with all versions of Windows. The service is not listening by default, but it is commonplace to enable it in corporate environments.
Port: 3389/TCP
Tools: Microsoft Remote Desktop Client (Windows/Mac), rdesktop, xfreerdp
Examples:
Virtual Network Computing (VNC)
VNC was created as a vendor agnostic graphical desktop solution and is widely deployed in *nix environments. Historically it was commonly deployed without authentication. Modern servers strongly urge administrators to configure a password.
Port: 5900/TCP
Tools: The plethora of open-source VNC applications, RealVNC, TightVNC, Screen Sharing (Mac)
Examples:
Apple Remote Desktop (ARD)
ARD is Apple's graphical remote desktop solution. The service is not listening by default, and in our experience it is not widely deployed.
Port: 3283/UDP (v1), 5900/TCP (v2)
Tools: Screen Sharing, VNC applications
Examples:
Xorg
The Xorg Foundation create and maintain's the widely deployed X11 windowing system used in most *nix environments. Most administrators are aware that the client-server model allows forwarding of X-sessions over SSH tunnels; however, when configured to allow TCP sessions, the X-session can be attached to remotely. The default X11 configuration was changed to disallow TCP sessions several years ago, but we still see it from time to time. If you see TCP 6000+N open, you can likely execute code on that machine or remotely log keystrokes.
Port: 6000+N/TCP, (or 22/TCP via SSH)
Tools: xspy, xwatchwin, xwd, xvkbd, ssh, MSF, xrdp.py
Example screenshot:
Example keyboard injection:
Example remote keylog:
System Center Configuration Manager (SCCM) Remote Control
SCCM is often used in enterprise networks to handle patch deployment for workstations and servers, as well as help facilitate installation of applications to groups of managed systems. When configured through the administration console, managed systems can be configured to start a remote control service (System Center Remote Control). While it provides similar functionality to RDP, it does not leverage Terminal Services, and in certain configurations can allow full control of a remote system without alerting logged-on users to the session hijack.
Port: 2701/TCP
Note: If you are not inclined to download a random executable from the Internet(duh), the SCCM Remote Control client can be found at C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\i386\ after installing SCCM. Be warned, setting up an SCCM lab is unfathomably complicated.
Telnet
Modern operating systems no longer leverage telnet, but we still see it on almost every pentest on embedded devices, or legacy systems. The old skool command line console access operates as a cleartext protocol and has largely been replaced by SSH.
Port: 23/TCP
Tools: Telnet, Netcat (nc), Ncat
Examples:
RLogin/Rsh
The Berkeley alternate to the Telnet standard was used on *nix systems for decades before being replaced by SSH. Rather than requiring user/password auth, administrators could specify source machines that were considered authenticated via a .rhosts file. Rlogin is an interactive shell, similar to telnet. Rsh can be used to execute a single command.
Port: 512-514/TCP
Tools: rlogin, rsh, remsh, rexec, rcp
Examples:
Secure Shell (SSH)
It's everywhere in the *nix world, and has a ton of features built in that us attackers can leverage for pivoting, tunneling X-sessions, file transfers, etc..
Port: 22/TCP
Tools: ssh, PuTTY
Examples:
Server Message Block (SMB)
SMB has been leveraged for file administration on Windows and *nix systems for decades. Another feature often abused by attackers is the use of administrative shares (C$, ADMIN$, IPC$) to push a service binary to a target machine, then start the service for semi-interactive I/O. SysInternalsSuite includes the PsExec binary which is largely credited for developing and leveraging this technique. Local administrative privileges are required to push the service binary to the ADMIN$ share, after which an RPC/SVCCTL call creates and starts the remote control service. IPC$ is leveraged to create named pipes for input and output which act as a semi-interactive shell.
Port: 445/TCP (SMB), 135/TCP (RPC), High-random port
Tools: PsExec,exe, psexec.py (impacket), winexe, MSF, smbexec
Examples:
Windows Remote Management (WinRM)
WinRM was Microsoft's implementation of the open WS-Management standard for SOAP-based remote management. Microsoft includes several standalone tools (winrm, winrs) and is also the underlying technology used for PowerShell Remoting. Under the surface, WinRM makes use of WMI queries, but can also leverages the IPMI driver for hardware management. It's a terribly powerful tool, albeit not a widely deployed yet due to its relative infancy.
Port: 5985/TCP (HTTP), 5986/TCP (HTTPS)
Tools: winrm, winrs, PowerShell Remoting
Example list services:
Example execute ipconfig (or any other code):
Example PSRemote cmdlet on remote system:
Example PSRemote interactive PS Session:
Windows Management Instrumentation (WMI)
WMI is Microsoft's consolidation of system management under a single umbrella. It is leveraged heavily under the hood for local operation, but can also be used for remote execution. Several built-in tools exist for either WQL query execution, or full code execution. Impacket includes wmiexec which also provides a semi-interactive shell.
Remote WMI queries used RPC/DCOM as the communication bus.
Port: 135/TCP (RPC), plus one high-random TCP (DCOM)
Tools: winrm, winrs, PowerShell Remoting
Example list services:
Example execute code (add user):
Example list services (via PS cmdlet):
Example list processes (via linux wmic util):
Example semi-interactive shell (impacket):
Scheduled Tasks
Tasks, that are, scheduled. In addition to running commands locally, the built-in schtasks utility leverages RPC/DCOM to schedule tasks on remote machines. On legacy Windows machines At.exe performed this functionality, but was deprecated for SchTasks in modern platforms. Application firewalls that block Schtasks may still allow At, a good reason to attempt both if necessary.
Port: 135/TCP (RPC), plus one high-random TCP (DCOM)
Tools: schtasks, at
Examples:
Microsoft Management Console (MMC2.0) Application Class
MMC requires local admin due to the nature of the application, and will be blocked by the default firewall rules. BUT, we've seen enough networks that disable host firewalls to make good use of this technique.
Port: 135/TCP (RPC), plus one high-random TCP (DCOM)
Tools: native .NET calls on Windows
Example code execution:
Example Invoke-Mimikatz (listener started on 192.168.112.132:8000):
ShellWindows Object
Successful auth over RPC is required; however, regardless of privilege the code will execute as a child of the explore.exe process with limited privileges. No scaping memory directly with this method.. :(
Port: 135/TCP (RPC), plus one high-random TCP (DCOM)
Tools: native .NET calls on Windows
When invoking .NET calls in this fashion, the existing auth token is used. Great for lateral movement from a compromised system, but not if you are remotely accessing a target machine with recovered credentials. The simplest method we have found is to create a new PS Session with runas.
Example auth:
Example code execution:
Example: call shutdown routine (user prompted for confirmation):
Example troll: launch IE with Sloths in Space (10 hours):
ShellBrowserWindow Object
Functionally the same as the previous method, the ShellBrowserWindow object can be leverage for remote code execution over DCOM
Port: 135/TCP (RPC), plus one high-random TCP (DCOM)
Tools: native .NET calls on Windows
When invoking .NET calls in this fashion, the existing auth token is used. Great for lateral movement from a compromised system, but not if you are remotely accessing a target machine with recovered credentials. The simplest method we have found is to create a new PS Session with runas.
Example auth:
Example code execution:
Last updated
Was this helpful?