Penetration Testing mailing list archives
RE: Terminal Services
From: Ola <lawal () shaw ca>
Date: Sun, 13 Mar 2005 09:08:40 -0700
Gentlemen, You can use a tool called TSGrinder to brute force a terminal server using a dictionary password for the administrator account. I have been playing around with this tool this weekend and it really rocks. You will find detailed information from the hammerofgod site: http://www.hammerofgod.com/download.htm TSGringer is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection. Note that the tool requires the Microsoft Simulated Terminal Server Client tool, "roboclient," which may be found here: ftp://ftp.microsoft.com/ResKit/win2000/roboclient.zip Hope this helps. Kind regards Ola -----Original Message----- From: John the Kiwi [mailto:kiwi () kiwicomputing com] Sent: March 11, 2005 3:30 PM To: AEHeald Cc: pen-test () securityfocus com Subject: Re: Terminal Services I don't use any tools for RDP testing. I have thought about writing a perl script to try and brute force with rdesktop, but thinking about it is all I have done. I consider the RDP Protocol to be pretty reliable and secure, there are some things you can do to obfuscate it. I normally change the default RDP Port that the server listens on. There's a registry entry you can change the port 3389 to something else, I don't have a link handy but you can probably do a search for 3389 in the registry. This has the added benefit of allowing you to publish as many workstations (XP Professional anyway) behind your NAT as your router will let you forward ports for. It's not bullet proof, but it defeats random scans. I've also heard you can use ZeBeDee - http://www.winton.org.uk/zebedee/ to add an extra layer of encryption on a different port. I've never had a customer request it and it adds a lot of complexity for the user but the example usage I saw made setting it up look pretty straight forward. John the Kiwi On Thu, 2005-03-10 at 17:13 -0500, AEHeald wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings, group! I am de-lurking to inquire if anyone has some pointers on Microsoft Terminal Services. I'm testing a client who allows 3389 into their terminal server for the Remote Desktop Client. Other than the Bad Thing of allowing inbound traffic onto their LAN, I'm trying to hunt down ways to enter all the way in. I have seen TSCrack referenced, but the program is nowhere to be found. Any suggestions gratefully received. Eigen -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBQjDGeQGhZ4M3hyK+EQIh2QCg8y1LWs/oc4B303gBM5CLAD0BG4QAoJ+A QyWBGr7piv9nmNmHjFIUuRVi =xKXQ -----END PGP SIGNATURE-----
Current thread:
- PHP Directory Transversal Andres Molinetti (Mar 10)
- Re: PHP Directory Transversal Felikz (Mar 10)
- Re: PHP Directory Transversal Andres Molinetti (Mar 10)
- Re: PHP Directory Transversal David M. Zendzian (Mar 10)
- Re: PHP Directory Transversal Cedric Foll (Mar 10)
- RE: PHP Directory Transversal Ravish (Mar 10)
- Terminal Services AEHeald (Mar 11)
- Re: Terminal Services Kinnell (Mar 11)
- RE: Terminal Services Jerry Shenk (Mar 11)
- Re: Terminal Services John the Kiwi (Mar 11)
- RE: Terminal Services Ola (Mar 14)
- RE: Terminal Services Mark Woan (Mar 16)
- Terminal Services AEHeald (Mar 11)
- Re: PHP Directory Transversal Felikz (Mar 10)
- Re: PHP Directory Transversal John GALLET (Mar 14)