Compromising a Azure Windows 2008 R2 SP1 VM

TL;DR (Too long Didn’t Read)
If you stand up a windows 2008 R1 VM in Azure with a random user name and password, Its very easy to know that user name and depending on the complexity of the chosen password, It may be feasible to brute-force the VM using RDP.

Below is the process we will follow :

1) As a victim, set up the Azure VM and RDP to it
2) As an attacker, determine the user name for the Azure VM.
3) As an attacker, determine the password for the Azure VM.
4) Simple steps to defend against the attack.

As a victim, set up the Azure VM and RDP to it

Log in to the Azure portal and create the VM

Choose Windows 2008 R2 SP1

image

image

Machine Name : Test-Machine-1
Username : SomeRandomName
Password: Choose a password.
Resource Group : Select an existing or just create a new one.

image

Be cheap and select the lowest cost disk from the list.

image

Select the RDP from the public inbound port

image

Finally click on the “Create” button to create the VM

image

Once the VM is created and running (you will see a notification in the portal), you should see the VM in the list with “Running” status.

image

Click on the “Test-Machine-1” VM entry in the above list and then click on the “Connect” button.

image

Click on the “Download RDP File” to download the RDP file for the VM.

image

Open the RDP file for the VM and enter the credential you used while setting up the VM.

image

and now we are in the VM

image

As an attacker, determine the user name for the Azure VM

There is a easier way to determine the user name rather than brute-forcing the VM.
If the victim is logged in to the VM, the attacker can use something like rdpy-rdpscreenshot.py which is one of the fantastic binaries in rdppy by Sylvain Peyrefitte (@citronneur) which allows to take the screenshot of the login screen.

See in the below screenshot. It connected to the IP address 40.76.88.172 and saved the screenshot to c:\temp\test_40.76.88.172.jpg.
python rdpy-rdpscreenshot.py -o c:\temp\test_ 40.76.88.172:3389

image

Here is the file with screenshot of the login screens showing the user name for the machine.

image

This was possible because Windows 2008 R2 supports Network Level Authentication – which completes the user authentication before you establish a RDP connection and the logon screen appears.

As an attacker, determine the password for the Azure VM

You can use a RDP brute-forcing utility such as Hydra [https://github.com/maaaaz/thc-hydra-windows] to determine the password for the user from a password list.

hydra -C “C:\temp\login-password-list.txt” 40.76.88.172 rdp

image

 

Simple steps to defend against the attack

When you set up the VM and setting up the RDP for it, It warns you about RDP will be exposed to the internet.
So, you should limit access to the RDP from your/your organization’s public IP address/CIDR only through the network security group changes for RDP.

VM Settings > Networking> RDP > Source IP addresses/CIDR ranges

image

image

Now with the source IP restriction, rdpy-rdpscreenshot.py from a different IP wont be able to reach the VM to take the screenshot of the login screen.

image

Advertisements

, ,

  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

Random Thoughts

The World as I see it

Simple Programmer

Making The Complex Simple

Ionic Solutions

Random thoughts on software construction, design patterns and optimization.

Long (Way) Off

A tragic's view from the cricket hinterlands

%d bloggers like this: