Bypassing Security Defenses: DEF CON

In an attacker’s ideal world, he or she would infect a desktop, steal the user’s RDP password, move smoothly across the network to the RDP server and gain access immediately.

In real life, however, things can get a little more complicated.

Zoltan Balazs, chief technology officer at MRG Effitas, recalled a penetration test his team performed once while he was working at a previous company. The client had a secure, hardened environment – restrictive firewalls, two-factor authentication to access Remote Desktop servers, application whitelisting on the server, and so on. 

“The hacking of this environment was out of scope of the project, but we were talking about whether it is possible or not,” he told SecurityWeek. 

He thought it was, but had not had the opportunity to prove it. At the recent DEF CON conference in Las Vegas, Balazs walked through how to do just that, and get past the hardware firewall, two-factor authentication and application whitelisting protections implemented in that type of secure environment. The key is to break the challenge into small chunks and deal with them one bite at a time.

Step one, he said, is to infect a client workstation. The next step is to infect the RDP server by simulating keyboard events from that compromised workstation while it has a session open to the server.

“This infection can be done when a user from an infected workstation successfully logs into the RDP server,” he said in an email after the conference.

The attacker’s next challenge is to get past the whitelisting technology on the RDP server – in his scenario, AppLocker. According to Balazs, that problem can be solved with an old trick using LoadLibrary calls from Microsoft Office Visual Basic.

“The basic idea is that AppLocker allows the running of Microsoft Office, and from Microsoft Office, one can run Visual Basic macro code,” he noted. “And this macro code can load DLL files directly, which are not restricted by AppLocker by default.”
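The weakness Balazs describes is visible in the policy itself: AppLocker ships with the Exe, Msi and Script collections available, while the Dll collection has to be turned on explicitly. The following Python is an added example, not code from the talk, that inspects an exported AppLocker policy (the XML is constructed here to mirror the shape produced by Get-AppLockerPolicy -Effective -Xml; the path rule and its Id are placeholders) and reports collections that are missing or only auditing.

```python
"""
Check an exported AppLocker policy for the gap abused by the Office macro
LoadLibrary trick: EXE rules enforced while DLL rules are not.
Added example; the policy XML below is constructed, not taken from a real host.
"""
import xml.etree.ElementTree as ET

# Constructed sample: Exe and Script enforced, Msi audit-only, Dll absent
# (AppLocker's default), so a DLL loaded by an allowed process is never checked.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="All files in Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled" />
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly" />
</AppLockerPolicy>
"""

# The five rule collections AppLocker knows about.
COLLECTIONS = ("Exe", "Dll", "Msi", "Script", "Appx")


def collection_modes(policy_xml: str) -> dict:
    """Map each rule collection type to its EnforcementMode.

    A collection that does not appear in the policy is reported as
    'NotConfigured'; AppLocker then allows every file of that type.
    """
    root = ET.fromstring(policy_xml)
    modes = {c: "NotConfigured" for c in COLLECTIONS}
    for rc in root.findall("RuleCollection"):
        modes[rc.get("Type")] = rc.get("EnforcementMode", "NotConfigured")
    return modes


def dll_gap(policy_xml: str) -> list:
    """Return findings describing ways code can run despite the policy."""
    modes = collection_modes(policy_xml)
    findings = []
    if modes["Exe"] == "Enabled" and modes["Dll"] != "Enabled":
        findings.append(
            f"Exe rules enforced but Dll rules are {modes['Dll']}: "
            "a DLL loaded via LoadLibrary from an allowed process is not checked"
        )
    for collection, mode in modes.items():
        if mode == "AuditOnly":
            findings.append(
                f"{collection} collection is audit-only: violations are logged, not blocked"
            )
    return findings


if __name__ == "__main__":
    for finding in dll_gap(SAMPLE_POLICY):
        print("FINDING:", finding)
```

On a real server the input would come from Get-AppLockerPolicy -Effective -Xml. Enabling the Dll collection closes the specific hole, but it adds a check to every DLL load, so it is normally rolled out in audit mode first and backed by a rule set built from a known-good image.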

To permanently bypass the firewall, Balazs developed a kernel driver that listens on the same TCP port as the legitimate RDP service. When an incoming connection's TCP source port matches a preconfigured value, the driver redirects it to another TCP port on the server; every other connection reaches the real RDP service as before, so the firewall and the users see nothing unusual.

“On this TCP port on the server, the attacker can set up any backdoor server…and the communication can be established through the legitimate, trusted TCP port,” he said.
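A firewall that only matches on ports cannot tell the redirected backdoor session from a real RDP login, because both arrive on TCP/3389. What can distinguish them is the first client payload: every RDP session, whether or not it later upgrades to TLS, opens with a TPKT-framed X.224 Connection Request. The following Python is an added example, not code from the talk, that compares a port-only decision with a protocol-aware one over constructed flows; 31337 stands in for the driver's trigger source port and is an assumption.

```python
"""
Port-only versus protocol-aware filtering of traffic to the RDP port.
Added example; the flows are constructed and 31337 is an assumed trigger port.
"""

RDP_PORT = 3389


def looks_like_rdp_connection_request(payload: bytes) -> bool:
    """True if the first client bytes form a TPKT-framed X.224 Connection
    Request, the message every RDP session begins with (before any TLS)."""
    if len(payload) < 11:                          # TPKT (4) + minimal X.224 CR (7)
        return False
    if payload[0] != 0x03 or payload[1] != 0x00:   # TPKT version 3, reserved 0
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    li = payload[4]                                # X.224 length indicator
    if tpkt_len != 5 + li or tpkt_len > len(payload):
        return False
    return (payload[5] & 0xF0) == 0xE0             # Connection Request TPDU code


def port_only_allows(flow: dict) -> bool:
    """What a port-based rule sees: destination port only."""
    return flow["dst_port"] == RDP_PORT


def protocol_aware_allows(flow: dict) -> bool:
    """Port plus a check that the payload actually speaks RDP."""
    return port_only_allows(flow) and looks_like_rdp_connection_request(flow["client_bytes"])


def audit(flows: list) -> list:
    """Flows a port-only policy passes but a protocol-aware policy rejects."""
    return [f for f in flows if port_only_allows(f) and not protocol_aware_allows(f)]


# Constructed sample payloads.
MINIMAL_CR = (
    b"\x03\x00\x00\x13"                      # TPKT: version 3, reserved, length 19
    b"\x0e\xe0\x00\x00\x00\x00\x00"          # X.224 CR: LI=14, code 0xE0, refs, class 0
    b"\x01\x00\x08\x00\x03\x00\x00\x00"      # RDP_NEG_REQ: type 1, len 8, TLS|CredSSP
)
COOKIE_CR = (
    b"\x03\x00\x00\x2b\x26\xe0\x00\x00\x00\x00\x00"   # TPKT length 43, LI=38
    + b"Cookie: mstshash=alice\r\n"                   # routing cookie sent by mstsc
    + b"\x01\x00\x08\x00\x03\x00\x00\x00"
)

FLOWS = [
    {"src_port": 50212, "dst_port": 3389, "client_bytes": MINIMAL_CR},
    {"src_port": 50213, "dst_port": 3389, "client_bytes": COOKIE_CR},
    # Attacker hits the trigger source port; the driver hands this to a bind shell.
    {"src_port": 31337, "dst_port": 3389, "client_bytes": b"whoami\r\n"},
    {"src_port": 50214, "dst_port": 3389, "client_bytes": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"},
]

if __name__ == "__main__":
    for f in audit(FLOWS):
        print(f"src {f['src_port']} -> {f['dst_port']}: not RDP, first bytes {f['client_bytes'][:16]!r}")
```

This is the check behind “enforce RDP traffic on the RDP port”: it catches a plain bind shell on the redirected port, though an attacker who wraps the backdoor in a fake X.224 exchange would need deeper inspection to spot, which is why the driver-load monitoring and privilege-escalation fixes mentioned later matter as well.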

Administrator-level privileges are needed in order to install the kernel driver, he explained, noting that in his scenario the user connecting to the server only had user-level privileges.

“Because two-factor authentication is used to access the RDP server, knowing the user’s password is not enough,” he said.  

That challenge can be addressed with a local privilege escalation vulnerability on the RDP server.

Once the firewall has been bypassed, the attacker can drop and start a bind shell on the redirected port and reach it from outside through the trusted RDP port. The end result is a successful attack.

Companies that have this many layers of protection are not that common, but they do exist and are likely guarding some “very expensive secrets,” Balazs said.

There are multiple actions an organization could take to thwart this kind of attack, starting with next generation firewall technology that inspects traffic on the RDP port and enforces that it is actually RDP, he said. Another is monitoring the loading of new, unknown kernel drivers. In addition, organizations should find and eliminate any local privilege escalation issues on the RDP server.
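The second defense, watching for new kernel drivers, is practical because driver loads are logged: Sysmon records each one as a “Driver loaded” event (Event ID 6) with the image path, hashes and signature details, and the System log records new driver services as Event ID 7045. The following Python is an added example, not code from the talk, that triages constructed Sysmon-style records against a hash baseline; the hashes, the “Contoso Ltd” signer and the rdpfwd.sys name are placeholders.

```python
"""
Triage kernel driver loads from Sysmon "Driver loaded" (Event ID 6) records.
Added example; the records are constructed in the key: value layout of the
Sysmon event message, and the hashes, signer and driver names are placeholders.
"""
import re

SAMPLE_EVENTS = """\
Driver loaded:
RuleName: -
UtcTime: 2023-01-30 10:12:01.123
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Hashes: SHA256=1111AAAA1111AAAA
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2023-01-30 10:40:57.004
ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\rdpfwd.sys
Hashes: SHA256=2222BBBB2222BBBB
Signed: true
Signature: Contoso Ltd
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2023-01-30 11:02:13.550
ImageLoaded: C:\\Windows\\System32\\drivers\\netfilt.sys
Hashes: SHA256=3333CCCC3333CCCC
Signed: false
Signature: -
SignatureStatus: Unavailable
"""

# Baseline built from a known-good image (constructed here).
KNOWN_HASHES = {"1111AAAA1111AAAA"}
TRUSTED_SIGNERS = {"Microsoft Windows"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_sysmon_blocks(text: str) -> list:
    """Split the message text into events and each event into key/value fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")   # first ': ' only; UtcTime has colons
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def triage_driver_loads(text: str, known_hashes: set, trusted_signers: set) -> dict:
    """Return {image_path: [reasons]} for every driver load worth a look."""
    flagged = {}
    for ev in parse_sysmon_blocks(text):
        image = ev.get("ImageLoaded", "")
        reasons = []
        if ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned")
        elif ev.get("Signature", "-") not in trusted_signers:
            reasons.append(f"signer '{ev['Signature']}' not in trusted signers")
        status = ev.get("SignatureStatus", "Unavailable")
        if status != "Valid":
            reasons.append(f"signature status {status}")
        m = re.search(r"SHA256=([0-9A-Fa-f]+)", ev.get("Hashes", ""))
        if not m or m.group(1).upper() not in {h.upper() for h in known_hashes}:
            reasons.append("hash not in baseline")
        if not image.lower().startswith(DRIVER_DIR):
            reasons.append("loaded from outside the drivers directory")
        if reasons:
            flagged[image] = reasons
    return flagged


if __name__ == "__main__":
    for image, reasons in triage_driver_loads(SAMPLE_EVENTS, KNOWN_HASHES, TRUSTED_SIGNERS).items():
        print(image, "->", "; ".join(reasons))
```

The hash baseline is the check that matters most: a driver signed with a stolen or third-party certificate still passes the signature checks, and on a server with a fixed role any driver whose hash was not on the golden image deserves a ticket.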

“Defense in depth and raising the costs for the attackers is important,” he said. “Yet, one should not believe that something is impossible to hack.”
