Bypassing Security Defenses: DEF CON

In an attacker’s ideal world, he or she would infect a desktop, steal the user’s RDP password and move smoothly across the network to the RDP server and immediately gain access.

In real life, however, things can get a little more complicated.

Zoltan Balazs, chief technology officer at MRG Effitas, recalled a penetration test his team performed once while he was working at a previous company. The client had a secure, hardened environment – restrictive firewalls, two-factor authentication to access Remote Desktop servers, application whitelisting on the server, and so on. 

“The hacking of this environment was out of scope of the project, but we were talking about whether it is possible or not,” he told SecurityWeek. 

He thought it was, but had not had the opportunity to prove it. At the recent DEF CON conference in Las Vegas, Balazs walked through how to do just that, and get by the hardware firewall, authentication and whitelisting protections implemented in that type of secure environment. The key is to break the challenge into small chunks and deal with them one bite at a time. 

Step one, he said, is to infect a client workstation desktop. The next step is to infect the RDP server by simulating keyboard events.

“This infection can be done when a user from an infected workstation successfully logs into the RDP server,” he said in an email after the conference.

The attacker’s next challenge is to get past the whitelisting technology on the RDP server – in his scenario, AppLocker. According to Balazs, that problem can be solved with an old trick using LoadLibrary calls from Microsoft Office Visual Basic.

“The basic idea is that AppLocker allows the running of Microsoft Office, and from Microsoft Office, one can run Visual Basic macro code,” he noted. “And this macro code can load DLL files directly, which are not restricted by AppLocker by default.”

To permanently bypass the firewall, Balazs developed a kernel driver that listens on the same TCP port as the legitimate RDP service and redirects traffic to another TCP port on the server if the TCP source port is the preconfigured port.

“On this TCP port on the server, the attacker can set up any backdoor server…and the communication can be established through the legitimate, trusted TCP port,” he said.

Administrator-level privileges are needed in order to install the kernel driver, he explained, noting that in his scenario the user connecting to the server only had user-level privileges.

“Because two-factor authentication is used to access the RDP server, knowing the user’s password is not enough,” he said.  

That challenge can be addressed using a privilege escalation vulnerability.  

After the firewall has been bypassed, the attacker can drop and start a bind shell. The end result is a successful attack for the hacker. 

Companies that have this many layers of protection are not that common, but they do exist and are likely guarding some “very expensive secrets,” Balazs said.

There are multiple actions an organization could take to thwart this kind of attack, starting with using next-generation firewall technology to enforce RDP traffic on the RDP port, he said. Another is monitoring the use of new, unknown kernel drivers. Organizations should also find and eliminate any local privilege escalation issues on the RDP server.
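Enforcing RDP on the RDP port comes down to checking that the first client message of each connection is a real RDP connection request. The sketch below is an added example, not code from the talk or from any firewall product; it assumes the first client payload has already been reassembled, and the flows, ports and function names are constructed for illustration.

```python
import struct

TPKT_VERSION = 3          # RFC 1006 TPKT header version
X224_CR = 0xE0            # X.224 Connection Request code (high nibble)
RDP_NEG_REQ = 0x01        # type byte of the optional RDP negotiation request


def classify_first_payload(payload: bytes) -> str:
    """Return "rdp" for a well-formed connection request, else the reason it failed."""
    if len(payload) < 11:
        return "too short"
    version, reserved, tpkt_len = struct.unpack(">BBH", payload[:4])
    if version != TPKT_VERSION or reserved != 0:
        return "no TPKT header"
    if tpkt_len != len(payload) or payload[4] != tpkt_len - 5:
        return "length fields inconsistent"
    if payload[5] & 0xF0 != X224_CR:
        return "not a connection request"
    rest = payload[11:]                      # skip DST-REF, SRC-REF, class
    if rest.startswith(b"Cookie: "):         # optional cookie or routing token
        end = rest.find(b"\r\n")
        if end < 0:
            return "unterminated cookie"
        rest = rest[end + 2:]
    if rest:                                 # optional RDP_NEG_REQ, 8 bytes
        if len(rest) < 8:
            return "malformed negotiation request"
        neg_type, _flags, neg_len, _protocols = struct.unpack("<BBHI", rest[:8])
        if neg_type != RDP_NEG_REQ or neg_len != 8:
            return "malformed negotiation request"
    return "rdp"


def build_sample_request() -> bytes:
    """Constructed sample: TPKT + X.224 CR + cookie + negotiation request."""
    body = b"Cookie: mstshash=example\r\n" + struct.pack("<BBHI", RDP_NEG_REQ, 0, 8, 3)
    x224 = bytes([6 + len(body), X224_CR]) + b"\x00\x00\x00\x00\x00" + body
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def flag_non_rdp(flows):
    """flows: (source_port, first_client_payload) pairs seen on the RDP port."""
    return [(port, why) for port, data in flows
            if (why := classify_first_payload(data)) != "rdp"]


# Constructed flows; ports and payloads are illustrative only.
SAMPLE_FLOWS = [(50112, build_sample_request()),
                (40000, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
                (50200, b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x00\x00\x00")]
```

A connection that passes this check can still carry something else afterwards, so the check belongs alongside the driver monitoring and patching steps rather than in place of them.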

“Defense in depth and raising the costs for the attackers is important,” he said. “Yet, one should not believe that something is impossible to hack.”
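The driver-monitoring recommendation can be put into practice with Windows System log event 7045, which records each service or driver installation. The following is an added example, not part of the original article; it assumes the events were exported as dictionaries with the 7045 field names, that Windows is installed in C:\Windows, and it uses constructed driver names, paths and baseline.

```python
SERVICE_INSTALLED = 7045   # System log, source "Service Control Manager"


def normalize_image_path(path: str) -> str:
    """Reduce the path spellings seen in ImagePath to one comparable form."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]   # assumes C:\Windows
    elif p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return p


def new_kernel_drivers(events, baseline):
    """Return (service name, image path) for driver installs not in the baseline."""
    known = {normalize_image_path(b) for b in baseline}
    hits = []
    for ev in events:
        if ev.get("EventID") != SERVICE_INSTALLED:
            continue
        if ev.get("ServiceType", "").lower() != "kernel mode driver":
            continue
        image = normalize_image_path(ev.get("ImagePath", ""))
        if image not in known:
            hits.append((ev.get("ServiceName", ""), image))
    return hits


# Constructed baseline and events; every name and path is illustrative.
BASELINE = [r"C:\Windows\System32\drivers\exampleav.sys"]
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "exampleav", "ServiceType": "kernel mode driver",
     "ImagePath": r"\SystemRoot\System32\drivers\exampleav.sys"},
    {"EventID": 7045, "ServiceName": "exampleupdater", "ServiceType": "user mode service",
     "ImagePath": r'"C:\Program Files\Example\updater.exe"'},
    {"EventID": 7045, "ServiceName": "examplefilt", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Users\Public\examplefilt.sys"},
    {"EventID": 7036, "ServiceName": "exampleav"},
]
```

Normalizing the path first keeps a known driver from being flagged only because its ImagePath was written with a `\SystemRoot\` or `\??\` prefix.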
