Dailydave mailing list archives

Re: Build Your Own Botnet with RDP


From: "Hamid . K" <elite_netbios () yahoo com>
Date: Mon, 3 Dec 2007 13:57:24 -0800 (PST)

Hi,
What a surprise!
Today I was just thinking about the same topic for writing,
but focusing on Citrix technology, and owning clients
through the "shadowing" & "drive-mapping" features of Citrix MetaFrame.
I think abusing these will affect a much larger number of users.
I'll update my blog, covering this topic, as soon as I get some free hours.

The scary thing about both "tsclient" maps and Citrix drive-mapping is that
they're both enabled by default. To make things even more interesting,
Citrix's mapping implementation is NOT dependent on the file-sharing service
of the OS at all. Feel free to block inbound/outbound connections, stop related
services and even watch for SMB traffic. Mapped drives will still pop up at
the remote site :)

In case anybody would like to help me on this topic, I'm looking for possible and
also reliable methods of detecting drive-mapping in network traffic (maybe finally some
Snort rules?). This is to prevent further compromises if the Citrix server is 0wned.
Even if the admin has disabled drive-mapping, an intruder can simply re-enable it
and enjoy "tactical exploitation".
The first problem is ICA protocol encryption, and the second problem is false positives
in detection...

Comments?

And the topic you've mentioned is already documented by
Microsoft, and has also been briefly blogged about here:
http://www.intelliadmin.com/blog/2007/08/backup-your-files-using-remote-desktop.html


Best Regards
Hamid.k


----- Original Message ----
From: J.M. Seitz <lists () bughunter ca>
To: dailydave <dailydave () lists immunitysec com>
Sent: Monday, December 3, 2007 9:46:59 PM
Subject: [Dailydave] Build Your Own Botnet with RDP

Hey list,

I wrote a little blog posting over on OpenRCE.org on how you can compromise client machines that
connect to a terminal services server when they enable disk sharing. It's
nothing overly groundbreaking, but I hadn't read anything on it before so I
thought I would share some observations.

http://www.openrce.org/blog/view/981/Build_Your_Own_Botnet_with_RDP

Again, if there is any prior art on this please let me know, I just couldn't find anything for the
life of me.

JS

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave