Dailydave mailing list archives
Re: Build Your Own Botnet with RDP
From: "Hamid . K" <elite_netbios () yahoo com>
Date: Mon, 3 Dec 2007 13:57:24 -0800 (PST)
Hi,

What a surprise! Today I was just thinking about the same topic for writing, but focusing on Citrix technology, and owning clients through the "shadowing" & "drive-mapping" features of Citrix MetaFrame. I think abusing these will affect a much larger number of users. I'll update my blog, covering this topic, as soon as I get some free hours.

The scary thing about both "tsclient" maps and Citrix drive-mapping is that they're both enabled by default. To make things even more interesting, Citrix's mapping implementation does NOT depend on the file-sharing service of the OS at all. Feel free to block inbound/outbound connections, stop related services and even watch for SMB traffic. Mapped drives will still pop up at the remote site :)

In case anybody likes to help me on this topic, I'm looking for possible and also reliable methods of detecting drive-mapping in network traffic (maybe finally some snort rules?). This is to prevent further compromises, if the citrix server is 0wned. Even if the admin has disabled drive-mapping, the intruder can simply re-enable it and enjoy "tactical exploitation". The first problem is ICA protocol encryption, and the second problem is false positives in detection... comments?

And, the topic you've mentioned is already documented by Microsoft, and has also been briefly blogged here: http://www.intelliadmin.com/blog/2007/08/backup-your-files-using-remote-desktop.html

Best Regards
Hamid.k

----- Original Message ----
From: J.M. Seitz <lists () bughunter ca>
To: dailydave <dailydave () lists immunitysec com>
Sent: Monday, December 3, 2007 9:46:59 PM
Subject: [Dailydave] Build Your Own Botnet with RDP

Hey list,

I wrote a little blog posting over on OpenRCE.org on how you can compromise client machines that connect to a terminal services server when they enable disk sharing. It's nothing overly groundbreaking, but I hadn't read anything on it before so I thought I would share some observations.

http://www.openrce.org/blog/view/981/Build_Your_Own_Botnet_with_RDP

Again if there is any prior art on this please let me know, I just couldn't find anything for the life of me.

JS
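Both posts turn on the same server-side knob: whether a terminal server accepts the client drive maps ("tsclient") at all. The script below is an added example, not code from either poster; it audits that setting on a Windows RD Session Host and can enforce the policy value. It assumes the fDisableCdm registry value (1 = drive redirection disabled) under the Terminal Services policy key and the RDP-Tcp listener key; Citrix MetaFrame's own mapping settings are not covered.

```powershell
# Added example (not from the thread): audit whether an RD Session Host /
# Terminal Server still allows client drive redirection ("tsclient" maps).
# Assumption: fDisableCdm (REG_DWORD, 1 = disabled) under the policy key and
# the RDP-Tcp listener key. Run as an administrator on the server to check.

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-DriveRedirectionSetting {
    param([string]$Path)
    # Returns $null when the key or value is absent, i.e. nothing disables it.
    $item = Get-ItemProperty -Path $Path -Name 'fDisableCdm' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.fDisableCdm
}

function Test-DriveRedirectionDisabled {
    $policy   = Get-DriveRedirectionSetting -Path $policyKey
    $listener = Get-DriveRedirectionSetting -Path $listenerKey
    # A policy value wins when present; otherwise the per-listener value applies.
    # No value anywhere means the default, which the thread notes is "enabled".
    $effectiveDisabled = if ($null -ne $policy) { $policy -eq 1 } else { $listener -eq 1 }
    $state = if ($effectiveDisabled) { 'disabled' } else { 'ENABLED (default)' }
    [pscustomobject]@{
        PolicyValue      = $policy
        ListenerValue    = $listener
        RedirectionState = $state
    }
}

function Disable-DriveRedirection {
    # Enforce the policy value so the session host refuses client drive maps.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'fDisableCdm' -Value 1 -Type DWord
}

Test-DriveRedirectionDisabled | Format-List
```

As Hamid points out, an intruder with admin rights on the server can simply set the value back, so treat the audit as a baseline to re-run and compare over time rather than a one-off fix.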
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave