
About a year ago my Windows server 2008 R2 server was hacked. I had RDP open to the world, I know, not a good idea. Being that it was a year ago I don't have any of the logs, but I was thinking about something today.

How did they get the username?

It wasn't the administrator account, however, the administrator was active and being used, that is the only way I knew they were on there. Also, there was no password policy setup. This server is really not for anything important. I use it more as a playground.

For about 12 hours an IP out of Poland was brute forcing my server. Looking at the audit logs post incident I noticed about 12k, maybe more, attempts to get the right username and password.

I noticed they started with what looked like an educated guess of usernames, common names mostly, then somehow they got the right username they started with password guessing.

I watched this happen for two reasons really:

  1. To see if they could get in.
  2. To see what they were after.

Once they were in I used VNC to look at the desktop to see what they were doing. They were basically looking through everything, but since the user had very minimal privileges they could not get too much.

Yes, I gave the user RDP access but not much else.

When I tested this just now and put the right username/wrong password vs wrong username/wrong password I didn't see anything to indicate the username was right or wrong.

How did they know that they had found the right username? What software or program might they have been using?

Kindle Q
  • "It wasn't the administrator account, however the administrator was active and being used" - can you clarify this? They bruteforced a different account but then switched and started using the builtin Administrator account? – DmitryK Feb 09 '17 at 22:45
  • @DmitryK No, from the looks of things they didn't even try the administrator account, which kind of makes sense, who would have the administrator account active with RDP open to the world... anyway, I could see in the logs they kept trying different usernames, it's not like they found a working username, it almost seemed very chaotic – Anthony Fornito Feb 10 '17 at 14:25
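The pattern the asker describes above (one source IP, thousands of failed logons, many usernames tried first and then a single name repeated) is what a defender would look for in the Security log. This is an added example, not code from the post or from any tool mentioned in the thread; it assumes the 4625/4624 events have already been exported to a simplified CSV form, and the sample lines and IP addresses are constructed.

```python
# Added example (not the asker's or any tool's code): flag one source IP producing
# many failed logons (event 4625), spraying usernames and then repeating one.
from collections import Counter, defaultdict

# Constructed sample in a simplified "timestamp,event_id,username,source_ip"
# form (the asker's real audit logs were not preserved); IPs are documentation ranges.
SAMPLE_LOG = """\
2017-02-09 01:00:01,4625,john,203.0.113.7
2017-02-09 01:00:02,4625,mike,203.0.113.7
2017-02-09 01:00:03,4625,sarah,203.0.113.7
2017-02-09 01:00:04,4625,tony,203.0.113.7
2017-02-09 01:00:05,4625,tony,203.0.113.7
2017-02-09 01:00:06,4625,tony,203.0.113.7
2017-02-09 01:00:07,4625,tony,203.0.113.7
2017-02-09 01:00:08,4624,tony,203.0.113.7
2017-02-09 01:05:00,4625,bob,198.51.100.4
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, event_id, user, ip = line.split(",")
        events.append((ts, int(event_id), user, ip))
    return events

def analyze(events, fail_threshold=5):
    """Report source IPs with at least fail_threshold failed logons (4625)."""
    failures = defaultdict(list)   # ip -> usernames that failed, in order
    successes = defaultdict(set)   # ip -> usernames that succeeded (4624)
    for _ts, eid, user, ip in events:
        if eid == 4625:
            failures[ip].append(user)
        elif eid == 4624:
            successes[ip].add(user)
    report = {}
    for ip, users in failures.items():
        if len(users) < fail_threshold:
            continue
        counts = Counter(users)
        top_user, top_hits = counts.most_common(1)[0]
        report[ip] = {
            "failures": len(users),
            "distinct_users": len(counts),
            "focused_user": top_user if top_hits > 1 else None,  # name the attacker settled on
            "compromised": sorted(successes[ip] & set(users)),  # success after failures
        }
    return report
```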

1 Answer

There are a few ways to enumerate Windows usernames, but maybe they only needed RDP.

You don't need the username or password to start an RDP connection, and some Windows versions (not sure which ones, looking for them, but 2008 R2 is one of them) will show the names of the users who can connect and which ones are connected already.

This "feature" will directly leak the needed username(s).

(screenshot: wr2rdp)

Maybe they used some tool like this one https://github.com/citronneur/rdpy (there are a few) to take a screenshot, or they just simply tried to log in with an rdesktop UI program and saw something like the screenshot.

There's a Nessus plugin for this too, but I doubt they used it ($$$), who knows.

There are a few ways to leak Windows users, maybe they used another one.

jmingov
  • I think it is since Vista at least. – Yuhong Bao Oct 24 '17 at 04:01
  • Is this feature on by default in Server 2016? I recently installed a test VPS and within 5 minutes I saw failed login attempts in the event viewer with my exact, very impossible to guess, user name... – jjxtra Apr 20 '22 at 00:00