Asia-24-Shi-A-Glimpse-Into-The-Protocol.pdf

1、#BHASIA BlackHatEventsA Glimpse Into The ProtocolFuzz Windows RDP Client For Fun And ProfitYingqi Shi(Mas0nShi),Mingjia Liu(cyberestro),Quan Jin(jq0904)DBAPPSecurity#BHASIA BlackHatEventsAbout UsYingqi ShiMas0nShiMingjia LiucyberestroQuan Jinjq0904Guoxian Zhong_p01arisZSiyuan Liu4nsw3r123#BHASIA Bla

2、ckHatEventsAgendaMotivationIntroductionFuzzingCase StudyFuture#BHASIA BlackHatEventsMotivation#BHASIA BlackHatEventsMotivation Popular Remote Access Solution Legacy and Longevity And more?https:/www.shodan.io/search?query=port%3A%223389%22#BHASIA BlackHatEventsMotivation Few vulnerabilities in RDP i

3、n the past year(01/2022-09/2023)https:/ BlackHatEventsIntroduction#BHASIA BlackHatEventsRDP Overview RDP contains the following features Clipboard Printer Storage Device Smart Card Audio IN/OUT#BHASIA BlackHatEventsRDP Client Attack Victims connect malicious server using mstsc.exe#BHASIA BlackHatEve

4、ntsRDP Server Attack Attackers take control of the RDP Server using mstsc.exe#BHASIA BlackHatEventsClient or Server?#BHASIA BlackHatEventsFocus on Microsoft RDP Client Why MS RDP Client？Clarity(mstscax.dll,etc.)Operability(Public APIs)Simplicity(Compared to RDP Server)Quickly(Learn from previous wor

5、ks)#BHASIA BlackHatEventsPrevious Works#BHASIA BlackHatEventsRDP Virtual Channel Virtual Channel Static Virtual Channel Dynamic Virtual Channelhttps:/ BlackHatEventsRDP Virtual Channel#BHASIA BlackHatEventsRDP Virtual ChannelRDPSNDRDPDRTSMF#BHASIA BlackHatEventsVirtual Channel API WTS API Open Serve

6、r Open Virtual Channel Write/Read Virtual Channel Close Virtual Channel Close Server https:/ BlackHatEventsFuzzing#BHASIA BlackHatEventsOpen Source RDP Fuzzerrdpfuzzhttps:/ BlackHatEventsFuzzing Architecture#1https:/ Loop#BHASIA BlackHatEventsFuzzing Architecture#2 Proxyhttps:/ BlackHatEventsChoose