If you do not specify a password in the < Password > parameter, and the target session belongs to a user other than the current one, tscon fails (not really) .

So we've got a session hijacking here. The most funny thing is that the legit user isn't asked for logout, by using this technique the user just will be kicked out of the session without any notification.









Attack Vector Details: A privileged user, which can gain command execution with NT AUTHORITY/SYSTEM rights can hijack any currently logged in user's session, without any knowledge about his credentials.

Terminal Services session can be either in connected or disconnected state.





This is high risk vulnerability which allows any local admin to hijack a session and get access to:

1. Domain admin session.

2. Any unsaved documents, that hijacked user works on.



feature



Example scenario: Some bank employee have access to billing system, and it's credentials to login.

One day, he come to work, logging in to the billing system and start to work. At lunch time he will lock his workstation, and out to lunch.

Then, system administrator gets to employee's workstation, and logs in with his administrator's account.

According to the bank's policy, administrator's account should not have access to the billing system, but with couple of built-in commands in windows, this system administrator will hijack employee's desktop which he leaved locked. From now, sysadmin can perform malicious actions in billing system as billing employee account.



There are huge amount of scenarios like this.



Furthermore, an attacker doesn't need to use tools like metasploit, incognito, mimikatz etc, which is commonly used for user's token manipulation and impersonating logged in users. Everything is done with built-in commands. Every admin can impersonate any logged in user either locally with physical access or remotely via Remote Desktops (see PoC).





3. Any other systems/applications in which hijacked user previously logged in (May include another Remote Desktop sessions, Network Share mappings, applications which require another credentials, E-mail etc.)featureSome bank employee have access to billing system, and it's credentials to login.One day, he come to work, logging in to the billing system and start to work. At lunch time he, and out to lunch.Then, system administrator gets to employee's workstation, and logs in with his administrator's account.According to the bank's policy, administrator's account should not have access to the billing system, but with couple ofin windows, this system administrator will hijack employee's desktop which he leaved locked. From now, sysadmin can perform malicious actions in billing system as billing employee account.There are huge amount of scenarios like this.Furthermore, an attacker doesn't need to use tools like metasploit, incognito, mimikatz etc, which is commonly used for user's token manipulation and impersonating logged in users.Every adminimpersonate any logged in user either locally with physical access or remotely via Remote Desktops (see PoC).

Tested on: Windows 2016 (Confirmed by Kevin Beaumont @GossiTheDog )

Windows 2012 R2

Windows 2008

Windows 10

Windows 7



We can talk about endless amount of examples. It can be done remotely, as shown in Proof of Concepts.



An attacker can hijack active or disconnected session remotely via remote desktops.

I use this technique about three weeks in my on-going penetration tests on daily basis. It in very simple way helps me to get access to sensitive information like emails, opened documents, clear-text passwords that administrators write down in notepad (not intended for saving, but for temporally writing it somewhere), opened RDP sessions to another external domains (think cloud), or another applications that make use of different login credentials.



Someone can say, if you admin, you can dump server's memory and parse it. That's correct, but you don't need it any more. Just two simple commands and you are in. The most incredible thing, is that I don't need to know the credentials of hijacked user, it is pure passwordless hijacking.



A successful attack heavily related on time and gathered information. If you need to dump a memory, to get your sensitive info, you're in problem. That means that you've tried all quick-wins that you know.



In example of hijacking user (active or disconnected) while he is working now remotely on some sensitive server that i have no access to, and haven't even knew about it, this technique allows me to compromise that server in less than a minute. Everything is real and from my own experience.



Furthermore, as I understand it is very hard to catch if this attack happen. Kevin Beaumont @GossiTheDog make an alert on tscon.exe usage, with Microsoft OMS.



I had a conversation about this finding with Benjamin Delpy @gentilkiwi author of mimikatz:

"That is normal Windows API, that's the design flow, they use it. As mentioned earlier, if you admin, you can do everything. But here is the point. Why and HOW you become admin? If some unprivileged user becomes admin using some kind of local privilege escalation - that's the problem and not the design flow we are talking about. You can do everything, even patch terminal services the way that it will accept your token and allow shadowing mode, without user's knowledge.", he said.



Proof of Concept:





Microsoft documentation helps us to do that from command line:





All we need is NT AUTHORITY/SYSTEM command line.

Easiest method with psexec, but requires psexec.exe to be there:

psexec -s \\localhost cmd





Another method is to create a service that will connect selected session to ours.





1. Get all sessions information:

C:\Windows\system32>query user USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME administrator 1 Disc 1 3/12/2017 3:07 PM >localadmin rdp-tcp#55 2 Active . 3/12/2017 3:10 PM C:\Windows\system32>

C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest: rdp-tcp#55 " [SC] CreateService SUCCESS

3. Start service:

net setart sesshijack





Right after that your session will be replaced with target session.





Proof of Concept video: Windows Server 2016 Demo ( new ): https://youtu.be/bbTfN5geSKw Windows 7 via Task Manager: https://youtu.be/oPk5off3yUg

Windows 7 via command line: https://youtu.be/VytjV2kPwSg

Windows 2012 R2 via service creation: https://youtu.be/OgsoIoWmhWw



















Update: If you still think that this don't have high attack value, read a great writeup by Kevin Beaumont about this feature:

https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6



Update: RedSnarf has now support in RDP Hijacking Update: @gentilkiwi has found that before in 2011, so that is a feature and not zero-day: http://blog.gentilkiwi.com/securite/vol-de-session-rdp Update: If you still think that this don't have high attack value, read a great writeup by Kevin Beaumont about this feature:Update: RedSnarf has now support in RDP Hijacking https://www.youtube.com/watch?v=VrF8uXK_ePY

2. Create service which will hijack user's session: