[Dailydave] Build Your Own Botnet with RDP
Hamid . K
elite_netbios at yahoo.com
Mon Dec 3 16:57:24 EST 2007
Hi,
What a surprise!
Today I was just thinking about the same topic for writing,
but focusing on Citrix technology, and owning clients
through the "shadowing" & "drive-mapping" features of Citrix MetaFrame.
I think abusing these will affect a much larger number of users.
I'll update my blog, covering this topic, as soon as I get some free hours.
The scary thing about both "tsclient" maps and Citrix drive-mapping is that
they're both enabled by default. To make things even more interesting,
Citrix's mapping implementation does NOT depend on the file-sharing service
of the OS at all. Feel free to block inbound/outbound connections, stop related
services and even watch for SMB traffic. Mapped drives will still pop up at
the remote site :)
In case anybody would like to help me on this topic, I'm looking for possible and
also reliable methods of detecting drive-mapping in network traffic (maybe finally some
Snort rules?). This is to prevent further compromises if the Citrix server is 0wned.
Even if the admin has disabled drive-mapping, an intruder can simply re-enable it
and enjoy "tactical exploitation".
The first problem is ICA protocol encryption, and the second problem is false positives
in detection...
Comments?
And the topic you've mentioned is already documented by
Microsoft, and has also been briefly blogged here:
http://www.intelliadmin.com/blog/2007/08/backup-your-files-using-remote-desktop.html
Best Regards
Hamid.k
----- Original Message ----
From: J.M. Seitz <lists at bughunter.ca>
To: dailydave <dailydave at lists.immunitysec.com>
Sent: Monday, December 3, 2007 9:46:59 PM
Subject: [Dailydave] Build Your Own Botnet with RDP
Hey list,
I wrote a little blog posting over on OpenRCE.org on how you can compromise client machines that
connect to a terminal services server when they enable disk sharing. It's
nothing overly groundbreaking, but I hadn't read anything on it before so I
thought I would share some observations.
http://www.openrce.org/blog/view/981/Build_Your_Own_Botnet_with_RDP
Again, if there is any prior art on this please let me know, I just couldn't find anything for the
life of me.
JS
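As an added example (not code from either post above), a defender-side PowerShell audit for the default-enabled "tsclient" drive mapping that JS and Hamid discuss: it reads the Terminal Services fDisableCdm value (the "Do not allow drive redirection" policy) on the server and looks for saved .rdp files that still redirect client drives into the session. The registry paths and the drivestoredirect .rdp setting are standard Windows ones; the search root for .rdp files is an assumption.

```powershell
# Added example, not from the original thread: audit whether RDP client-drive
# redirection (the "tsclient" mapping) is disabled, and find saved .rdp files
# that redirect drives. Assumes a Windows host with the standard Terminal
# Services registry layout; run in an elevated PowerShell session.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$stationKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-DriveRedirectionState {
    # fDisableCdm = 1 means "Do not allow drive redirection" is in force.
    # The policy key wins when both are set; absence of both means the
    # default applies, i.e. client drives are redirected on request.
    $policy  = (Get-ItemProperty -Path $policyKey  -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
    $station = (Get-ItemProperty -Path $stationKey -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
    [pscustomobject]@{
        PolicyDisablesDrives    = ($policy -eq 1)
        StationDisablesDrives   = ($station -eq 1)
        DriveRedirectionAllowed = -not (($policy -eq 1) -or ($station -eq 1))
    }
}

function Find-RdpFilesWithDriveRedirection {
    # Search root is an assumption; adjust for roaming profiles or shares.
    param([string]$Root = "$env:USERPROFILE\Documents")
    # A non-empty drivestoredirect:s: value (e.g. "*" or "C:;D:") maps the
    # client's drives into the session; an empty value redirects nothing.
    Get-ChildItem -Path $Root -Filter *.rdp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -Pattern '^drivestoredirect:s:.+' -Quiet } |
        Select-Object -ExpandProperty FullName
}

Get-DriveRedirectionState
Find-RdpFilesWithDriveRedirection
```

Setting fDisableCdm to 1 under the policy key is the server-side mitigation; on the client side, clearing drivestoredirect in the .rdp file (or unticking drives under Local Resources in mstsc) stops the client from offering its drives at all.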