This is about … .
Windows RDP
RDP Bitmap Cache. RDP was developed by Windows. The cache holds small chunks of screenshots, each 64x64 bit, plus one large sprite containing all of them.
%USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache
- older - .bmc
- newer - Cache####.bin, where #### is a number starting from 0
In case you investigate a successful RDP login to a specific machine, note that only in the case of the RDP login, the "Workstation Name" field in the "Network Information" section does not refer to the source machine name; instead it refers to the name of the machine that recorded the event log (target machine). Be careful, because such wrong information may mislead your incident investigations. For the example in the screenshot, the "pbeesly" account logged on the "SCARNTON" hostname from the 172.18.39.2 source machine IP. If you want to find the source machine name, you can use Event IDs 4778 or 4779 recorded in the security events instead.
https://www.linkedin.com/posts/mostafa-yahia-701b4b15a_in-case-you-investigate-a-successful-rdp-activity-7004505487912112130-W6Oo?utm_source=share&utm_medium=member_desktop
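An added example (not from the post above) of the correlation it recommends: for each RDP logon (4624 with LogonType 10) it looks for a matching 4778 event and reports the 4778 ClientName as the real source host instead of the misleading WorkstationName. The event records are constructed; the host name RECEPTION-PC, the timestamps and the 30-second matching window are assumptions.

```python
"""Correlate RDP logons (4624, LogonType 10) with 4778 session events to
recover the real source host name. Added example with constructed records;
field names follow the Security log event XML data names."""
from datetime import datetime, timedelta

# Constructed sample events (not real log data). SCARNTON is the host that
# recorded the log, which is what 4624's WorkstationName reports for RDP.
EVENTS = [
    {"EventID": 4624, "Time": "2023-01-10T09:00:05", "TargetUserName": "pbeesly",
     "LogonType": 10, "WorkstationName": "SCARNTON", "IpAddress": "172.18.39.2"},
    {"EventID": 4778, "Time": "2023-01-10T09:00:06", "AccountName": "pbeesly",
     "ClientName": "RECEPTION-PC", "ClientAddress": "172.18.39.2"},
    {"EventID": 4624, "Time": "2023-01-10T11:30:00", "TargetUserName": "mscott",
     "LogonType": 10, "WorkstationName": "SCARNTON", "IpAddress": "172.18.39.7"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def resolve_rdp_source(events, window_seconds=30):
    """Return (user, ip, workstation_name_field, resolved_source) per RDP logon.

    A 4778 event for the same account and client address within
    `window_seconds` supplies the actual source host (ClientName). When no
    4778 is found, resolved_source is None, so the analyst is not tempted to
    fall back on the WorkstationName field, which names the target host.
    """
    reconnects = [e for e in events if e["EventID"] == 4778]
    results = []
    for e in events:
        if e["EventID"] != 4624 or e.get("LogonType") != 10:
            continue
        t = parse_ts(e["Time"])
        source = None
        for r in reconnects:
            same_user = r["AccountName"].lower() == e["TargetUserName"].lower()
            same_addr = r["ClientAddress"] == e["IpAddress"]
            close = abs(parse_ts(r["Time"]) - t) <= timedelta(seconds=window_seconds)
            if same_user and same_addr and close:
                source = r["ClientName"]
                break
        results.append((e["TargetUserName"], e["IpAddress"], e["WorkstationName"], source))
    return results


if __name__ == "__main__":
    for user, ip, wks, src in resolve_rdp_source(EVENTS):
        print(f"{user} from {ip}: WorkstationName={wks} (target host), source={src or 'unknown'}")
```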
Pipes
A named pipe is not exactly the same as a reverse shell, but it can be used in a similar way to establish a remote connection between two systems. A named pipe is a type of inter-process communication (IPC) mechanism that allows two or more processes to communicate with each other on a local computer or over a network. A named pipe has a name and is implemented as a file object. Processes can read from and write to the named pipe as if it were a regular file. Named pipes are commonly used in client-server applications, where a server process creates a named pipe and waits for client processes to connect to it. Once a client connects to the named pipe, the server can send and receive data to and from the client. (ChatGPT)
RTFM
cmd.exe /c echo something > \\.\pipe\something2
/c tells cmd.exe to execute the command and then quit. Putting it all together, the command echoes the text “something” and redirects it to a named pipe called “something2”. The redirect only succeeds if a server process has already created \\.\pipe\something2 and is waiting for a client; the writing side does not create the pipe.
To create a named pipe, do the following (mkfifo is a POSIX utility, not a cmd.exe built-in; dir \\.\pipe\\ lists every named pipe currently open on the host, which is useful when checking for unexpected pipes):
mkfifo \\.\pipe\MyNamedPipe
dir \\.\pipe\MyNamedPipe
del \\.\pipe\MyNamedPipe
Telnet
Ports: 23
RTFM
# If the Telnet port is open, you might try to log in as a user. If the user doesn't have a password set up, you might even be able to log in without a password.
telnet <IP> <port>
root # or any other username that you think exists
Password: # leave blank
FTP
Ports: 21, 22
RTFM
brew unlink telnet # for macOS if the telnet was already installed
brew install inetutils
ftp <IP>
# When prompted for the username, type
anonymous
# for password just hit Enter
# on macOS, allow gftp to accept incoming connections, or else you won't be able to browse the FTP server: the server responds with "200 PORT command successful. Consider using PASV.", hangs for a while, and then fails with "425 Failed to establish connection."
ls # browse
get # get file
SMB
Ports: 135, 139, 445
RTFM
nmap -p 139,445 --script smb-enum-shares <target>
brew install samba
smbclient -U username -W workgroup -c 'ls' //server/share