2022-05-20, 15:55–16:25, Ville-Marie
We have been studying and reimplementing parts of RDP for the last three years. This talk is about how to attack and defend against RDP attacks. From MITM and credential capture to secure deployment.
Remote Desktop Protocol (RDP) is the de facto standard for remoting in Windows environments. It grew in popularity over the last couple of years due to the pandemic. Many remote workers are now relying on it to perform duties on remote systems. RDP is secure when well deployed but, unfortunately, that’s rarely the case and thus clicking through warnings is common. We have spent the last 3 years working on and reimplementing parts of RDP in PyRDP, our open-source RDP library. This presentation is about what we have learned and can be applied to attack and defend against RDP attacks.
From an attacker’s perspective, we will cover conventional RDP attacks such as Monster-in-the-Middle (MITM) of RDP connections, capture of NetNTLMv2 hashes and techniques to bypass conventional defense mechanisms such as Network Level Authentication (NLA). Case in point: Did you know that by default all clients allow server-side NLA downgrades right now? This will enable us to understand and identify the risks with RDP.
From the Blue Team’s perspective, we will provide techniques and tools to detect attacks showcased previously. Finally, we will provide step-by-step instructions to deploy an accessible RDP server that is both secure and functional.
Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, he enjoys luring malware operators into his traps, writing tools for malware research and vulnerability research. Olivier is a passionate communicator having spoken at several conferences including BlackHat, Defcon, Botconf, NorthSec, Derbycon, and HackFest. Invested in his community, he co-organizes MontréHack, a monthly workshop focused on hands-on CTF problem solving, and NorthSec, a large non-profit conference and CTF based in Montreal.
Lisandro Ubiedo is part of the Cybersecurity Research team at GoSecure. Passionate about all things malware – from reverse-engineering to catching them on-the-go – and doing DevOps to keep attackers entertained. Lisandro also works on programming tools to aid malware analysis and cybersecurity research. He was part of the Aposemat team at Stratosphere Labs doing IoT malware research and as a DevSecOps engineer in multiple companies, while also enjoying CTF challenge solving.