Author Topic: RDP Brute Force Attacks on my PC - caused monitors to flash black  (Read 8018 times)


Offline janoc

  • Super Contributor
  • ***
  • Posts: 3781
  • Country: de
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #25 on: September 15, 2019, 05:19:34 pm »

At some point you have to trust that Microsoft implemented their functionality like RDP correctly and without bugs.

But: similar attacks are done to all possible ports, too!


Of course it is possible that other services on your computer or router have bugs. But there is a big difference between relying on a service that might have one and voluntarily exposing one with a known long history of critical issues permitting to take over the entire machine/network ...

Like these from a month ago:
https://nakedsecurity.sophos.com/2019/08/14/microsoft-warns-of-new-worm-ready-rdp-bugs/

"Worm-ready", no less.


That's like refusing to fire a contractor that has set fire to your house 3x already because "one has to trust that they have got it right this time".

Sorry but that's just plain dumb and asking for problems. Your presentation of it as "either it is my way or it is unusable for me" is a false dichotomy that will only cost you long term. Convenience is great - until it costs you your data, job and possibly livelihood/freedom (e.g. if your infected PC infects a network of your client with a destructive worm).

 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6733
  • Country: pl
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #26 on: September 15, 2019, 05:59:19 pm »
When fully featured VPN is not possible SSH port forwarding may still work.

You will need to set up a publicly accessible SSH server on the router (or some other home machine and then forward the port) and connect to it with some Windows client like putty to create a tunnel.
https://www.akadia.com/services/ssh_putty.html

Two advantages over exposing RDP publicly:
1. any attack attempts will be against SSH, which is likely more secure than Micro$oft WinDOS :P
2. any attack attempts will be against SSH, so they won't disturb Windows

Using nonstandard ports also greatly reduces the nuisance from botnets, with any server and protocol.
 

Offline legacy

  • Super Contributor
  • ***
  • !
  • Posts: 4415
  • Country: ch
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #27 on: September 15, 2019, 06:09:28 pm »
ssh tunneling ... well my RSP router (Atheros9 @ 680MHz) obtains a gorgeous speedup when it's coupled with a Crypto engine on the miniPCI slot.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #28 on: September 15, 2019, 06:39:22 pm »
Hi,

Just to clear up a few things:

My PC is NOT connected "directly" to the internet. It is behind a router that only forwards RDP to my computer. I do that because I need it: for work and hobby related reasons I require to access my computer through RDP frequently. When in need, I need it to be fast: I sometimes use for example CAD/CAM software through RDP. If I tunnel that through my VPN server, which I have, also, the speed drops considerably.

Also, having to first do VPN is not an option because the computers from which I need to access mine would require me to setup said VPN connection (not always possible due to lack of admin privileges). Some networks I am in do not allow the use of VPN - it is filtered.
Then use something like Teamviewer or secure VNC. At least these don't require opening a direct connection from internet to your PC.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline MrMobodies

  • Super Contributor
  • ***
  • Posts: 1906
  • Country: gb
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #29 on: September 16, 2019, 12:13:39 am »
I had something similar happen to a Windows XP virtual machine last year. For RDP I had restricted it by IPs on a list on the firewall but I have forgotten about one rule to an IP that I put in many years ago and that was RDP but on a different port number. I allocated that virtual machine to that IP and a week later I started to get unusual dialogues that I have never seen before like that "service control" and when I did my checks I could see lot of inbound/outbound connections all over the world when there shouldn't be any as it was just for data logging. When I blocked it and the IPs coming in I could see on the logs many different ports being tried. I stopped the virtual machine and replaced it with a template but couldn't find any new file/executable or changes apart from login attempts and those service things in the logs.

I don't think it is safe to even have RDP on a different port now unrestricted to any IP other than VPN as it is a matter of time when they find it and do a campaign over some vulnerability.
 

Offline BicuricoTopic starter

  • Super Contributor
  • ***
  • Posts: 1707
  • Country: pt
    • VMA's Satellite Blog
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #30 on: September 16, 2019, 06:55:22 am »
Did my share of reading and after all considerations switched off RDP forwarding and left only VPN access.

THIS SUCKS!

Regards,
Vitor

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #31 on: September 16, 2019, 08:03:37 am »
Did my share of reading and after all considerations switched off RDP forwarding and left only VPN access.

THIS SUCKS!

Regards,
Vitor

Mind elaborating why it sucks? What have you lost compared to prev setup? Feature? Performance? Etc?

Offline BicuricoTopic starter

  • Super Contributor
  • ***
  • Posts: 1707
  • Country: pt
    • VMA's Satellite Blog
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #32 on: September 16, 2019, 08:47:14 am »
I lost this:

1) Performance: Because VPN is provided by a TP-Link router running DD-WRT, it cannot even remotely benefit from my internet bandwidth. Where I could before use CAD/CAM software in real-time or even watch a movie being run on my remote PC, now I suffer from considerable lag. I don't know at this point, what my options are to get a faster VPN server. I do not want to purchase any additional, power consuming, device.
2) Usability: I now have to do two steps - first connect to VPN and only then connect to RDP. Before I could directly connect to RDP. The difference is about 30 seconds for each connection. Doesn't sound like much but is annoying.
3) Compatibility: I never succeeded in connecting my mobile phone (Samsung Galaxy Note 8 running official Android) to my VPN server. This means that I no longer can RDP to my computer from my phone, which is something I did a lot. Also, this will prevent me from easily accessing my computer from a customer computer, to show him some features he doesn't have a valid license for, or to access some files he needs, which are on my computer. I know many will think I could just take those files with me on a HDD, but it is not that easy. Sometimes those files need to be downloaded from my account at the provider and that is something I won't do on the customer's computer.

So in all, these are my main points. Might sound of little importance to IT admins, but there are people in the real world who need to use computers for reasons beyond the IT world.

And having a feature called RDP, which you cannot use as it was intended, sucks in my opinion.

Anyway, if someone cares to help me: is there a FREE recommended VPN server that I could safely run on my PC (Windows 10), as this PC is switched on all the time, anyway? Would that be a secure thing to do (pointing the VPN ports to my computer running a VPN server, so that I could then access the computer RDP)?

Regards,
Vitor

Offline BicuricoTopic starter

  • Super Contributor
  • ***
  • Posts: 1707
  • Country: pt
    • VMA's Satellite Blog
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #33 on: September 16, 2019, 09:12:34 am »
Forgot to add another reason why having to use VPN to be able to RDP sucks big time:

All the traffic is then routed through my home network!

I am sure I could use a better VPN server, but I am pretty sure that such solution would either require a commercial solution or having to setup a dedicated Linux machine.

So yes, it sucks.

Regards,
Vitor

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #34 on: September 16, 2019, 09:46:33 am »
I'm no expert, and I used to be so called "real man" use pfSense thingy  ::), own VPN server and etc, but I scrapped all of those as I just don't want spend the time maintaining them. Especially using old hardware, broken, fixed, broken again, reinstalled, reconfigured etc ... no more, too much trouble.


1) Performance: Because VPN is provided by a TP-Link router running DD-WRT, it cannot even remotely benefit from my internet bandwidth. Where I could before use CAD/CAM software in real-time or even watch a movie being run on my remote PC, now I suffer from considerable lag. I don't know at this point, what my options are to get a faster VPN server. I do not want to purchase any additional, power consuming, device.

How old is your TP-Link router ? and why DD-WRT ?

Modern mid class router nowadays already using powerful processor, the burden of processing the firewall, VPN are pretty minuscule that makes them basically unnoticeable.

Old router, when loaded with all these jobs, probably made you lag so much as they're over burdened, hence low bandwidth and probably bad latency too.

No affiliate, you choose so many brands or model, but just for example sake, I use this at my house and my mom's home -> https://www.tp-link.com/pt/home-networking/wifi-router/archer-c9/

This is considered NOT a high end model.

Firewall enabled with full packet inspection, VPN enabled and also subscribed to TP-LINK dynamic DNS, its free, so I can connect everywhere to home or mom's everywhere just by name I made at the Dynamic DNS provided free by TP-Link, example: mymommy.tplinkdns.com instead of using IP as they're dynamic.



2) Usability: I now have to do two steps - first connect to VPN and only then connect to RDP. Before I could directly connect to RDP. The difference is about 30 seconds for each connection. Doesn't sound like much but is annoying.

My VPN connection, say I connect from internet from my mobile phone back to home network, only needs 2 seconds.

Something is not right.


3) Compatibility: I never succeeded in connecting my mobile phone (Samsung Galaxy Note 8 running official Android) to my VPN server. This means that I no longer can RDP to my computer from my phone, which is something I did a lot. Also, this will prevent me from easily accessing my computer from a customer computer, to show him some features he doesn't have a valid license for, or to access some files he needs, which are on my computer. I know many will think I could just take those files with me on a HDD, but it is not that easy. Sometimes those files need to be downloaded from my account at the provider and that is something I won't do on the customer's computer.

The VPN server should not be in your working PC / desktop.

Say assumed you've fixed the router weakness and all VPN is handled by the router like mine, here what I use for my personal setup and mom's house.  ;D

At my android's mobile phone & tablet, I used app named OpenVPN.
-> https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en

For laptop, same, just google for Windows OpenVPN client.

Since the connection is VPN-ed (read:secured), consider TightVNC (open source & freeware) and install it at your PC as service, not running as apps. So you can even log-in remotely just like you're sitting in front of it.

I've been using TightVNC for > 10 years, they very reliable, tight & mean for remote computing, my suggestion, try it, you got nothing to lose.

For windows laptop, I use that TightVNC too, and for my android tablet and mobile phone, I use app called "Remote Ripple" , made by the TightVNC team, not free though, but dirt cheap just <$5, and one time payment for perpetual license support.  :-+

Also I installed an app called "Wake On LAN" at my android mobile phone and tablet too, while out door, I can turn on remotely my desktop PCs, and once turned on , I can use my phone to log in remotely and feels like almost real time, of course, shutting down them too.

For my mom's PC and her android mobile phone  ::), she has the same router, firewall (full DDOS attack protection enabled), and VPN enabled, and her old PC (win 8 ) running the TightVNC as service, so I can login remotely.

While her android phone, an old samsung, I installed a free Samsung's own app called "SideSync", so I can remotely help her to troubleshoot even simple stuff like adding a phone book entry or installing an app from google play  ;D as its like I was right there using her phone. Newer version is called Samsung Flow.

And having a feature called RDP, which you cannot use as it was intended, sucks in my opinion.

RDP protocol has a lot of overhead, again, suggesting to try TightVNC at your two local computer and compare.

Anyway, if someone cares to help me: is there a FREE recommended VPN server that I could safely run on my PC (Windows 10), as this PC is switched on all the time, anyway? Would that be a secure thing to do (pointing the VPN ports to my computer running a VPN server, so that I could then access the computer RDP)?

Upgrade your router to more powerful one, the VPN problem will be gone.

I had been there, having my own VPN server, built, installed, configured .. maintained  :'( .. too much troubles, ended up just use a new router to handle them all, beside they're not that expensive anymore.

My 2 cents.
« Last Edit: September 16, 2019, 09:50:58 am by BravoV »
 

Offline legacy

  • Super Contributor
  • ***
  • !
  • Posts: 4415
  • Country: ch
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #35 on: September 16, 2019, 10:06:02 am »
use CAD/CAM software in real-time or even watch a movie being run on my remote PC

dunno...  for CAD/CAM you also might need a graphics tablet or a 3D mouse as input devices, and this sucks due to the big lag introduced by both the network and the RDP protocol.

Anyway, things usually go even worse when you apply VPN because it decreases the throughput and increments the lag.

The miniPCI cryptoprocessor does a great job at accelerating ssh-tunnels' and VPNs' stuff and it actually helps the little Atheros9 CPU used in my router,  but it adds a lot of lag to each packet it processes. I feel the lag when I use the mouse on a remote RDP machine. It's tolerable but ... only for simple operations and only for a short while.

 

Offline BicuricoTopic starter

  • Super Contributor
  • ***
  • Posts: 1707
  • Country: pt
    • VMA's Satellite Blog
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #36 on: September 16, 2019, 10:07:05 am »
TightVNC is not an option.

There is a reason why RDP is so complex: it acts as virtual graphics card in the sense that it does not grab the screen, compress it and send it like VNC does (which takes ages). It actually sends the instructions to draw the screen, which is much faster. Think of it as comparing having an X11 server locally or filming your screen and sending it through the internet.

The same with sound, which can be reproduced on the host or the client. These are just examples of the range of functionality of RDP. TightVNC (just noticed they made a new version after THREE years) might have its reasons to exist, but for sure it is not a replacement of RDP.

Again, and sorry to repeat myself: with RDP I can use a small, light and cheap 250 Euro laptop and remote connect to my computer (more like a workstation, actually) and use high-end CAD/CAM software without noticeable lag. It does have some minor graphical glitches, but these are acceptable. This is something you simply cannot do over VNC and you do need a good bandwidth, which I have (upload-wise).

I use the cheap TP-Link WR841n routers with DD-WRT. Why? Because I have three of them, on different floors, acting as access points for my WLAN. DD-WRT is easy to configure and offers extra services (not present in the original FW), including VPN server.

But I agree, these are a bit outdated CPU, flash and memory wise.

My ISP Router does not offer VPN functionality, btw.

So perhaps I need to get a more recent router, but I definitely want to run DD-WRT on it. I like it for the clear interface, the functionality offered and the fact that so far they have been immune to hacks, as opposed to default FW of major brands.

The problem is that there currently are no cheap options for DD-WRT compatible routers!

And yes, I know there is OpenWrt. I just never used it, as it requires more flash to have webserver for the GUI and overall I found it less user-friendly.

So the current question is: what router is recommended to act as a VPN server? With what FW? Such router would be behind my provider router, of course. It needs to be able to provide VPN at speeds of around 200MBPS - that is the main issue.

Regards,
Vitor

Offline legacy

  • Super Contributor
  • ***
  • !
  • Posts: 4415
  • Country: ch
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #37 on: September 16, 2019, 10:21:49 am »
I don't think it is safe to even have RDP on a different port now unrestricted to any IP other than VPN as it is a matter of time when they find it and do a campaign over some vulnerability.

A dude in my team had (note the past verb) a windows XP machine with an RDP port open to the internet, and an asshole did exploit the weakness of the protocol to take the remote control of the computer so he was able to impersonate us on Discord with our IP just to make fun of us.

- making fun of fools is a lot of fun - he said in a comment, well, not something you can sue someone for, but for sure it was not funny.
 

Offline edy

  • Super Contributor
  • ***
  • Posts: 2385
  • Country: ca
    • DevHackMod Channel
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #38 on: September 16, 2019, 01:44:10 pm »
Thanks to this thread I just re-assigned the outward-facing ports of my internet modem to a different port for VNC. Not that I had any issues... but just to be sure.  Default for VNC is 5900 and it is just way too easy to try and brute-force an attack. At least some random high port will take longer to find. Not that it is a perfectly secure patch, but a bit less likely to be picked up. You need multiple layers of security, this being just one of many.

Here is a list of the top scanned ports:

https://securitytrails.com/blog/top-scanned-ports
« Last Edit: September 16, 2019, 01:45:44 pm by edy »
YouTube: www.devhackmod.com LBRY: https://lbry.tv/@winegaming:b Bandcamp Music Link
"Ye cannae change the laws of physics, captain" - Scotty
 

Offline legacy

  • Super Contributor
  • ***
  • !
  • Posts: 4415
  • Country: ch
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #39 on: September 16, 2019, 02:14:07 pm »
Here is a list of the top scanned ports

port scanning is not so bad. I mean, we have a project where a router continuously port-scans a restricted subnet in order to monitor the running services.

Code:
# ls-host 192.168.1.24
192.168.1.4____ 00.0c.42.0e.8f.01 uc-rb532............. (+) 22/ssh 25/HoNad 80/httpd 5201/iperf3
192.168.1.11___ 00.60.78.05.8d.d8 akita................ (+) 22/ssh 25/HoNad 80/httpd 443/https
192.168.1.12___ ....................................... (+) 6000/X11
192.168.1.24___ 00.16.e6.37.b0.fa OrangeCube........... (+) 22/ssh 25/HoNad
192.168.1.36___ 00.30.6e.1e.2c.17 c3600................ (+) 22/ssh 25/HoNad
192.168.1.50___ ....................................... (+) 80/httpd
192.168.1.81___ 00.11.24.e4.d7.f0 lelly................ (+) 22/ssh 25/HoNad 80/httpd 111/rpcbind 443/https 2049/nfs
192.168.1.84___ 00.30.65.6a.ab.a6 minerva.............. (+) 22/ssh 23/telnet 25/HoNad

We have recently created a protocol named "HoNad", defining a server which does some things including port-scanning and responds to queries on port 25. A remote client can run "ls-host" to issue a query requiring the list of all the machines found in the restricted LAN.

mac-addresses are also monitored, so if a machine changes its mac-address this triggers the attention of the monitor which logs the event, and there is a specific "ls-intruders" tool that can issue the query to the server, which will respond with its metric.

Since the server runs in a router which is able to work as firewall, it can also automatically take the - fail-2-ban- decision to ban an IP from the restricted LAN that it serves.
« Last Edit: September 16, 2019, 02:16:53 pm by legacy »
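
Added example, not part of legacy's post or project: Python that parses two `ls-host` style listings and reports MAC changes, new hosts and newly opened ports, the kind of change the monitor described above would log. The first listing reuses rows shown in the post; the second listing, the `REMOTE_ACCESS_PORTS` set and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Row layout as shown in the post: IP padded with "_", then either
# "mac name....." or only dots, then "(+)" and port/service pairs.
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})_*\s+(.*?)\s+\(\+\)\s*(.*)$")
MAC_NAME_RE = re.compile(r"^([0-9a-f]{2}(?:\.[0-9a-f]{2}){5})\s+(\S+)$", re.I)

# Ports treated as remote access in this example (an assumption, adjust locally).
REMOTE_ACCESS_PORTS = {23: "telnet", 3389: "RDP", 5900: "VNC"}

@dataclass
class Host:
    ip: str
    mac: Optional[str] = None
    name: Optional[str] = None
    services: Dict[int, str] = field(default_factory=dict)

def parse_snapshot(text: str) -> Dict[str, Host]:
    """Turn one listing into {ip: Host}; non-host lines are skipped."""
    hosts: Dict[str, Host] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt line, blank line, anything that is not a host row
        ip, middle, svc_field = m.groups()
        host = Host(ip=ip)
        mn = MAC_NAME_RE.match(middle)
        if mn:  # rows without a known MAC carry only filler dots here
            host.mac = mn.group(1).lower()
            host.name = mn.group(2).rstrip(".")
        for token in svc_field.split():
            port, _, service = token.partition("/")
            if port.isdigit():
                host.services[int(port)] = service
        hosts[ip] = host
    return hosts

def diff_snapshots(old: Dict[str, Host], new: Dict[str, Host]) -> List[Tuple[str, str, str]]:
    """Return (kind, ip, detail) findings for everything that changed."""
    findings = []
    for ip, cur in sorted(new.items()):
        prev = old.get(ip)
        if prev is None:
            findings.append(("new-host", ip, cur.mac or "mac unknown"))
            prev = Host(ip=ip)
        elif prev.mac and cur.mac and prev.mac != cur.mac:
            findings.append(("mac-changed", ip, f"{prev.mac} -> {cur.mac}"))
        for port in sorted(set(cur.services) - set(prev.services)):
            kind = "remote-access-opened" if port in REMOTE_ACCESS_PORTS else "port-opened"
            findings.append((kind, ip, f"{port}/{cur.services[port]}"))
    return findings

# Baseline: rows taken from the listing in the post.
BASELINE = """\
# ls-host 192.168.1.24
192.168.1.4____ 00.0c.42.0e.8f.01 uc-rb532............. (+) 22/ssh 25/HoNad 80/httpd 5201/iperf3
192.168.1.12___ ....................................... (+) 6000/X11
192.168.1.24___ 00.16.e6.37.b0.fa OrangeCube........... (+) 22/ssh 25/HoNad
192.168.1.50___ ....................................... (+) 80/httpd
"""

# Later scan: constructed for this example (changed MAC, new port, new host).
LATER = """\
192.168.1.4____ 00.0c.42.0e.8f.01 uc-rb532............. (+) 22/ssh 25/HoNad 80/httpd 5201/iperf3
192.168.1.12___ ....................................... (+) 6000/X11
192.168.1.24___ 02.00.00.00.00.01 OrangeCube........... (+) 22/ssh 25/HoNad
192.168.1.50___ ....................................... (+) 80/httpd 3389/rdp
192.168.1.99___ ....................................... (+) 5900/vnc
"""

if __name__ == "__main__":
    for finding in diff_snapshots(parse_snapshot(BASELINE), parse_snapshot(LATER)):
        print(*finding, sep="\t")
```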
 

Offline BicuricoTopic starter

  • Super Contributor
  • ***
  • Posts: 1707
  • Country: pt
    • VMA's Satellite Blog
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #40 on: September 16, 2019, 02:29:29 pm »
If people consider an open RDP port bad practice, I would say that an open VNC port is a VERY BAD practice.

Anyway, I just bought myself an Asus router of the newer kind - still not a too expensive model...

The thing is: it is not supported by DD-WRT, Merlin or OpenWrt. I knew that but thought that I would just use the VPN functionality supported by the stock firmware.

Bah... Asus decided that all the extra features like VPN are only available in router mode. If you switch to access point mode, these options are not available.

Plus, if you do configure the device into router mode, the VPN will only listen to the WAN port and of course the WAN/LAN ports have to be configured in different subnets.

See why I like DD-WRT? You can just configure it to access point mode, use the WAN port as a LAN port, but still retain all the services like DynDNS, VPN, etc.

I will give it a last test, connecting it like this: WAN -> Provider Router 192.168.2.x -> Asus Router 192.168.1.x

But I fear that won't work, either, due to the IPTV that is fed by the provider router into my network.

So I think it will be returned and I am 2h poorer...

Regards,
Vitor


Offline BicuricoTopic starter

  • Super Contributor
  • ***
  • Posts: 1707
  • Country: pt
    • VMA's Satellite Blog
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #41 on: September 17, 2019, 09:06:12 pm »
Update here: https://www.eevblog.com/forum/security/recommended-stand-alone-vpn-servers/msg2695695/#msg2695695

Got everything to work with the new ASUS router and now have a fast VPN server (couldn't test the final bandwidth, as my office internet bandwidth is smaller than what my router can handle when doing VPN). This allows to more or less use RDP as before, but with additional security layer.

And the end result is that the screen does not flicker anymore, which was driving me nuts!

This can be easily reproduced, btw: You need two computers, one running Windows Professional. Configure it to accept RDP requests, but uncheck the option "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".

From the other computer launch RDP and open the first computer: enter the wrong user/password and notice how the screen of the first computer flashes. Repeat and see how annoying it gets.

I guess that is a cool way to annoy office workmates...

Regards,
Vitor
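
Added example, not from the original posts: Python that groups failed-logon records (Windows Security event 4625) by source address and flags bursts like the ones behind the flashing described above. The CSV layout, the sample rows and the threshold are constructed for this example; logon type 10 is an interactive RDP logon attempt, which is what a host without NLA records, while with NLA enabled failures are typically logged as type 3.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

def failed_logon_bursts(csv_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: summary} for sources with >= threshold failures in any window."""
    per_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # 4625 = failed logon; keep only network (3) and RDP interactive (10) logons.
        if row["EventID"] != "4625" or row["LogonType"] not in ("3", "10"):
            continue
        ip = row["IpAddress"]
        if ip in ("", "-", "127.0.0.1", "::1"):
            continue  # no usable remote source recorded
        per_ip[ip].append((datetime.fromisoformat(row["TimeCreated"]),
                           row["LogonType"], row["TargetUserName"]))

    report = {}
    for ip, events in per_ip.items():
        events.sort()
        recent = deque()  # timestamps inside the sliding window
        peak = 0
        for ts, _, _ in events:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            report[ip] = {
                "failures": len(events),
                "peak_in_window": peak,
                "users_tried": sorted({user for _, _, user in events}),
                # Type 10 failures got as far as a full RDP logon session.
                "pre_nla_sessions": sum(1 for _, t, _ in events if t == "10"),
            }
    return report

# Constructed sample export (documentation-range addresses, made-up accounts).
SAMPLE_CSV = """\
TimeCreated,EventID,LogonType,IpAddress,TargetUserName
2019-09-14T03:10:00,4625,10,203.0.113.7,administrator
2019-09-14T03:10:04,4625,10,203.0.113.7,admin
2019-09-14T03:10:09,4625,10,203.0.113.7,user
2019-09-14T03:10:15,4625,10,203.0.113.7,test
2019-09-14T03:10:21,4625,10,203.0.113.7,administrator
2019-09-14T03:10:30,4625,10,203.0.113.7,guest
2019-09-14T08:00:00,4625,3,198.51.100.20,owner
2019-09-14T08:12:00,4625,3,198.51.100.20,owner
2019-09-14T08:12:30,4624,10,198.51.100.20,owner
"""

if __name__ == "__main__":
    for ip, summary in failed_logon_bursts(SAMPLE_CSV).items():
        print(ip, summary)
```

A non-zero `pre_nla_sessions` count is the sign that attempts are reaching the logon screen, which is the condition the NLA checkbox removes.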

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #42 on: September 18, 2019, 06:23:07 am »
Got everything to work with the new ASUS router and now have a fast VPN server (couldn't test the final bandwidth, as my office internet bandwidth is smaller than what my router can handle when doing VPN). This allows to more or less use RDP as before, but with additional security layer.

Glad to hear this  :-+ , modern routers nowadays use powerful CPUs that handle the VPN processing easily.

At my mom's 64M link, once I measured running at full bandwidth when I was copying huge file over VPN, the router's cpu utilization is merely under 10%.


Offline gnif

  • Administrator
  • *****
  • Posts: 1672
  • Country: au
Re: RDP Brute Force Attacks on my PC - caused monitors to flash black
« Reply #43 on: September 18, 2019, 06:47:59 am »
If people consider an open RDP port bad practice, I would say that an open VNC port is a VERY BAD practice.

I'd wager that RDP is far worse than VNC since Microsoft's RDP implementation is closed source and only has a limited number of eyes looking at it. VNC has been around for years (20+?) as an open-source protocol, looked over by countless people for both home and inclusion in enterprise-grade mission-critical equipment. RDP in comparison is a baby compared to VNC.

That said, you should never expose any form of remote access to any system, be it a server or an enterprise endpoint. You really need some added layer of protection such as a VPN or a jump box.
 

