RE: Terminal Services

From: Ola (
Date: 03/13/05

  • Next message: "Pen Testing capabilities of Flash Files"
    Date: Sun, 13 Mar 2005 09:08:40 -0700
    To:, 'AEHeald' <>


    You can use a tool called TSGrinder to brute force a terminal server using a
    dictionary password for the administrator account. I have been playing
    around with this tool this weekend and it really rocks. You will find
    detailed information from the hammerofgod site:

    TSGringer is a "dictionary" based attack tool, but it does have some
    interesting features like "l337" conversion, and supports multiple attack
    windows from a single dictionary file. It supports multiple password
    attempts in the same connection, and allows you to specify how many times to
    try a username/password combination within a particular connection.
    Note that the tool requires the Microsoft Simulated Terminal Server Client
    tool, "roboclient," which may be found here:

    Hope this helps.
    Kind regards

    -----Original Message-----
    From: John the Kiwi []
    Sent: March 11, 2005 3:30 PM
    To: AEHeald
    Subject: Re: Terminal Services

    I don't use any tools for RDP testing. I have thought about writing a
    perl script to try and brute force with rdesktop, but thinking about it
    is all I have done.

    I consider the RDP Protocol to be pretty reliable and secure, there are
    some things you can do to obfuscate it.

    I normally change the default RDP Port that the server listens on.
    There's a registry entry you can change the port 3389 to something else,
    I don't have a link handy but you can probably do a search for 3389 in
    the registry.

    This has the added benefit of allowing you to publish as many
    workstations (XP Professional anyway) behind your NAT as your router
    will let you forward ports for. It's not bullet proof, but it defeats
    random scans.

    I've also heard you can use ZeBeDee -
    to add an extra layer of encryption on a different port. I've never had
    a customer request it and it adds a lot of complexity for the user but
    the example usage I saw made setting it up look pretty straight forward.

    John the Kiwi

    On Thu, 2005-03-10 at 17:13 -0500, AEHeald wrote:
    > Hash: SHA1
    > Greetings, group!
    > I am de-lurking to inquire if anyone has some pointers on Microsoft
    > Terminal Services. I'm testing a client who allows 3389 into their
    > terminal server for the Remote Desktop Client.
    > Other than the Bad Thing of allowing inbound traffic onto their LAN,
    > I'm trying to hunt down ways to enter all the way in. I have seen
    > TSCrack referenced, but the program is nowhere to be found.
    > Any suggestions gratefully received.
    > Eigen
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGPfreeware 6.5.8 for non-commercial use <>
    > iQA/AwUBQjDGeQGhZ4M3hyK+EQIh2QCg8y1LWs/oc4B303gBM5CLAD0BG4QAoJ+A
    > QyWBGr7piv9nmNmHjFIUuRVi
    > =xKXQ
    > -----END PGP SIGNATURE-----

  • Next message: "Pen Testing capabilities of Flash Files"