Hmm……l337 conversion seems all fancy but it don’t work with multiple threads open .

But HOG does have some nice programs like URLScan DTS pack and TSEnum.

Thanx for the link!!

To protect against this kind of attack, you could disable the terminal server, or make sure you have a strong password policy in place. Pretty scary that the attack isent picked up by IDS because of the encryption, would the brute force logins be logged within windows some where?

n0vv u-77 4rv3 t0 734rn 70 5p377 7h1n95 0u7 71k3 7h15 1n5t346:

a=ay, b=bee, c=sea/see/cee, d=dee, etc

@ratza: Having used this before for the hell of it, and to show a client how bad having rdp open to the world is I can tell you that windows will not log it if it is the administrator account. If it is any other user it will. I think you can turn on verbose authentication logging as well.
TSGrinder did get me into this clients server as well, it worked multi-threaded on my box, I think I had about 10 going at once, and it got the pretty simple password in about two hours, with nothing in the security log at all, and nothing on their firewall or IDS.
This is why with windows you are better off disabling or renaming the admin account, and setting the admin accounts that you create to have account lockouts. Or simply don’t open rdp, or do both.
I would like to see something like Denyhosts for RDP as then it would simply block the offending IP at the software level, slowing down majorly any brute force.

While tsgrinder is a neat windows only RDP bruter, for linux users i would suggest the rdesktop brute force patch (http://www.foofus.net/jmk/tools/rdp-brute-force-r805.diff). Although i’ve never used TSgrinder it sounds ridiculously slow..

@Splink: not having used the Rdesktop patch, I can say that from reading here: http://www.foofus.net/jmk/rdesktop.html that they sound very similar. There is a version of rdesktop for windows so maybe tsgrinder uses that as it seems quicker than the built in MSTSC.
As I said I had 10 threads of tsgrinder going at once to a 2k3 box, it would take about 5-10 seconds per thread to check a password, that does make it pretty slow (about 1 password a second), but this is more the server slowing down authentications due to failures.
You can work out that most admins are lazy, most passwords are non-complex, and most are 7 charecters or less, use a dictionary and you only have around a million words, that should only take 10-15 days. Thats pretty bad.
Very good reasons to also have complex passwords, oh btw the one I found oh so long ago was in my dictionary it was very basic, no caps, no numbers, and a dictionary word, they have changed it so it is all good.

Navin/Zupakomputer/Morgan,

i have been trying to get this working and your posts suggest you have it working. I (and many others on forums) have an error when trying to run tsgrinder which is:

“Couldn’t get handle to client window”

I have looked at the dll versions, target machines etc and i am having no joy. Did you have to do anything to get this working and on what platforms?

Thanks in advance!

Sure mate…we’re all here after all to help!!
Ya I did have a similar error quite a few times when I tried to run Tsgrinder from my home PC:

“timed_Event_send_recv: Wait Failed: TIMEOUT
Couldn’t get handle to client window”

But it did work from the office PC

I think the problem tht Ure facing is tht the server U’re trying to bruteforce has disabled remote access…..If its a high profile server then probably its unable to serve any more connection requests

Try a diff server…I’d also suggest tht U read up on wht TSgrinder can do…. http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-mullen.pdf

Do report on how it works out,
Cheers

PS thnks fr the blog appreciation

Im getting the same error in Vista, worked fine on XP.

@ razta

the same server tht U’d managed to connect to on XP din’t connect thru vista?? Or was it some diff. server??

Read my last comment

@navin

“the same server tht U’d managed to connect to on XP din’t connect thru vista??” Yes

“Or was it some diff. server??” Same server

hi
im getting
timed_Event_send_recv: Wait failed: TIMEOUT
Couldn’t get handle to client window
using xp

did anyone got the solution ?

please help//

@tal
Looks like it has timed out. Have you tried it on another box? Are you sure that the box your testing has a terminal server running?

timed_Event_send_recv: Wait failed: TIMEOUT
Couldn’t get handle to client window

i get this error on my win2000 server and also on my XP Laptop.

it dus brute force for 1/2 hours but after that it stops and it gives me that error.

The remote server has port: 3389 opend and it has remote desktop access enabled.

So what is the problem ???

i give u money by Paypal or creditcard if u can solve this problem 100%
ContacT: johnghowson2@hotmail.com

I too am getting:

timed_Event_send_recv: Wait failed: TIMEOUT
Couldn’t get handle to client window

This is on an XP SP3 to a 2003 R2 SP2, any assistance would be greatly appreciated.

The newer Version of Windows Remote Desktop doesnt work with TSgrinder, the homos at MS made this possible, uninstall that garbage “update” and your problems will be solved, you cannot use TSgrinder on vista, because it comes with the homo client.

One thing you guys can all do to prevent this kind of attack is place a legal notice on your machines. This was originally intended to prevent brute force attacks on Terminal Servers. The program doesn’t know to click ok to continue… I have enabled this and tested with tsgrinder and was unable to get past it…

A. You need to use the registry editor

1. Start the registry editor (regedit)
2. Move to HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon
3. Double Click the “LegalNoticeCaption”, and enter the text to be in the title bar, click OK
4. Double Click the “LegalNoticeText”, and enter the warning text and click OK
5. Close the registry and logoff, when you logon you will see the warning

Works every time!