Thursday, December 17, 2015

New RR Plugin: rdpnla.pl

I received a new RegRipper plugin from Chakib today, rdpnla.pl. In short, the plugin checks the SecurityLayer value of the HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp key to determine whether Network Level Authentication (NLA) is enabled.

So what, you ask? Well, for one, this is a way to help prevent the Sticky Keys attack from succeeding: with NLA enabled, a user has to authenticate before the remote logon screen is presented. If you've found that a system has been subject to the attack and want to see if it would succeed, be sure to run this plugin.

This HowToGeek page has a graphical discussion of what some of the other settings look like for this key.
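
As an added example (not Chakib's plugin and not RegRipper code), here is the same check in Python against a text export of an offline System hive, where CurrentControlSet does not exist and has to be resolved through the Select key's Current value. The export text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: fragment of a .reg-style text export of an offline SYSTEM hive.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"SecurityLayer"=dword:00000002
"""

# Documented meanings of the SecurityLayer value.
SECURITY_LAYER = {0: "RDP Security Layer", 1: "Negotiate", 2: "SSL (TLS)"}

def parse_reg_export(text):
    """Return {lowercased key path: {value name: int}} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def rdp_security_layer(text, root=r"HKEY_LOCAL_MACHINE\SYSTEM"):
    """Resolve the current control set and return (value, description)."""
    keys = parse_reg_export(text)
    select = keys.get((root + r"\Select").lower(), {})
    if "Current" not in select:
        raise KeyError("Select\\Current not found; cannot resolve control set")
    # An offline hive has ControlSet00N keys only; Select\Current names the live one.
    ccs = "ControlSet%03d" % select["Current"]
    path = (root + "\\" + ccs + r"\Control\Terminal Server\WinStations\RDP-Tcp").lower()
    values = keys.get(path, {})
    if "SecurityLayer" not in values:
        return None, "SecurityLayer value not present"
    val = values["SecurityLayer"]
    return val, SECURITY_LAYER.get(val, "unknown value")

if __name__ == "__main__":
    print(rdp_security_layer(SAMPLE_EXPORT))
```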

Thanks, Chakib!
