Mremoteng

The mRemoteNG project has finally some development activity again Press J to jump to the feed. Press question mark to learn the rest of the keyboard shortcuts.

MRemoteNG is the next generation of mRemote, an open source, tabbed, multi-protocol, remote connections manager. Skip to content. MRemoteNG is a fork of mRemote, an open source, tabbed, multi-protocol, remote connections manager. MRemoteNG adds bug fixes and new features to mRemote. It allows you to view all of your remote connections in a simple yet powerful tabbed interface. MRemoteNG supports the following protocols: RDP (Remote Desktop/Terminal Server). Top 10 alternatives to mRemoteNG that can be used as remote desktop connection which are free to use. As we all are aware that mRemoteNG is a free remote connection manager which has a multi-protocol design. You can use it to view all the remote connection in your system with just a simple tab format. Helps jump easily between tabs.

Sometimes to perform Windows Privilege Escalation you need to simply exploit the installed software. This is a common scenario for ethical hacking challenges. This tutorial will show you how to exploit remote connection managers, such as mRemoteNG.

One of those scenarios where it is necessary to exploit mRemoteNG is the Hack The Box host, “Bastion”. Metasploit has a module for decrypting encoded-passwords from mRemoteNG, but this tutorial is how to exploit mRemoteNG without using Metasploit.

Here’s What You Need

  • Kali Linux VM
  • Windows 10 VM
  • mRemoteNG installed on Windows 10
Mremoteng

What Is A Remote Connection Manager?

A remote connection manager basically manages remote connections to machines on the domain by saving the credentials being used and other settings. The vulnerability in this software is how it stores the passwords, sometimes someone finds out how to decrypt the encoded passwords. These are usually stored in configuration files in the software’s installation path.

Mremoteng

How To Exploit mRemoteNG

The connection doesn’t even need to be made, we are already saving the credentials. Open mRemoteNG and save a credential for username: sa-robbyg with password “Robbyrules”.

To exploit this remote connection manager we need to use this public exploit that came out after the vulnerability in the software was reported.

Go to this Github repository and download the exploit, which is a decryption toolhttps://github.com/kmahyyg/mremoteng-decrypt. The usage of this script is simple:

Usage: python3 mremoteng_decrypt.py [-f FILE | -s STRING] [-p CUSTOM_PASSWORD]

What we need to grab is the base64-encoded password from the file. The file path for this is C:Users%USER%AppDataRoamingmRemoteNGconfCons.xml, next open the file and grab the encoded password.

Mremoteng

This file is created by default by the software and it contains all the configuration items necessary for the program to run correctly.

Mremoteng Download

as you can see the password can be decrypted, and now we have the password for the user sa-robbyg.

Mremoteng

To see more about how to exploit mRemoteNG and remote connection managers to escalate privileges in a Windows environment buy a copy of the online ethical hacking course pdf, “Become An Ethical Hacker”.