Bypass Duo MFA for RDP
In this blog we are going to take a look at an often overlooked or under-appreciated method to bypass Duo MFA for RDP. As long as the attacker has administrative rights on the computer, this blog will demonstrate how it is possible to enable restricted admin mode, and subsequently bypass the multi-factor authentication (MFA) requirement to gain access to the target system via Remote Desktop Protocol (RDP).
Background
Before we jump into the method I used to bypass Duo MFA for RDP, we should start by defining the problem. On a recent penetration test, I was able to elevate my permissions on the network through common methods, and eventually I achieved domain administrator level permissions. The problem is, when I tried to RDP into the domain controller in order to create a Triaxiom account and get some impact screenshots for the report, I was met with a DUO MFA prompt.
Obviously, I could still use tools such as the Impacket script SecretsDump to dump the contents of the NTDS file, but I really wanted a good screenshot for the report aimed at a non-technical audience. So naturally, I started looking for a way to bypass Duo MFA for RDP.
Existing Method to Bypass Duo MFA for RDP
One of the most common methods for bypassing duo on RDP that I found in my searches is a blog written by N00PY. In this blog, N00PY explains a very common configuration in Duo known as FailOpen.
This configuration allows users to authenticate, even without MFA, if for some reason the Duo Security cloud service can’t be reached (e.g., no Internet access). This is used in many organizations for very obvious reasons. If the Internet is down, they may still need to RDP into a system to fix or troubleshoot issues. To take advantage of this, N00PY cleverly lays out two methods to intentionally cause a failure and subsequently a fail-open. First, with access to the system, an attacker can create an incorrect entry in the local hosts file for the Duo API. The second method, when command line access is not available, is to use an ARP spoofing attack to create a targeted denial of service, preventing that system from reaching out to the Duo API. In both methods, once the connection to the Duo API fails, the attacker is allowed to RDP to the system without being prompted for MFA.
Alternative Method to Bypass MFA
Well, what happens if the current configuration for Duo does not fail open? During this internal penetration test, I found an alternative way to bypass Duo MFA for RDP. When reading the FAQ for Windows Logons and RDP on Duo’s Website, I noticed that Duo does not add a secondary authentication prompt for RDP with Restricted Admin Mode. This means if we can turn on Restricted Admin Mode, we can logon without being prompted for Duo MFA. To enable restricted admin mode we need local command access, or we can use a tool such as crackmapexec to run this command on the underlying host:
CME smb target_IP -u Administrator -p Password -x ‘reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f’
This command is setting the Registry Value for ‘DisableRestrictedAdmin’ to 00, which enables Restricted Admin Mode.
And once that is enabled, we are able to RDP to the host with no MFA prompt!
Once we have the screenshots we need, the only thing required to clean up is changing the registry entry back to a 1. Once we logout, we can try logging in again to verify that MFA is now required. This does not require rebooting the server.
How to Defend
Unfortunately, the best way to defend against this type of attack is to prevent an attacker from gaining administrative permissions over the workstation in the first place. Without administrative permissions, an attacker would be unable to modify registry settings, and thereby could not enable restricted admin mode. Additionally, Will Schroeder (HarmJ0y) has written a Yara rule to alert on this registry value changing.
