The RDP Screenshots tool captures visual screenshots of Remote Desktop services (port 3389) across your scope using netexec’s --nla-screenshot flag. Each screenshot is then processed with OCR (pytesseract/Tesseract) to extract visible text — useful for identifying login banners, computer names, domain membership, and running applications. Navigate to NETWORK → RDP Screenshots in the sidebar.

How it works

1. Scan targets

netexec runs nxc rdp <targets> --nla-screenshot against all provided targets. Each host that responds on RDP is screenshotted before authentication — capturing the NLA (Network Level Authentication) pre-login screen.

2. OCR text extraction

Each PNG screenshot is processed with pytesseract (Tesseract OCR engine) to extract readable text. The extracted text is stored alongside the screenshot in the results JSON.

3. Copy PNGs to gallery

Resulting PNGs are copied from netexec’s output directory into recon/screenshots/ so they can be served via the API and viewed in the gallery.

Requirements

RDP Screenshots requires two additional Python packages installed by setup.sh:
| Package | Purpose |
| --- | --- |
| pillow | Image processing library (PIL) required by pytesseract |
| pytesseract | Python wrapper for Tesseract OCR |
The system packages tesseract-ocr and tesseract-ocr-eng are installed by setup.sh via apt.

API endpoints

POST /api/rdpscreenshot/run

Launches an RDP screenshot scan against a list of targets. Any currently running RDP scan is automatically cancelled before the new scan starts.
curl -X POST http://localhost:8000/api/rdpscreenshot/run \
  -H "Content-Type: application/json" \
  -d '{"targets": ["10.10.10.1", "10.10.10.2", "192.168.1.0/24"]}'
Request body
| Field | Type | Description |
| --- | --- | --- |
| targets | array of strings | IP addresses, hostnames, or CIDR ranges to scan |
Response
{
  "status": "success",
  "scan_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

GET /api/rdpscreenshot/status

Poll the progress of a running RDP scan.
curl "http://localhost:8000/api/rdpscreenshot/status?scan_id=<scan_id>"
Response
{
  "status": "running",
  "phase": "scanning",
  "total": 10,
  "completed": 4,
  "results": [],
  "error": null,
  "scan_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
status is one of running, completed, cancelled, or error.

GET /api/rdpscreenshot/latest

Retrieve the results from the most recently completed RDP screenshot scan.
curl http://localhost:8000/api/rdpscreenshot/latest
Response
{
  "status": "ok",
  "results": [
    {
      "host": "10.10.10.1",
      "screenshot": "rdp_10.10.10.1.png",
      "ocr_text": "Windows Server 2019\nDC01\nCORP\\Administrator"
    }
  ]
}
Returns {"status": "none"} if no completed scan exists.

Output files

| File | Contents |
| --- | --- |
| recon/rdpscreenshot_<scan_id>.json | Full results with OCR text for all targets |
| recon/rdpscreenshot_<scan_id>.txt | Raw netexec output log |
| recon/screenshots/rdp_<ip>.png | Individual RDP pre-login screenshots |
Previous scan results (JSON + PNG files) are automatically cleaned up when a new scan starts.

Workflow

1. Identify RDP hosts

Run an Nmap scan with the infra port preset, which includes port 3389. Alternatively, run Masscan against port 3389. Discovered hosts appear in DATA → Hosts.

2. Run RDP Screenshots

Open NETWORK → RDP Screenshots. Enter target IPs or pull from your scope. Click Start Scan.

3. Review the gallery

Once the scan completes, screenshots appear in a gallery. The OCR text overlay shows extracted text from each pre-login screen.

4. Identify targets

Look for: computer names, domain membership displayed in the login banner, software versions visible on the desktop, and any other information that helps prioritize targets.

RDP Screenshots captures the pre-authentication NLA screen. No credentials are required or submitted. The tool is read-only and does not attempt to authenticate to RDP.
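
For the review in step 4, one way to summarize what each pre-login screen discloses, as an added example that is not part of the tool's own code: it parses a response in the shape documented for GET /api/rdpscreenshot/latest and lists, per host, any DOMAIN\user strings and Windows version banners found in ocr_text. The function name, the regexes, and the second and third sample records are constructed assumptions.

```python
import json
import re

# Constructed sample in the shape of the documented /api/rdpscreenshot/latest
# response. The first record is the page's own example; the others are made up.
SAMPLE_LATEST = json.dumps({
    "status": "ok",
    "results": [
        {"host": "10.10.10.1", "screenshot": "rdp_10.10.10.1.png",
         "ocr_text": "Windows Server 2019\nDC01\nCORP\\Administrator"},
        {"host": "10.10.10.2", "screenshot": "rdp_10.10.10.2.png",
         "ocr_text": "Windows 10 Enterprise\nOther user"},
        {"host": "10.10.10.3", "screenshot": "rdp_10.10.10.3.png",
         "ocr_text": ""},
    ],
})

# Heuristic patterns (assumptions). OCR output is noisy, so every hit is a
# lead to confirm against the PNG, not a verified fact.
ACCOUNT_RE = re.compile(
    r"\b([A-Za-z0-9][A-Za-z0-9.-]{0,14})\\([A-Za-z0-9._$-]{1,20})")
OS_RE = re.compile(r"Windows (?:Server )?\d[\w .]*")


def summarize_exposure(latest_json):
    """Return one dict per host listing what its pre-login screen discloses."""
    data = json.loads(latest_json)
    if data.get("status") != "ok":  # {"status": "none"}: no completed scan
        return []
    findings = []
    for entry in data.get("results", []):
        text = entry.get("ocr_text") or ""
        accounts = [f"{d}\\{u}" for d, u in ACCOUNT_RE.findall(text)]
        os_match = OS_RE.search(text)
        findings.append({
            "host": entry["host"],
            "accounts": accounts,  # DOMAIN\user strings visible pre-auth
            "domains": sorted({a.split("\\")[0] for a in accounts}),
            "os": os_match.group(0).strip() if os_match else None,
            "ocr_empty": not text.strip(),  # blank OCR: inspect the PNG by hand
        })
    return findings


if __name__ == "__main__":
    for finding in summarize_exposure(SAMPLE_LATEST):
        print(finding)
```

Hosts with a non-empty accounts list are displaying a domain and account name to unauthenticated viewers, which is worth recording as an information-disclosure finding in its own right.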
