icon

RDP (Remote Desktop Protocol) Pentesting

Last modified: 2022-12-26

RDP is a protocol that provides a user with a graphical interface to connect to another computer over a network connection. A default port is 3389.

Enumeration

nmap --script rdp-enum-encryption -p 3389 <target-ip>
nmap --script rdp-ntlm-info -p 3389 <target-ip>
nmap --script rdp* -p 3389 <target-ip>

Brute Force Credentials

hydra -l username -P passwords.txt <target-ip> rdp
hydra -L usernames.txt -p password <target-ip> rdp

Connect

Remmina

Remmina is a remote desktop client for POSIX-based computer operating systems.

remmina

# -c: Connect given URI or file
remmina -c rdp://username@vulnerable.com
remmina -c rdp://domain\\username@vulnerable.com
remmina -c rdp://username:password@vulnerable.com

# ---------------------------------------------------------------------------------

# Settings

# Keyboard mapping
1. On Remmina client window, click menu icon and move to "Preferences".
2. Navigate to "RDP" tab and check "Use client keyboard mapping".
3. Reboot Remmina

FreeRDP

xfreerdp /u:username /v:10.0.0.1:3389
xfreerdp /u:username /p:password /cert:ignore /v:10.0.0.1 /workarea
# Create a shared drive (/drive:LOCAL_DIR,SHARE_NAME)
xfreerdp /u:username /p:password /drive:.,share /v:10.0.0.1
# Useful command for exploiting
xfreerdp /v:10.0.0.1 /u:username /p:password +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

# --------------------------------------------------------------------------------

# On remote Windows

# Access share directory in Command Prompt or PowerShell
\\tsclient\\~share\

Rdesktop

rdesktop -u username -p password 10.0.0.1:3389