RDP (Remote Desktop Protocol) Pentesting

Last modified: 2022-12-26

Windows

RDP is a protocol that provides a user with a graphical interface to connect to another computer over a network connection. The default port is 3389/TCP.

Enumeration

nmap --script rdp-enum-encryption -p 3389 <target-ip>
nmap --script rdp-ntlm-info -p 3389 <target-ip>
nmap --script rdp* -p 3389 <target-ip>

Brute Force Credentials

hydra -l username -P passwords.txt <target-ip> rdp
hydra -L usernames.txt -p password <target-ip> rdp

Connect

Remmina

Remmina is a remote desktop client for POSIX-based computer operating systems.

remmina

# -c: Connect given URI or file
remmina -c rdp://username@vulnerable.com
remmina -c rdp://domain\\username@vulnerable.com
remmina -c rdp://username:password@vulnerable.com

# ---------------------------------------------------------------------------------

# Settings

# Keyboard mapping
1. On Remmina client window, click menu icon and move to "Preferences".
2. Navigate to "RDP" tab and check "Use client keyboard mapping".
3. Restart Remmina.

FreeRDP

xfreerdp /u:username /v:10.0.0.1:3389
xfreerdp /u:username /p:password /cert:ignore /v:10.0.0.1 /workarea
# Create a shared drive (/drive:LOCAL_DIR,SHARE_NAME)
xfreerdp /u:username /p:password /drive:.,share /v:10.0.0.1
# Useful combination: clipboard sharing, dynamic resolution and a shared drive
xfreerdp /v:10.0.0.1 /u:username /p:password +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

# --------------------------------------------------------------------------------

# On remote Windows

# Access the shared drive in Command Prompt or PowerShell (SHARE_NAME as given to /drive:)
\\tsclient\share\

Rdesktop

rdesktop -u username -p password 10.0.0.1:3389