3389 - RDP
Basic Information
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software (from here).
Default port: 3389
PORT STATE SERVICE
3389/tcp open ms-wbt-serverEnumeration
Automatic
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>It checks the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions).
Be careful, you could lock accounts
Password Spraying
Be careful, you could lock accounts
# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdpConnect with known credentials/hash
Check known credentials against RDP services
rdp_check.py from impacket let you check if some credentials are valid for a RDP service:
Attacks
Session stealing
With SYSTEM permissions you can access any opened RDP session by any user without need to know the password of the owner.
Get openned sessions:
Access to the selected session
Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features.
Important: When you access an active RDP sessions you will kickoff the user that was using it.
You could get passwords from the process dumping it, but this method is much faster and led you interact with the virtual desktops of the user (passwords in notepad without been saved in disk, other RDP sessions opened in other machines...)
Mimikatz
You could also use mimikatz to do this:
Sticky-keys & Utilman
Combining this technique with stickykeys or utilman you will be able to access a administrative CMD and any RDP session anytime
You can search RDPs that have been backdoored with one of these techniques already with: https://github.com/linuz/Sticky-Keys-Slayer
RDP Process Injection
If someone from a different domain or with better privileges login via RDP to the PC where you are an Admin, you can inject your beacon in his RDP session process and act as him:
{% content-ref url="../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md" %} rdp-sessions-abuse.md {% endcontent-ref %}
Adding User to RDP group
Shadow Attack
AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself.
{% embed url="https://github.com/JoelGMSec/AutoRDPwn" %}
HackTricks Automatic Commands
Last updated