3389 - Pentesting RDP

Resources :

Basic Information

The Remote Desktop Protocol (RDP) is a protocol developed by Microsoft for remote access to a computer running the Windows operating system. This protocol allows display and control commands to be transmitted via the GUI encrypted over IP networks. RDP works at the application layer in the TCP/IP reference model, typically utilizing TCP port 3389 as the transport protocol. However, the connectionless UDP protocol can use port 3389 also for remote administration.

Connect with known credentials/hash

rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
xfreerdp /u:[domain\]<username> /p:<password> /v:<IP>
xfreerdp /u:[domain\]<username> /pth:<hash> /v:<IP>

Footprinting RDP

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>
nmap -sV -sC <IP> -p3389 --script rdp*

It checks the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions).

we can use --packet-trace to track the individual packages and inspect their contents manually. We can see that the RDP cookies (mstshash=nmap) used by Nmap to interact with the RDP server can be identified by threat hunters and various security services such as Endpoint Detection and Response (EDR) which can lock us down.

nmap -sV -sC <IP> -p3389 --packet-trace --disable-arp-ping -n

A Perl script named rdp-sec-check.pl has also been developed by Cisco CX Security Labs that can unauthentically identify the security settings of RDP servers based on the handshakes.

sudo cpan # instalation
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
./rdp-sec-check.pl <IP>
Previous3306 - Pentesting MysqlNext5985,5986 - WinRm

Last updated