Hacking Notes
PORT 3389/tcp RDP

Last updated 3 years ago

Introduction

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Enumeration

With nmap we can enumerate the service a little and obtain information such as the DOMAIN or the HOSTNAME. The scripts below also check the supported security layers and encryption levels, and test for the MS12-020 DoS vulnerability.

nmap -sV --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 <ip-addr>
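
The same scan output can be turned into a hardening finding rather than read by eye. This is an added example, not part of the original notes: a small Python parser for the normal output of the two scripts above, run over a constructed sample scan (the hostname, domain and values are made up), that flags a host still accepting the legacy Native RDP security layer (no NLA enforced) or 40/56-bit RC4.

```python
"""Turn the nmap RDP script output shown above into a hardening report (added example)."""
import re

# Constructed sample: the shape `nmap -sV --script "rdp-enum-encryption or rdp-ntlm-info" -p 3389` prints
SAMPLE_NMAP_OUTPUT = """\
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): SUCCESS
|     Native RDP: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
| rdp-ntlm-info: 
|   NetBIOS_Computer_Name: FILESRV01
|   DNS_Computer_Name: filesrv01.corp.example
|   Product_Version: 10.0.17763
|_  System_Time: 2021-03-04T10:11:12+00:00
"""
# Matches "|   Key: Value" / "|_  Key: Value"; a script header such as "| rdp-ntlm-info: " has an empty value
SCRIPT_LINE = re.compile(r"^\|_?\s*(.*?):\s*(.*)$")

def parse_rdp_scan(text):
    """Return {script_name: {key: value}} from nmap normal output."""
    results, current = {}, None
    for line in text.splitlines():
        m = SCRIPT_LINE.match(line)
        if not m:
            continue                                 # port table row or a line without a colon
        key, value = m.group(1).strip(), m.group(2).strip()
        if key.startswith("rdp-") and not value:
            current = results.setdefault(key, {})    # start of a new script block
        elif current is not None and value:
            current[key] = value
    return results

def rdp_findings(text):
    """Return (hostname, findings) a defender would raise for the scanned host."""
    r = parse_rdp_scan(text)
    enc, ntlm = r.get("rdp-enum-encryption", {}), r.get("rdp-ntlm-info", {})
    findings = []
    if enc.get("Native RDP") == "SUCCESS":           # connections accepted without NLA
        findings.append("NLA not enforced: legacy Native RDP security layer accepted")
    for cipher in ("40-bit RC4", "56-bit RC4"):
        if enc.get(cipher) == "SUCCESS":
            findings.append(f"weak cipher accepted: {cipher}")
    host = ntlm.get("DNS_Computer_Name") or ntlm.get("NetBIOS_Computer_Name", "unknown")
    return host, findings
```

Feed it the saved output of the nmap command above (`nmap ... -oN scan.txt`) to get a per-host list of settings to fix, typically by requiring NLA and setting the encryption level to High or FIPS.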

Checking Credentials

With rdp_check we can check credentials.

rdp_check <domain>/<username>:<password>@<ip-addr>

Connect via RDP

rdesktop

rdesktop <ip-addr>
rdesktop -u <user> -p <password> <ip-addr>
rdesktop -d <domain> -u <user> -p <password> <ip-addr>

xfreerdp

xfreerdp is an X11 Remote Desktop Protocol (RDP) client which is part of the FreeRDP project. An RDP server is built in to many editions of Windows. Alternative servers include xrdp and VRDP (VirtualBox).

xfreerdp /d:<domain> /u:<user> /p:<password> /v:10.10.10.10
xfreerdp /u:<user> /p:<password> /v:10.10.10.10

Connect via pass-the-hash (only works when the target has Restricted Admin mode enabled).

xfreerdp /u:<user> /pth:e3071bcf8c3ad25c891a8898f56aa62b /v:10.10.10.10

Other useful options:

/workarea                  Use the full work area (full window)
+clipboard                 Enable shared clipboard
/drive:share,/mnt/folder   Share the local directory /mnt/folder with the remote host as a drive named "share"

Post Exploitation

With mimikatz it is possible to list the current RDP sessions and connect to one of them. See the section **Hijacking RDP Session** for more info.

Enable RDP

Once we have fully compromised the server we can enable RDP:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

And add the user or group to the Remote Desktop Users group.

net localgroup "Remote Desktop Users" <user> /add