# 3389 - RDP

A user need to be part of the "Remote Desktop Users" in order to login to the host via RDP.

## Enumeration

### Nmap

Find encryption type:

`nmap -p 3389 --script rdp-enum-encryption <target>`

Enumerates information from remote RDP services with CredSSP (NLA) authentication enabled:

`nmap -p 3389 --script rdp-ntlm-info <target>`

Check if vulnerable to MS12-020:

`nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>`

## Brute force access

### RDPassSpray

RDPassSpary is a python tool to perform password spray attack in a Microsoft domain environment.

Link: <https://github.com/xFreed0m/RDPassSpray>

Usage:

```
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
```

### Crowbar

Link: <https://github.com/galkan/crowbar>

`./crowbar.py -b rdp -s 10.xx.xx.xx/32 -u sectest@TESTDOMAIN.local -C /root/Desktop/tests/hyda_rdp/rock.txt`

### Hydra:

`hydra -t 1 -V -f -l administrator -P rockyou.txt rdp://192.168.1.1`

## Connect to RDP

Please see this section on [how to connect ](https://infra.newerasec.com/infrastructure-testing/gaining-access/remote-desktop)