RDP (3389)
Remote Desktop Protocol.
Protocol Information
RDP is a remote access protocol with a GUI, developed by Microsoft, that is used to connect to and interact with a Windows system remotely. Access is possible only if the host has Network Level Authentication (NLA), and with valid credentials.
Port
3389 TCP
RDP
Interact
mstsc.exe
On Windows locally
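Added example (not part of the original page): whether a host uses NLA is visible in its reply to the first RDP connection request, so the setting can be verified from a packet capture of a connection to your own server. The Python code below decodes that reply using the field values defined in MS-RDPBCGR; the function name, result labels and sample bytes are constructed for illustration.

```python
import struct

# Values defined in MS-RDPBCGR for the negotiation structures.
PROTOCOLS = {0: "PROTOCOL_RDP", 1: "PROTOCOL_SSL",
             2: "PROTOCOL_HYBRID", 8: "PROTOCOL_HYBRID_EX"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER",
            6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def parse_connection_confirm(data: bytes) -> dict:
    """Decode TPKT + X.224 Connection Confirm + optional RDP negotiation data."""
    if len(data) < 11:
        raise ValueError("truncated Connection Confirm")
    version, _reserved, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != 3 or tpkt_len != len(data):
        raise ValueError("bad TPKT header")
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:]
    if not neg:  # legacy server: no negotiation block, standard RDP security
        return {"kind": "none", "name": "PROTOCOL_RDP", "nla": "not used"}
    if len(neg) != 8:
        raise ValueError("unexpected negotiation block size")
    msg_type, _flags, length, value = struct.unpack("<BBHI", neg)
    if length != 8:
        raise ValueError("bad negotiation length field")
    if msg_type == 0x02:  # RDP Negotiation Response: server picked a protocol
        # PROTOCOL_HYBRID / HYBRID_EX mean CredSSP (NLA) was selected.
        nla = "selected" if value in (2, 8) else "not used"
        return {"kind": "response", "name": PROTOCOLS.get(value, hex(value)), "nla": nla}
    if msg_type == 0x03:  # RDP Negotiation Failure: the client's offer was refused
        # Code 5: server refuses clients that do not offer CredSSP.
        nla = "enforced" if value == 5 else "unknown"
        return {"kind": "failure", "name": FAILURES.get(value, hex(value)), "nla": nla}
    raise ValueError("unknown negotiation message type")

# Constructed sample replies (not captured from a real host).
SAMPLE_HYBRID = bytes.fromhex("03000013 0ed00000123400 0200080002000000")
SAMPLE_NLA_REQUIRED = bytes.fromhex("03000013 0ed00000123400 0300080005000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b 06d00000123400")

if __name__ == "__main__":
    for sample in (SAMPLE_HYBRID, SAMPLE_NLA_REQUIRED, SAMPLE_LEGACY):
        print(parse_connection_confirm(sample))
```

A reply of "selected" only shows that the server accepted CredSSP when the client offered it; "enforced" appears when the server rejects a client that did not offer it.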
Attacks
CVE-2019-0708
BlueKeep is a critical security vulnerability that affects the Microsoft Windows Remote Desktop Protocol (RDP) service. The flaw allows an attacker to execute code remotely on a vulnerable system without authentication, simply by sending specially crafted requests to the active RDP service. If successfully exploited, BlueKeep can lead to full compromise of the system, including complete control of the machine.
Disable Restricted Admin Mode
If Restricted Admin Mode is enabled, run this command on the host to disable it.