RDP (3389)

Remote Desktop Protocol.

Protocol Information

RDP is a remote access protocol with GUI developed by Microsoft and is used to connect and interact remotely with a Windows system. Access is possible only if the host has Network level authentication (NLA), and by credentials.

Port

3389 TCP	RDP

Interact

Linux

Tools	Details
xfreerdp	xfreerdp /u:<USER> /p:<PASS> /v:<IP>:<PORT> [/dynamic-resolution /drive:linux,<PATH_DIR_SHARE>] (net use to view the location of our redirected drive)
rdesktop	rdesktop -u <USER> -p <PASS>

Windows

Tools	Details
mstsc.exe	On Windows locally

Other

Other

Tools	Details
remmina	Alternative

Attacks

BlueKeep

CVE-2019-0708

BlueKeep is a critical security vulnerability that affects the Microsoft Windows Remote Desktop Protocol (RDP) service. This security flaw allows an attacker to execute remote code on a vulnerable system without the need for authentication, simply by sending specially constructed requests to the active RDP service. If successfully exploited, BlueKeep can allow the complete compromise of the system, including complete control of the machine.

Disable Restricted Admin Mode

If Restricted Admin Mode is enabled, to disable it you need to run this command on the host.

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f