RDP
What is RDP?
RDP (Remote Desktop Protocol) is a network communication protocol developed by Microsoft that allows a user to connect to and control another computer remotely over a network connection.
Remote Desktop Protocol enables a client device to display and interact with the graphical desktop of a remote machine as if the user were physically present at it. The protocol transmits screen updates, keyboard input, mouse movements, and other user interface data between the client and the remote system.
RDP is commonly used by:
System administrators for server management
IT support for remote troubleshooting
Users accessing their work or home computers remotely
Key features:
Graphical remote desktop access
Encrypted communication for security
Support for clipboard sharing, file transfer, printers, and audio redirection
Multi-session support on Windows Server editions
Default port - TCP/UDP 3389
Typical use cases:
Remote administration of Windows servers
Remote work and virtual desktops
Technical support and helpdesk operations
Connecting from Windows
We can connect to other machines using the RDP client built into Windows:

In the "Computer" field we enter the host, and the username below it;
After entering the host and username, you will be prompted for this user's password:

After typing the password, the connection will start:

Sometimes, when connecting, a certificate warning will pop up (self-signed certificate, untrusted authority, etc.):

In my case, I trust this certificate, so I click yes:

As you can see, I successfully connected to another host with RDP.
Connecting from Linux
We can also connect via RDP from Linux machines.
Two utilities are commonly used for RDP on Linux:
rdesktop - the simplest and most convenient option.
freerdp - more common in the information security community, as it supports Pass-the-Hash (PtH)
We can install these utilities in this way, say on Kali:
To connect with rdesktop, we use the following command:
As you can see, it's quite easy to remember, just 3 parameters:
172.16.2.5 - Host to connect to
-u - Username
-p - Password
Sometimes these parameters are also used:
-d - Domain
-n - Client hostname
-r - Enable the specified device redirection
Connection:
As we can see, there is a warning about the certificate here too.
After entering yes, we connect:

To use freerdp we will typically enter the following command:
Parameters:
/v: - Host
/u: - Username
/p: - Password
Sometimes these parameters are also used:
+clipboard - Enable clipboard
/dynamic-resolution - Allows dynamic resolution, making the image more stable
/d: - Domain
/cert:<deny/ignore/...> - Operations with the certificate
As I said earlier, you can use PtH:
Replace /p: with /pth: .
Another tool worth noting for network auditing is NetExec.
NetExec has features for working with RDP:
Check whether an RDP connection is possible:
Take a screenshot:
Here it is:

Run a command without fully connecting:

RDP: Authentication Types and Features
NLA - Network Level Authentication (the most important):
Authentication before creating an RDP session (even before the desktop appears).
How it works:
Uses CredSSP
Inside CredSSP: Kerberos (when the host is domain-joined and Kerberos is available), otherwise NTLM
Peculiarities:
Requires valid credentials
The user must have the right:
Allow log on through Remote Desktop Services
The safest and default option on modern Windows
If NLA is enabled on the server:
Connection without NLA is impossible
In freerdp:
Standard RDP Security (no NLA):
The old scheme involved logging in after establishing an RDP session.
Characteristics:
More vulnerable
Login screen may be displayed without valid credentials
Often disabled by policy
In freerdp:
TLS Security:
RDP over TLS, but without NLA.
Peculiarities:
Encryption is available
Authentication happens later, after the session is established
Sometimes used on older systems
In freerdp:
Restricted Admin Mode (important for pentesting):
What is this:
RDP without transferring the password to the remote host
Uses NTLM hash
In freerdp:
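The four modes above (Standard RDP Security, TLS, NLA and Restricted Admin) are settled in the very first packets of the connection, before any credential is sent: the client's X.224 Connection Request carries an RDP_NEG_REQ listing the security protocols it will accept, and the server's Connection Confirm answers with an RDP_NEG_RSP (the chosen protocol, plus a flag advertising Restricted Admin support) or an RDP_NEG_FAILURE. The following is an added example, not code from the original page or from the FreeRDP or NetExec projects; it builds and parses those messages from the layouts in MS-RDPBCGR, and the server_reply function is a simplified, constructed model of a server policy so the exchange can be run offline. All packet bytes are constructed in-process; nothing is sent to the network.

```python
"""Security negotiation in the RDP connection sequence (MS-RDPBCGR 2.2.1.1 / 2.2.1.2).

Client: X.224 Connection Request + RDP_NEG_REQ (requestedProtocols bitmask).
Server: X.224 Connection Confirm + RDP_NEG_RSP (selectedProtocol) or RDP_NEG_FAILURE.
Everything here is built in memory for the example; no sockets are used.
"""
import struct

# requestedProtocols / selectedProtocol values
PROTOCOL_RDP = 0x0        # Standard RDP Security: no TLS, logon after the session starts
PROTOCOL_SSL = 0x1        # TLS Security: encrypted, but authentication still comes later
PROTOCOL_HYBRID = 0x2     # CredSSP, i.e. NLA: Kerberos or NTLM before any session exists
PROTOCOL_HYBRID_EX = 0x8  # NLA with an early user-authorization result
PROTOCOL_NAMES = {PROTOCOL_RDP: "RDP", PROTOCOL_SSL: "TLS",
                  PROTOCOL_HYBRID: "NLA", PROTOCOL_HYBRID_EX: "NLA_EX"}

TYPE_NEG_REQ, TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x01, 0x02, 0x03
RESTRICTED_ADMIN_MODE_SUPPORTED = 0x08  # RDP_NEG_RSP flag set by the server
HYBRID_REQUIRED_BY_SERVER = 0x05        # RDP_NEG_FAILURE code: NLA is mandatory here
FAILURE_NAMES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def _x224(tpdu_code: int, neg_data: bytes) -> bytes:
    """Wrap rdpNegData in an X.224 CR (0xE0) or CC (0xD0) TPDU and a TPKT header."""
    body = struct.pack(">BHHB", tpdu_code, 0, 0, 0) + neg_data  # code, DST-REF, SRC-REF, class
    tpdu = bytes([len(body)]) + body                            # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu       # TPKT: version 3, total length


def build_neg_request(requested_protocols: int, flags: int = 0) -> bytes:
    return _x224(0xE0, struct.pack("<BBHI", TYPE_NEG_REQ, flags, 8, requested_protocols))


def build_neg_response(kind: int, flags: int, value: int) -> bytes:
    """kind is TYPE_NEG_RSP (value = selectedProtocol) or TYPE_NEG_FAILURE (value = failureCode)."""
    return _x224(0xD0, struct.pack("<BBHI", kind, flags, 8, value))


def _neg_data(pkt: bytes, expected_code: int) -> bytes:
    """Validate TPKT/X.224 framing and return the (possibly empty) rdpNegData bytes."""
    if len(pkt) < 11 or pkt[0] != 3 or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("malformed TPKT")
    li, code = pkt[4], pkt[5]
    if code != expected_code or li < 6 or 5 + li > len(pkt):
        raise ValueError("unexpected X.224 TPDU")
    neg = pkt[11:5 + li]   # whatever follows the 6-byte fixed TPDU header
    if neg and (len(neg) < 8 or struct.unpack("<H", neg[2:4])[0] != 8):
        raise ValueError("malformed rdpNegData")
    return neg


def parse_neg_request(pkt: bytes) -> dict:
    neg = _neg_data(pkt, 0xE0)
    if not neg:  # very old client: no negotiation data, Standard RDP Security implied
        return {"protocols": PROTOCOL_RDP, "flags": 0}
    typ, flags, _, protocols = struct.unpack("<BBHI", neg[:8])
    if typ != TYPE_NEG_REQ:
        raise ValueError("expected RDP_NEG_REQ")
    return {"protocols": protocols, "flags": flags}


def parse_neg_response(pkt: bytes) -> dict:
    """Summarise the server's decision the way an auditor reads it."""
    neg = _neg_data(pkt, 0xD0)
    if not neg:  # legacy server: no rdpNegData means Standard RDP Security only
        return {"outcome": "accepted", "protocol": "RDP", "nla": False, "restricted_admin": False}
    typ, flags, _, value = struct.unpack("<BBHI", neg[:8])
    if typ == TYPE_NEG_RSP:
        return {"outcome": "accepted", "protocol": PROTOCOL_NAMES.get(value, hex(value)),
                "nla": value in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX),
                "restricted_admin": bool(flags & RESTRICTED_ADMIN_MODE_SUPPORTED)}
    if typ == TYPE_NEG_FAILURE:
        return {"outcome": "refused", "failure": FAILURE_NAMES.get(value, hex(value)),
                "nla_required": value == HYBRID_REQUIRED_BY_SERVER}
    raise ValueError("unknown rdpNegData type")


def server_reply(request: bytes, require_nla: bool, restricted_admin: bool) -> bytes:
    """Constructed, simplified model of a server policy: prefer NLA, refuse if it is mandatory."""
    offered = parse_neg_request(request)["protocols"]
    nla_flags = RESTRICTED_ADMIN_MODE_SUPPORTED if restricted_admin else 0  # only meaningful with NLA
    if offered & PROTOCOL_HYBRID_EX:
        return build_neg_response(TYPE_NEG_RSP, nla_flags, PROTOCOL_HYBRID_EX)
    if offered & PROTOCOL_HYBRID:
        return build_neg_response(TYPE_NEG_RSP, nla_flags, PROTOCOL_HYBRID)
    if require_nla:  # client never offered CredSSP: an NLA-enforcing server refuses outright
        return build_neg_response(TYPE_NEG_FAILURE, 0, HYBRID_REQUIRED_BY_SERVER)
    if offered & PROTOCOL_SSL:
        return build_neg_response(TYPE_NEG_RSP, 0, PROTOCOL_SSL)
    return build_neg_response(TYPE_NEG_RSP, 0, PROTOCOL_RDP)


if __name__ == "__main__":
    modern = build_neg_request(PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX)
    plain = build_neg_request(PROTOCOL_RDP)
    for name, req in (("modern client", modern), ("plain-RDP client", plain)):
        print(name, "->", parse_neg_response(server_reply(req, require_nla=True, restricted_admin=True)))
```

In xfreerdp the /sec: option (rdp, tls, nla) controls which of these protocols the client offers, so the "connection without NLA is impossible" rule above is exactly the HYBRID_REQUIRED_BY_SERVER refusal that a /sec:rdp or /sec:tls request receives from an NLA-enforcing server. From the defender's side, a Connection Confirm with no negotiation data at all identifies a host still on Standard RDP Security, which is the configuration to fix first, and the RESTRICTED_ADMIN_MODE_SUPPORTED flag in the response tells you which hosts have Restricted Admin mode enabled.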
More About RDP