0. INTRODUCTION
RDP cracking is one way for attackers to get into systems, whether the server is exposed on the WAN or used as a pivot inside a network. A compromised RDP server is also a convenient jump host: attackers launch further attacks from it so that their real origin stays hidden.
Why are RDP servers hacked?
Exposure on the Internet: statistics on the number of accessible RDP servers (Shodan, Censys).
Weak or reused passwords: the impact of brute-force attacks and password spraying.
Lack of protection: no MFA (Multi-Factor Authentication), no lockout rules after failed attempts.
Known vulnerabilities: examples like BlueKeep (CVE-2019-0708) and other unpatched flaws.
Lack of monitoring: unmonitored logs, absence of a SIEM, etc.
1. BASICS / TERMINOLOGY
A. RDP vs RDS
RDP = Remote Desktop Protocol is a Microsoft-developed protocol that allows remote control of a computer with a graphical interface. It works by transmitting screen data, inputs (keyboard/mouse), and commands between the client and the remote server over a network.
RDP characteristics:
Default port: TCP 3389 (only the default; administrators can change it or expose it through a forwarded port)
Encryption: the transport is protected with TLS (often still called SSL) when client and server negotiate it; the legacy "Standard RDP Security" mode without TLS is far weaker
Authentication: Network Level Authentication (NLA) authenticates the user through CredSSP before a session is created, which removes most of the pre-authentication attack surface (it is, for example, a mitigation for BlueKeep)
Multi-session: supports multiple simultaneous remote sessions in environments like RDS (Remote Desktop Services)
Platform support: primarily Windows, but clients exist for Linux, macOS, and mobile platforms
Security risks: vulnerable to brute-force attacks and exploits if not secured properly (weak passwords, missing patches, ports exposed to the Internet)
RDP is disabled by default on both servers and workstations and has to be enabled explicitly (screenshot of Windows Server Manager below):
[Image: aRv5toT.png]
RDS = Remote Desktop Services is a Microsoft service that allows multiple users to access virtual desktops, applications, or sessions hosted on a remote server. It enables centralized management and delivery of resources over a network.
This is where RDS is configured on Windows Server. It is commonly used to deliver applications or complete work environments to many users from one server instead of installing the same software on every workstation. It can also lower software licensing costs, since the application is installed once on the server (RDS itself still requires per-user or per-device Client Access Licenses):
[Image: ZlJKq0N.png]
B. Tools to connect through RDP
Windows
Be aware that hosting RDP connections is only possible on Windows Server and Windows Pro / Enterprise. Windows Home / Family cannot accept incoming RDP connections, but it can still be used to connect to other RDP hosts. That means the targets are mostly professional / corporate machines. Here is Microsoft's built-in client (mstsc.exe):
[Image: 2jtcHJV.png]
Linux
You can also use Linux clients such as Remmina: https://remmina.org/ or xfreerdp (FreeRDP): https://linux.die.net/man/1/xfreerdp
[Image: fj2PDYn.png]
C. Find targets
Search engines:
Censys : https://search.censys.io/
[Image: hhjjTm9.png]
Shodan : https://www.shodan.io/
[Image: 3SpUCX0.png]
Scan tools:
Masscan : https://github.com/robertdavidgraham/masscan
Nmap : https://nmap.org/
Keep in mind that the port shown in these results is the default one (3389). When servers are exposed on the WAN, IT teams usually rely on port forwarding, so the externally reachable port is not 3389 but one they choose (for example 47777). The firewall / router accepts connections on that port and knows which internal service to forward them to, with a rule such as: when a connection arrives on port 47777, forward it to server A on port 3389.
That means RDP can sit behind any port. nmap and masscan are useful here because they can scan many ports and identify which service is really running behind each open one (for instance with nmap's -sV service detection).
Here is an example of an nmap scan with the default port:
[Image: GyWoe7D.png]
Here is the same machine with a forwarded port; as you can see, RDP is now running on port 47777:
[Image: pRNzYXz.png]
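The following is an added example, not code from this tutorial nor from nmap or masscan. It shows what a service probe has to do to recognise RDP on an arbitrary port, and at the same time reads back the security settings listed in the characteristics above (TLS, NLA, or legacy Standard RDP Security). It speaks only the first round trip of the protocol: an X.224 Connection Request carrying an RDP_NEG_REQ, and the server's X.224 Connection Confirm carrying an RDP_NEG_RSP or RDP_NEG_FAILURE. The three replies embedded in the script are constructed by hand to represent the three kinds of listener you will meet; `probe_rdp()` sends the same request to a live host, and the host and port it takes are placeholders of your choosing.

```python
"""Minimal RDP (MS-RDPBCGR) negotiation probe.

Speaks the first round trip of an RDP connection: an X.224 Connection Request
carrying RDP_NEG_REQ, and the server's X.224 Connection Confirm carrying
RDP_NEG_RSP or RDP_NEG_FAILURE. That exchange is how a service probe recognises
RDP on a non-default port, and the reply says whether the listener uses TLS,
enforces NLA (CredSSP) or still speaks legacy Standard RDP Security.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00        # legacy Standard RDP Security, no TLS
PROTOCOL_SSL = 0x01        # TLS
PROTOCOL_HYBRID = 0x02     # CredSSP, i.e. Network Level Authentication
PROTOCOL_RDSTLS = 0x04
PROTOCOL_HYBRID_EX = 0x08  # CredSSP with Early User Authorization Result
PROTOCOL_NAMES = {
    PROTOCOL_RDP: "Standard RDP Security (legacy, no TLS)",
    PROTOCOL_SSL: "TLS",
    PROTOCOL_HYBRID: "CredSSP / NLA",
    PROTOCOL_RDSTLS: "RDSTLS",
    PROTOCOL_HYBRID_EX: "CredSSP / NLA with Early User Authorization Result",
}
# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03


def build_x224_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID, cookie_user="probe"):
    """TPKT header + X.224 Connection Request TPDU + routing cookie + RDP_NEG_REQ."""
    cookie = f"Cookie: mstshash={cookie_user}\r\n".encode()
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0x00, 8, requested)
    # bytes after the length indicator: code 0xE0 (CR), DST-REF, SRC-REF, class 0
    tpdu = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie + neg_req
    x224 = bytes([len(tpdu)]) + tpdu
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, length


def parse_x224_connection_confirm(data):
    """Decode the server's reply and report what security the listener negotiated."""
    if len(data) < 11:
        raise ValueError("too short for a TPKT + X.224 Connection Confirm")
    version, _reserved, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != 3 or tpkt_len != len(data):
        raise ValueError("not a TPKT packet (version/length mismatch): probably not RDP")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError(f"expected X.224 Connection Confirm (0xD0), got 0x{code:02x}")
    if li + 5 != len(data):  # LI counts everything after itself
        raise ValueError("X.224 length indicator does not match packet length")
    neg = data[11:]  # TPKT(4) + LI(1) + code(1) + DST-REF(2) + SRC-REF(2) + class(1)
    if not neg:
        # Old server that never sends RDP_NEG_RSP: Standard RDP Security only.
        return {"kind": "legacy", "protocol": PROTOCOL_RDP, "nla": False,
                "detail": PROTOCOL_NAMES[PROTOCOL_RDP]}
    if len(neg) < 8:
        raise ValueError("truncated negotiation structure")
    ntype, _flags, nlen, value = struct.unpack("<BBHI", neg[:8])
    if nlen != 8:
        raise ValueError("negotiation structure length must be 8")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "protocol": value,
                "nla": value in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX),
                "detail": PROTOCOL_NAMES.get(value, f"unknown protocol 0x{value:x}")}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "protocol": None, "nla": value == 5,
                "detail": FAILURE_CODES.get(value, f"unknown failure code {value}")}
    raise ValueError(f"unexpected negotiation type 0x{ntype:02x}")


def is_rdp_reply(data):
    """True if the bytes parse as an RDP Connection Confirm, whatever port they came from."""
    try:
        parse_x224_connection_confirm(data)
        return True
    except ValueError:
        return False


def probe_rdp(host, port, timeout=5.0, requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """Send the request to a live host:port (placeholders, your choice) and decode the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request(requested))
        data = sock.recv(1024)
    return parse_x224_connection_confirm(data)


# Constructed replies (not captured traffic) for the three kinds of listener.
SAMPLE_NLA_SERVER = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 02 00 00 00")
SAMPLE_NLA_REQUIRED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")
SAMPLE_LEGACY_SERVER = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")

if __name__ == "__main__":
    for label, reply in [("NLA server", SAMPLE_NLA_SERVER), ("NLA required", SAMPLE_NLA_REQUIRED),
                         ("legacy server", SAMPLE_LEGACY_SERVER)]:
        print(label, parse_x224_connection_confirm(reply))
```

A listener that answers with an RDP_NEG_RSP selecting CredSSP (or fails with HYBRID_REQUIRED_BY_SERVER) enforces NLA: a valid credential is needed before any session exists, so pre-authentication exploits such as BlueKeep are out and credential attacks are what remains. A reply with no negotiation structure at all means Standard RDP Security without TLS, the weakest configuration you can find. Anything that is not a TPKT / X.224 Connection Confirm is simply not RDP, which is exactly the distinction a port scanner has to make on a forwarded port.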
Google Dorks
Here is a list of dorks to find RDP-related web front ends (RD Web Access, RD Gateway, the HTML5 web client) and leaked .rdp or configuration files through Google. The generic ones (inurl:"/remote", inurl:"login") return a lot of noise, so combine them with a domain or organisation name when you have a scope:

Web portals:
intitle:"Remote Desktop Web Connection"
intitle:"RD Web Access"
inurl:"/tsweb"
inurl:"/RDWeb"
inurl:"/remote"
inurl:"/remote-desktop"
inurl:"/remote-desktop-gateway"
inurl:"/webclient/index.html"
inurl:"rdp.html"
inurl:"rdweb/login.aspx"
intext:"Terminal Services" "Welcome"
intitle:"Remote Desktop" intext:"login"
intitle:"Remote Desktop Login"
inurl:"login" intext:"Remote Desktop"
intitle:"Remote Desktop" intext:"Username" intext:"Password"
intitle:"RD Web Access" intext:"Sign in"

Exposed .rdp files and directory listings:
filetype:rdp
intitle:index.of "rdp"

Logs and configuration files that mention RDP or port 3389:
filetype:log intext:"RDP"
filetype:conf intext:"RDP"
filetype:txt intext:"3389"
filetype:ini intext:"3389"