--- title: "3389 - Rdp" weight: 3389 date: "2026-03-09T09:23:30+08:00" lastmod: "2026-03-10T13:26:55+08:00" --- 💡 **学习提示**: 本文档介绍 **Rdp** 的渗透测试方法,适合信息安全初学者和从业人员参考。 ⚠️ **法律声明**: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。 --- > ⚠️ **法律声明**: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。 ## 3389 - 渗透测试 RDP ### 基本信息 Developed by Microsoft, the **Remote Desktop 协议** (**RDP**) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, **RDP** client software is utilized by the user, and concurrently, the remote computer is required to operate **RDP** server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device. **默认 port:** 3389 ``` PORT STATE SERVICE 3389/tcp open ms-wbt-server ``` ### 信息收集 #### Automatic ```bash nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 ``` It checks the available encryption and 拒绝服务 vulnerability (without causing 拒绝服务 to the service) and obtains NTLM Windows info (versions). #### [Brute force](../generic-hacking/brute-force.md#rdp) **Be careful, you could lock accounts** #### **密码 Spraying** **Be careful, you could lock accounts** ```bash ## https://github.com/galkan/crowbar crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123' ## hydra hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp ``` #### Connect with known credentials/hash ```bash rdesktop -u rdesktop -d -u -p xfreerdp [/d:domain] /u: /p: /v: xfreerdp [/d:domain] /u: /pth: /v: #Pass the hash ``` #### Check known credentials against RDP services rdp_check.py from impacket let you check if some credentials are valid for a RDP service: ```bash rdp_check /:@ ``` ### **Attacks** #### Session stealing With **SYSTEM permissions** you can access any **opened RDP session by any user** without need to know the password of the owner. **Get openned sessions:** ``` query user ``` **Access to the selected session** ```bash tscon /dest: ``` Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features. **Important**: When you access an active RDP sessions you will kickoff the user that was using it. You could get passwords from the process dumping it, but this method is much faster and led you interact with the virtual desktops of the user (passwords in notepad without been saved in disk, other RDP sessions opened in other machines...) #### **Mimikatz** You could also use mimikatz to do this: ```bash ts::sessions #Get sessions ts::remote /id:2 #Connect to the session ``` #### Sticky-keys & Utilman Combining this technique with **stickykeys** or **utilman you will be able to access a administrative CMD and any RDP session anytime** You can search RDPs that have been backdoored with one of these techniques already with: [https://github.com/linuz/Sticky-Keys-Slayer](https://github.com/linuz/Sticky-Keys-Slayer) #### RDP Process Injection If someone from a different domain or with **better privileges login via RDP** to the PC where **you are an Admin**, you can **inject** your beacon in his **RDP session process** and act as him: ../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md #### Adding User to RDP group ```bash net localgroup "Remote Desktop Users" UserLoginName /add ``` ### Automatic Tools - [**AutoRDPwn**](https://github.com/JoelGMSec/AutoRDPwn) **AutoRDPwn** is a post-exploitation framework created in Powershell, designed primarily to automate the **Shadow** attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to **view his victim's desktop without his consent**, and even control it on demand, using tools native to the operating system itself. - [**EvilRDP**](https://github.com/skelsec/evilrdp) - Control mouse and keyboard in an automated way from command line - Control clipboard in an automated way from command line - Spawn a SOCKS proxy from the client that channels network communication to the target via RDP - Execute arbitrary SHELL and PowerShell commands on the target without uploading files - Upload and download files to/from the target even when file transfers are disabled on the target - [**SharpRDP**](https://github.com/0xthirteen/SharpRDP) This tool allows to execute commands in the victim RDP **without needing a graphical interface**. ### HackTricks Automatic Commands ``` Protocol_Name: RDP #Protocol Abbreviation if there is one. Port_Number: 3389 #Comma separated if there is more than one. Protocol_Description: Remote Desktop Protocol #Protocol Abbreviation Spelled out Entry_1: Name: Notes Description: Notes for RDP Note: | Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, RDP client software is utilized by the user, and concurrently, the remote computer is required to operate RDP server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device. https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-rdp.html Entry_2: Name: Nmap Description: Nmap with RDP Scripts Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP} ``` --- --- --- ### 搜索引擎语法 #### FOFA ```bash # FOFA 搜索语法 port="3389" ``` #### Shodan ```bash # Shodan 搜索语法 port:3389 ``` #### ZoomEye ```bash # ZoomEye 搜索语法 port:3389 ``` --- ## 📖 参考资料 - [HackTricks - 3389-rdp](https://book.hacktricks.wiki/en/network-services-pentesting/3389-rdp.html)