Exploiting Remote Desktop Protocol

Mahran Al-Zyoud
|
10 steps

Firstly, power on the Kali Linux and Metasploitable 3 (Windows-based) virtual machines. \ On Kali Linux, open Terminal and use the following commands to determine the IP address of our target: [[nmap -sn 172.17.2.0/24 --exclude 172.17.2.25]] **Note**: Before performing a network scan, always identify the IP address of your attacker machine (Kali Linux) and exclude it from the scan results by using the following syntax: [[--exclude <IP-address>]].

Next, use the following Nmap commands to identify whether the target is running the RDP service: [[nmap -p 3389 172.17.2.23]] As shown in the following screenshot, port 3389 is open on the targeted system. In addition, port 3389 is the default port on Microsoft Windows for running RDP.

Next, use **Ncrack** to perform an online password-based attack on the RDP service on the targeted system with the intention of identifying valid user credentials for accessing the service on the target: [[ncrack -v -T 3 -u Administrator -P /usr/share/wordlists/rockyou.txt rdp://172.17.2.23]] The following is a breakdown for each syntax that’s used in the preceding command: - \-v: Enables verbosity - \-T: Specifies the timing of the attack from 0 (slow) to 5 (fastest) - \-u: Specifies a single username - \-P: Specifies a wordlist for dictionary-based attacks Performing password cracking can be very time-consuming. Ncrack will check connectivity with the targeted system and will then try each password if a wordlist is used with the specified username. Once the valid username and password combination is found, Ncrack will display the results as shown below.

[**Hydra** ](https://www.kali.org/tools/hydra/)is another online password-cracking tool that helps us identify valid username and password combinations on targeted systems with RDP enabled. Use the following commands to perform RDP password cracking with Hydra: [[hydra -t 4 -l Administrator -P /usr/share/wordlists/rockyou.txt rdp://172.17.2.23]] The following screenshot shows the results of Hydra and the valid user credentials.

Now that valid user credentials have been found, let’s try to obtain a remote desktop session with the target by using the following command: rdesktop -u Administrator -p vagrant 172.17.2.23 -g 1280x1024 The -g option allows you to specify the resolution of the window when the session is established. Be sure to modify the resolution settings such that the window fits your computer screen.

You will be prompted to trust the certificate from the remote target; simply type yes and hit Enter to establish the RDP session, as shown below.

The following screenshot shows the RDP session from Kali Linux to the targeted system. As shown below, using the rdesktop tool enables you to establish an RDP session from Kali Linux to a Windows operating system.