OSCP Cheatsheet
  • Reference List
  • Basic
  • Methodology
    • Basic Scans
    • Service Enumeration
      • TCP: HTTP(S) - 80 / 443
      • TCP: SMB - 139 / 445
      • TCP: FTP - 21
      • TCP/UDP: DNS - 53
      • TCP: SSH - 22
      • TCP/UDP: LDAP - 389 / 636 / 3268
      • TCP/UDP: Kerberos - 88
      • UDP: SNMP - 161
      • TCP: SMTP - 25
      • TCP: RDP - 3389
      • TCP: RPC - 135 / 593
      • TCP: Evil-WinRM - 5985 / 5986
      • TCP: MYSQL - 3306
      • TCP: MSSQL - 1433
      • TCP: Confluence - 8090
    • Extras
  • File Transfer
  • KeePass Database
  • Shells
  • Enumeration
    • Linux
    • Windows
    • Git
  • Privilege Escalation
    • Linux
      • Abusing Cron Jobs
      • Abusing Password Authentication
      • Abusing Setuid Binaries and Capabilities
      • Abusing Sudo
      • Exploits
    • Windows
      • Service Binary Hijacking
      • DLL Hijacking
      • Unquoted Service Paths
      • Scheduled Tasks
      • Exploits
  • Port Forwarding
    • Linux
    • Windows
  • Attacks
    • Public Exploits
    • User Creation
    • Password Cracking
      • Custom Rules
      • Custom Password List
    • Phishing
    • SQLi
  • Active Directory
    • Enumeration
    • Attack
    • Lateral Movement
    • Persistence
Powered by GitBook
On this page
  • Connection to Target Machine
  • FreeRDP3
  • Impacket
  • Enumeration
  • Nmap
  • Bruteforce
  • crackmapexec
  • nxc
  • hydra
  1. Methodology
  2. Service Enumeration

TCP: RDP - 3389

Connection to Target Machine

FreeRDP3

xfreerdp3 /u:'<Username>' /d:'<Domain Name>' /p:'<Password>' /v:<Target IP Address> /dynamic-resolution +clipboard /drive:/home/kali/offsec/downloads,/shared

Impacket

impacket-psexec '<Domain Name>'/'<Username>':'<Password>'@<Target IP Address>
impacket-wmiexec <Domain Name>/<Username>:<Password>@<Target IP Address>

Enumeration

Nmap

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <Target IP Address>

Bruteforce

crackmapexec

crackmapexec rdp <Target IP Address> -u <Username List> -H <Hashes List> --continue-on-success
crackmapexec rdp <Target IP Address> -u <Username List> -P <Password List> --continue-on-success

nxc

nxc rdp <Target IP Address> -d <Domain Name> -u <Username List> -p <Password List> --continue-on-success
nxc rdp <Target IP Address> -d <Domain Name> -u <Username List> -H <Hashes List> --continue-on-success

hydra

hydra -L <Username List> -p <Password List> <Target IP Address> rdp
PreviousTCP: SMTP - 25NextTCP: RPC - 135 / 593

Last updated 22 days ago