RDP#
RDP (Remote Desktop Protocol) is Microsoft’s display protocol for graphical remote sessions on Windows. The Linux operator meets RDP in two ways: as a client (graphical access into a Windows host on a red-team engagement, a jump-box, or an admin workstation), and as a brute-force / vulnerability target on internal networks. RDP runs on TCP/UDP 3389 (UDP for newer transports) and is the single most common Windows-side foothold in mid-sized environments after SMB.
Protocol layers, briefly:
Layer |
Role |
|---|---|
X.224 / T.125 |
ITU heritage; framing. |
TLS / CredSSP |
Modern transport security; CredSSP implements NLA (Network Level Authentication). |
MS-RDPBCGR |
Core protocol; bitmap updates, input, channels. |
Virtual channels |
Clipboard, drives, audio, smart cards,
|
Connection negotiation#
NLA (Network Level Authentication) is the modern default. The client must prove credentials before the server allocates a session, which is why NLA blocks the pre-auth bitmap of a brute force the way bare RDP did not.
sequenceDiagram
participant C as Client (xfreerdp)
participant S as Server (RDP host)
C->>S: X.224 Connection Request, RDP Negotiation, TLS + CredSSP
S-->>C: X.224 Connection Confirm
Note over C,S: TLS handshake over the established channel
C->>S: CredSSP / NLA credentials, Kerberos or NTLM via SPNEGO
S-->>C: CredSSP auth result
C->>S: MCS Connect Initial, Erect Domain, Attach User
S-->>C: MCS Connect Response
C->>S: Client Info, encrypted credentials, locale, channels
S-->>C: Licensing exchange
Note over C,S: MS-RDPBCGR session begins, bitmaps and input flow
Linux clients#
Client |
Notes |
|---|---|
|
Best feature set; supports NLA, CredSSP, pass-the-hash, drive / clipboard / audio redirection, RDPGW, RemoteApp. |
|
Older; legacy RDP only. Mostly superseded by FreeRDP. |
|
GTK GUI front-end; uses FreeRDP + libvncserver. |
|
The actual MS client; rarely needed. |
# standard interactive session
$ xfreerdp /u:alice /d:CORP /v:dc01.corp.local /size:1600x900 /cert:ignore
# with sound, clipboard, and a shared drive
$ xfreerdp /u:alice /v:host \
+clipboard +fonts \
/sound:sys:pulse \
/drive:share,/tmp/rdpshare \
/size:1920x1080 +dynamic-resolution
# restricted-admin (no password sent; uses Kerberos / NTLM)
$ xfreerdp /u:alice /v:host /restricted-admin
# pass-the-hash
$ xfreerdp /u:Administrator /pth:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 /v:host
Pentest sweep#
# discover listeners
$ nmap -p 3389 --open 10.0.0.0/24
# security posture (TLS / CredSSP / NLA, NTLM target info)
$ nmap -p 3389 --script rdp-enum-encryption,rdp-ntlm-info host
# known CVEs
$ nmap -p 3389 --script rdp-vuln-ms12-020,rdp-vuln-cve2019-0708 host
# screenshot every reachable RDP host (handy for triage)
$ scrying -t 10.0.0.0/24:3389 -o /tmp/scrying
# password spray (low-and-slow)
$ crackmapexec rdp 10.0.0.0/24 -u alice -p 'Spring2025!'
$ ncrack -vv -p 3389 --user alice -P passwords.txt host
$ hydra -L users.txt -P pass.txt rdp://host
The two CVEs the operator names without looking up:
CVE |
Affects |
|---|---|
MS12-020 |
2012; pre-auth DoS via RDP. Ancient, still found. |
CVE-2019-0708 |
BlueKeep; pre-auth RCE on Win 7 / Server 2008 R2. Wormable. Patched May 2019. |
xrdp on Linux#
xrdp is the Linux-side RDP server, primarily used to expose
a Linux desktop to RDP clients. Less common than the inverse.
Path |
Purpose |
|---|---|
|
Listener / sesman configuration. |
|
Session policy (which DE to start, etc.). |
|
Connection logs. |
$ sudo apt install xrdp
$ sudo systemctl enable --now xrdp
$ sudo ss -tlnp | grep 3389
Hardening#
Don’t expose 3389 to the internet. Put RDP behind a VPN or a bastion. Look for it in
shodan.ioto see why; millions of hosts.Require NLA. Forces auth before the desktop is drawn; defeats pre-auth DoS / RCE classes (BlueKeep would have been mitigated).
MFA at the gateway. Use Remote Desktop Gateway (RDP-over-HTTPS) with conditional access / MFA, or wrap with ZTNA / VPN MFA.
Limit admin RDP. Put domain admins in Protected Users and use restricted-admin mode; no plaintext creds sent.
Account lockout + monitoring. RDP brute is loud; alert on 4625 failures and unusual source IPs.
See also#
SSH, the equivalent on the Linux side.
0X42 - Networks, discovering RDP listeners.
FreeRDP, [MS-RDPBCGR] (protocol reference).