RDP#

RDP (Remote Desktop Protocol) is Microsoft’s display protocol for graphical remote sessions on Windows. The Linux operator meets RDP in two ways: as a client (graphical access into a Windows host on a red-team engagement, a jump-box, or an admin workstation), and as a brute-force / vulnerability target on internal networks. RDP runs on TCP/UDP 3389 (UDP for newer transports) and is the single most common Windows-side foothold in mid-sized environments after SMB.

Protocol layers, briefly:

Layer

Role

X.224 / T.125

ITU heritage; framing.

TLS / CredSSP

Modern transport security; CredSSP implements NLA (Network Level Authentication).

MS-RDPBCGR

Core protocol; bitmap updates, input, channels.

Virtual channels

Clipboard, drives, audio, smart cards, rdpdr, rdpsnd.

Connection negotiation#

NLA (Network Level Authentication) is the modern default. The client must prove credentials before the server allocates a session, which is why NLA blocks the pre-auth bitmap of a brute force the way bare RDP did not.

        sequenceDiagram
    participant C as Client (xfreerdp)
    participant S as Server (RDP host)
    C->>S: X.224 Connection Request, RDP Negotiation, TLS + CredSSP
    S-->>C: X.224 Connection Confirm
    Note over C,S: TLS handshake over the established channel
    C->>S: CredSSP / NLA credentials, Kerberos or NTLM via SPNEGO
    S-->>C: CredSSP auth result
    C->>S: MCS Connect Initial, Erect Domain, Attach User
    S-->>C: MCS Connect Response
    C->>S: Client Info, encrypted credentials, locale, channels
    S-->>C: Licensing exchange
    Note over C,S: MS-RDPBCGR session begins, bitmaps and input flow
    

Linux clients#

Client

Notes

xfreerdp (FreeRDP)

Best feature set; supports NLA, CredSSP, pass-the-hash, drive / clipboard / audio redirection, RDPGW, RemoteApp.

rdesktop

Older; legacy RDP only. Mostly superseded by FreeRDP.

Remmina

GTK GUI front-end; uses FreeRDP + libvncserver.

mstsc.exe (via Wine)

The actual MS client; rarely needed.

# standard interactive session
$ xfreerdp /u:alice /d:CORP /v:dc01.corp.local /size:1600x900 /cert:ignore

# with sound, clipboard, and a shared drive
$ xfreerdp /u:alice /v:host \
           +clipboard +fonts \
           /sound:sys:pulse \
           /drive:share,/tmp/rdpshare \
           /size:1920x1080 +dynamic-resolution

# restricted-admin (no password sent; uses Kerberos / NTLM)
$ xfreerdp /u:alice /v:host /restricted-admin

# pass-the-hash
$ xfreerdp /u:Administrator /pth:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 /v:host

Pentest sweep#

# discover listeners
$ nmap -p 3389 --open 10.0.0.0/24

# security posture (TLS / CredSSP / NLA, NTLM target info)
$ nmap -p 3389 --script rdp-enum-encryption,rdp-ntlm-info host

# known CVEs
$ nmap -p 3389 --script rdp-vuln-ms12-020,rdp-vuln-cve2019-0708 host

# screenshot every reachable RDP host (handy for triage)
$ scrying -t 10.0.0.0/24:3389 -o /tmp/scrying

# password spray (low-and-slow)
$ crackmapexec rdp 10.0.0.0/24 -u alice -p 'Spring2025!'
$ ncrack -vv -p 3389 --user alice -P passwords.txt host
$ hydra -L users.txt -P pass.txt rdp://host

The two CVEs the operator names without looking up:

CVE

Affects

MS12-020

2012; pre-auth DoS via RDP. Ancient, still found.

CVE-2019-0708

BlueKeep; pre-auth RCE on Win 7 / Server 2008 R2. Wormable. Patched May 2019.

xrdp on Linux#

xrdp is the Linux-side RDP server, primarily used to expose a Linux desktop to RDP clients. Less common than the inverse.

Path

Purpose

/etc/xrdp/xrdp.ini

Listener / sesman configuration.

/etc/xrdp/sesman.ini

Session policy (which DE to start, etc.).

/var/log/xrdp.log

Connection logs.

$ sudo apt install xrdp
$ sudo systemctl enable --now xrdp
$ sudo ss -tlnp | grep 3389

Hardening#

  • Don’t expose 3389 to the internet. Put RDP behind a VPN or a bastion. Look for it in shodan.io to see why; millions of hosts.

  • Require NLA. Forces auth before the desktop is drawn; defeats pre-auth DoS / RCE classes (BlueKeep would have been mitigated).

  • MFA at the gateway. Use Remote Desktop Gateway (RDP-over-HTTPS) with conditional access / MFA, or wrap with ZTNA / VPN MFA.

  • Limit admin RDP. Put domain admins in Protected Users and use restricted-admin mode; no plaintext creds sent.

  • Account lockout + monitoring. RDP brute is loud; alert on 4625 failures and unusual source IPs.

See also#