This exploiter uses brute force to propagate through the network via Remote Desktop Protocol (RDP). For more information about RDP, see Microsoft's documentation.

Credentials used

The RDP exploiter can be run from both Linux and Windows attackers and will use configured or stolen credentials to propagate. Different combinations of credentials are attempted in the following order:

  1. Brute force usernames and passwords - The exploiter will attempt to use all combinations of usernames and passwords that were set in the [configuration]({{< ref "/usage/configuration/credentials" >}}) or stolen by a credentials collector.

  2. Brute force usernames and NT hashes - The exploiter will attempt to use all combinations of usernames and NT Hashes that were set in the [configuration]({{< ref "/usage/configuration/credentials" >}}) or stolen by a credentials collector.

Authenticating over RDP with NT hashes only works on Windows 8.1 and Windows Server 2012 R2. You can read more here.
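The brute-force behaviour described above shows up on a target as a burst of failed RemoteInteractive (RDP) logons from one source. The following is an added detection example, not part of the Infection Monkey documentation: it runs a sliding-window threshold over constructed log lines modelled on Windows Security event 4625. The line format, the threshold and the window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4625 (failed
# logon). LogonType 10 is RemoteInteractive, i.e. an RDP logon attempt.
# Assumed line format: "<ISO timestamp> 4625 LogonType=<n> User=<name> Src=<ip>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 4625 LogonType=10 User=administrator Src=10.0.0.5
2024-05-01T10:00:02 4625 LogonType=10 User=administrator Src=10.0.0.5
2024-05-01T10:00:03 4625 LogonType=10 User=backup Src=10.0.0.5
2024-05-01T10:00:04 4625 LogonType=10 User=svc_sql Src=10.0.0.5
2024-05-01T10:00:05 4625 LogonType=10 User=administrator Src=10.0.0.5
2024-05-01T10:00:06 4625 LogonType=10 User=backup Src=10.0.0.5
2024-05-01T10:00:07 4625 LogonType=3 User=administrator Src=10.0.0.7
2024-05-01T10:30:00 4625 LogonType=10 User=alice Src=10.0.0.9
"""

def parse_event(line):
    """Parse one constructed log line into a dict."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
            "logon_type": int(kv["LogonType"]), "user": kv["User"], "src": kv["Src"]}

def rdp_failures(log_text):
    """Keep only failed logons (4625) of type 10 (RemoteInteractive / RDP)."""
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if e["id"] == 4625 and e["logon_type"] == 10]

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: {"failures": n, "users": [...]}} for every source that
    produced at least `threshold` RDP logon failures inside any `window`.
    The user list shows whether one account or many were tried."""
    by_src = defaultdict(list)
    for e in rdp_failures(log_text):
        by_src[e["src"]].append(e)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {"failures": len(events),
                               "users": sorted({e["user"] for e in events})}
                break
    return alerts
```

Running `detect_rdp_bruteforce(SAMPLE_LOG)` on the constructed input flags only 10.0.0.5; the network logon from 10.0.0.7 and the single failure from 10.0.0.9 are ignored.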

Securing Remote Desktop Protocol

For information about remediating RDP-related security risks, see Microsoft's guidance.