RDP Security Audit

28 April 2023 7 minutes

Everything about RDP: from setup to hacking

Remote Desktop Services (formerly known as Terminal Services) is a component of Microsoft Windows (server and client operating systems) that allows users to remotely run programs or manage a server from any machine running a Remote Desktop Connection client and network access. In a Remote Desktop Services session, whether the client needs access to the entire environment of the remote computer or simply needs to run individual programs, the Remote Desktop Session Host server does all the processing and uses its hardware resources. Connection technology ensures connection security in two ways. But nothing is impossible. There are methods that can break the security of the connection. Bruteforce is a method of hacking accounts by selecting their passwords.

The essence of the approach consists in the sequential automated search of all possible combinations of symbols with the aim of finding the correct one sooner or later. Or an “inside person”, when there is the ability to read and modify at will the messages exchanged between correspondents, and none of the latter can guess about the presence of an outsider in the channel. It usually begins with listening to the communication channel and ends with an attempt to replace the intercepted message, extract useful information from it, redirect it to some external resource. Therefore, you need to take care of your security in advance and understand that the information or access to it can be used by a third party. Therefore, this section discusses the tools and techniques associated with finding and verifying the security of remote desktops supported by the RDP service.

How to discover computers with Remote Desktop Protocol (RDP)

Search RDP on open ports

By default, the RDP server listens on TCP port 3389 and UDP port 3389.

Computers with Remote Desktop enabled can be searched using Nmap with a command like this:


Search result using Nmap.

You can add options to collect banners : -sV –script=banner:

Bruteforce RDP

crowbar (levye)

Crowbar, formerly known as levye, is a brute force tool that supports sshkey, vnckey, rdp, openvpn. The feature of the program is its simplicity and efficiency.

Installing crowbar in Kali Linux:

Installing crowbar in BlackArch:

As a target, you can specify a range of IP addresses in CIDR format (-s option) or a file with such ranges (-S option). If you only need to specify one destination (one IP address), just use the /32 mask, for example The -U option specifies a file with a list of user names, and the -u option allows you to specify a single user. The -C option specifies a file with a list of passwords, and the -c option allows you to specify a password. With the -b option, you need to specify the protocol to attack, in the case of -b rdp. The default port of the protocol can be changed with the -p option. The -d option makes it pre-check whether ports are open on the specified targets (that is, those specified with the -S and -s options).

All options crowbar: https://kali.tools/?p=3636

An example of a successful RDP attack:

An example of a successful RDP attack.

The levye program also works, but it has slightly different options:

An example of a successful levye attack.


Patator  it is the most powerful application for brute force of many network services.

An example of RDP brute force launch:

For details on using patator, see the application card https://kali.tools/?p=269, and the instructions link at the bottom of the application card.


This is a modified version of the previously discussed rdesktop program, which is a client for connecting to Windows Remote Desktop. This version differs from the original in that a brute force patch has been added. Let me remind you that the rdesktop program requires additional configuration if network level authentication (NLA) is enabled, so it is not very convenient to use it.

Collection of information about and through RDP

Rdp-sec-check to obtain characteristics of RDP service security settings

The rdp-sec-check tool checks what encryption algorithms and authentication methods are used, as well as some other security options. At the end of the scan, rdp-sec-check provides a brief summary of possible RDS security issues.

Installing rdp-sec-check on Kali Linux

Installation sequence.

Installing rdp-sec-check in BlackArch

The launch command is very simple:

In the screenshot, you can see the security methods used on the remote RDP server. There is nothing after the [+] Summary of security issues line, so no obvious problems have been detected.

Startup example.

Let’s check another, less secure host:

Here we see the following RDP server security issues:

They say that there is no NLA and therefore a DOS attack is possible. If NLA is not used, a man-in-the-middle attack is also possible. It goes on to say that SSL is supported but not required, allowing for a MITM (man-in-the-middle) attack.

Startup example.

Nmap scripts to gather information and audit RDP

Complete list of scripts: https://nmap.org/nsedoc/. Among them I found 3 related to RDP.


Determines which level of security and encryption level is supported by the RDP service. This happens by looping through all protocols and ciphers. When run in debug mode, the script also returns the protocols and ciphers that failed, as well as any errors encountered.


This script lists information from remote RDP services with CredSSP authentication (NLA) enabled.


Checks if the machine is vulnerable to the MS12-020 RDP vulnerability.

To run, you need to use the –script option, after which you can specify a script or several scripts separated by a comma:

You can also use all scripts like this:

We check vulnerabilities.

An example of searching for RDP servers in the local network and obtaining information using NSE scripts:

A man-in-the-middle attack on RDP


Responder is a comprehensive man-in-the-middle attack tool against Windows authentication methods. Among others there is an RDP server.


Pyrdp – is a man-in-the-middle attack tool and RDP library written in Python 3. It includes three tools:

  • pyrdp-clonecert

  • pyrdp-mitm

  • pyrdp-player

pyrdp does not have its own spoofer, so traffic redirection must be done by third-party tools such as bettercap, Ettercap, or MITMf. The author of pyrdp created his own version of bettercap, the main difference from the original one, which redirects all traffic when attacked, is that this version only redirects RDP traffic. Details about it here: https://github.com/GoSecure/pyrdp/blob/master/docs/bettercap-rdp-mitm.md

An example of running a man-in-the-middle attack on RDP using pyrdp:

Error «ImportError: cannot import name ‘RsaKey’ from ‘Crypto.PublicKey.RSA’»

The following error may occur:

To fix it, run the following commands:

Error «The server failed the negotiation. Error: The server requires that the client support Enhanced RDP Security»

The following error is also possible:

The reason is that the program does not support Network Level Authentication (NLA), that is, authentication only at the network level. Network Level Authentication (NLA) is a good way to add additional security to RDP, as it is impossible for an attacker to perform a man-in-the-middle attack on RDP without knowing the Windows user’s password.


seth performs a MitM attack and extracts credentials in plain text from RDP connections.


Launch example:

Other programs


sensepost-xrdp is the simplest X11 remote desktop tool for exploiting X11 sessions that do not require authentication.


sticky-keys-hunter this is a script for testing RDP hosts for sticky keys and utilman backdoor.


Found an error?
If you find an error, take a screenshot and send it to the bot.