RDP
Overviewβ
Remote Desktop Protocol (RDP) provides a full graphical desktop session to a Windows host. RDP runs on 3389/TCP by default.
- Windows β Windows: Use the built-in
mstsc.exe(Remote Desktop Connection) ormstsc /v:<TARGET_IP>from a Run prompt. - Linux β Windows: Use
xfreerdp(preferred) orrdesktop.
This section covers Linux-originated RDP connections using xfreerdp.
xfreerdp β Basic Connectionβ
# Basic connection (prompts for password)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN
# Specify password inline (exposes to shell history β see OPSEC note)
xfreerdp /v:<TARGET_IP> /u:username /p:Password123 /d:DOMAIN
# Local account (no domain)
xfreerdp /v:<TARGET_IP> /u:localuser /p:Password123
# Specify non-default port
xfreerdp /v:<TARGET_IP>:3390 /u:username /d:DOMAIN
Common Optionsβ
# Set window resolution
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /w:1920 /h:1080
# Full screen
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /f
# Dynamic resolution (resizes session to window)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /dynamic-resolution
# Ignore certificate errors (NLA/TLS cert not trusted by operator workstation)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /cert-ignore
# Keyboard layout (use if keymap is incorrect on target)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /kbd:0x00000409 # US English
Drive and Clipboard Sharingβ
Share local directories or clipboard contents into the RDP session β useful for file transfer without SCP/SMB.
# Share local clipboard (copy/paste between operator and target)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /clipboard
# Mount a local directory as a drive inside the RDP session
# Appears as a network drive in File Explorer under "tsclient"
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /drive:tools,/opt/tools
# Mount home directory
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /drive:home,$HOME
# Combined example β clipboard + shared drive
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /cert-ignore /clipboard /drive:ops,/opt/ops /w:1920 /h:1080
Once connected, mounted drives appear in File Explorer under:
\\tsclient\<SHARE_NAME>
You can copy files to/from this path in File Explorer or from cmd.exe:
copy C:\malware_sample.exe \\tsclient\ops\
NLA (Network Level Authentication)β
NLA pre-authenticates before establishing a full desktop session, reducing attack surface on the server side. Most modern Windows targets require NLA.
xfreerdp handles NLA automatically when credentials are provided. If NLA negotiation fails:
# Disable NLA (fallback β some older targets or misconfigured hosts)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /sec:rdp
# Force TLS only (no NLA, no RDP classic)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /sec:tls /cert-ignore
If you receive ERRCONNECT_LOGON_FAILURE or the connection drops before a login screen appears, NLA authentication is failing β verify credentials and domain format before troubleshooting NLA settings.
Tunneling RDP Through SSHβ
When RDP is not directly accessible but a jump host is available, tunnel RDP through an SSH local port forward.
# Step 1: Create SSH tunnel β forward local port 13389 to target's 3389 via jump host
ssh -L 13389:<TARGET_IP>:3389 -N -f username@<JUMP_HOST_IP>
# Step 2: Connect xfreerdp to the local tunnel endpoint
xfreerdp /v:localhost:13389 /u:username /d:DOMAIN /cert-ignore
mstsc (Windows to Windows)β
For reference β when operating from a Windows operator workstation:
# Open Remote Desktop Connection GUI
mstsc
# Connect directly from command line
mstsc /v:<TARGET_IP>
# Connect full screen
mstsc /v:<TARGET_IP> /f
# Save RDP connection file
mstsc /v:<TARGET_IP> /edit
Saved .rdp files store connection settings (server, username, resolution) and can be re-used. Do not store plaintext passwords in .rdp files.
OPSEC β Cleanupβ
- RDP logon events are logged on the target: Security EID 4624 (Logon Type 10 β RemoteInteractive), TerminalServices-LocalSessionManager EID 21/24.
- The target stores logon history in the Security event log. This is expected behavior and cannot be avoided while using RDP.
- On the operator's Windows host,
mstsc.exestores recently connected servers in:Clear these after mission if operating from a shared or monitored workstation.HKCU\Software\Microsoft\Terminal Server Client\Default
HKCU\Software\Microsoft\Terminal Server Client\Servers\ - If using a shared Linux operator station,
xfreerdpdoes not cache credentials by default. Verify no.freerdp/config was written:ls ~/.freerdp/