Skip to main content

RDP


Overview​

Remote Desktop Protocol (RDP) provides a full graphical desktop session to a Windows host. RDP runs on 3389/TCP by default.

  • Windows β†’ Windows: Use the built-in mstsc.exe (Remote Desktop Connection) or mstsc /v:<TARGET_IP> from a Run prompt.
  • Linux β†’ Windows: Use xfreerdp (preferred) or rdesktop.

This section covers Linux-originated RDP connections using xfreerdp.


xfreerdp β€” Basic Connection​

# Basic connection (prompts for password)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN

# Specify password inline (exposes to shell history β€” see OPSEC note)
xfreerdp /v:<TARGET_IP> /u:username /p:Password123 /d:DOMAIN

# Local account (no domain)
xfreerdp /v:<TARGET_IP> /u:localuser /p:Password123

# Specify non-default port
xfreerdp /v:<TARGET_IP>:3390 /u:username /d:DOMAIN

Common Options​

# Set window resolution
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /w:1920 /h:1080

# Full screen
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /f

# Dynamic resolution (resizes session to window)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /dynamic-resolution

# Ignore certificate errors (NLA/TLS cert not trusted by operator workstation)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /cert-ignore

# Keyboard layout (use if keymap is incorrect on target)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /kbd:0x00000409 # US English

Drive and Clipboard Sharing​

Share local directories or clipboard contents into the RDP session β€” useful for file transfer without SCP/SMB.

# Share local clipboard (copy/paste between operator and target)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /clipboard

# Mount a local directory as a drive inside the RDP session
# Appears as a network drive in File Explorer under "tsclient"
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /drive:tools,/opt/tools

# Mount home directory
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /drive:home,$HOME

# Combined example β€” clipboard + shared drive
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /cert-ignore /clipboard /drive:ops,/opt/ops /w:1920 /h:1080

Once connected, mounted drives appear in File Explorer under:

\\tsclient\<SHARE_NAME>

You can copy files to/from this path in File Explorer or from cmd.exe:

copy C:\malware_sample.exe \\tsclient\ops\

NLA (Network Level Authentication)​

NLA pre-authenticates before establishing a full desktop session, reducing attack surface on the server side. Most modern Windows targets require NLA.

xfreerdp handles NLA automatically when credentials are provided. If NLA negotiation fails:

# Disable NLA (fallback β€” some older targets or misconfigured hosts)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /sec:rdp

# Force TLS only (no NLA, no RDP classic)
xfreerdp /v:<TARGET_IP> /u:username /d:DOMAIN /sec:tls /cert-ignore
NLA Failure

If you receive ERRCONNECT_LOGON_FAILURE or the connection drops before a login screen appears, NLA authentication is failing β€” verify credentials and domain format before troubleshooting NLA settings.


Tunneling RDP Through SSH​

When RDP is not directly accessible but a jump host is available, tunnel RDP through an SSH local port forward.

# Step 1: Create SSH tunnel β€” forward local port 13389 to target's 3389 via jump host
ssh -L 13389:<TARGET_IP>:3389 -N -f username@<JUMP_HOST_IP>

# Step 2: Connect xfreerdp to the local tunnel endpoint
xfreerdp /v:localhost:13389 /u:username /d:DOMAIN /cert-ignore

mstsc (Windows to Windows)​

For reference β€” when operating from a Windows operator workstation:

# Open Remote Desktop Connection GUI
mstsc

# Connect directly from command line
mstsc /v:<TARGET_IP>

# Connect full screen
mstsc /v:<TARGET_IP> /f

# Save RDP connection file
mstsc /v:<TARGET_IP> /edit

Saved .rdp files store connection settings (server, username, resolution) and can be re-used. Do not store plaintext passwords in .rdp files.


OPSEC β€” Cleanup​

  • RDP logon events are logged on the target: Security EID 4624 (Logon Type 10 β€” RemoteInteractive), TerminalServices-LocalSessionManager EID 21/24.
  • The target stores logon history in the Security event log. This is expected behavior and cannot be avoided while using RDP.
  • On the operator's Windows host, mstsc.exe stores recently connected servers in:
    HKCU\Software\Microsoft\Terminal Server Client\Default
    HKCU\Software\Microsoft\Terminal Server Client\Servers\
    Clear these after mission if operating from a shared or monitored workstation.
  • If using a shared Linux operator station, xfreerdp does not cache credentials by default. Verify no .freerdp/ config was written: ls ~/.freerdp/