Remote Desktop Protocol Attacks Explained

marketing302922 0 views 4 slides Oct 01, 2025

About This Presentation

Since BlueKeep is very popular, it would be beneficial to know the mechanism behind the exploit. RDP connects two machines via RDP through 32 virtual channels. One of the channels, named MS_T120, does not need to be connected by the client. However, if it is used for connection by the client, memo...


Slide Content

RDP Attacks Explained
Threat Intelligence Team
05.06.2022
BD02112102
Author: Cyber Threat Intelligence Team
Release Date: 05.06.2022
Report ID: 02112102

What is RDP?
RDP (Remote Desktop Protocol) is a protocol that provides a connection to a remote machine. It is a service built for Windows, but anyone can connect to an RDP port with suitable tools from other operating systems. Unlike Telnet or SSH, RDP gives you control of the remote machine through its Graphical User Interface; Telnet and SSH let you control a remote machine through its Command Line Interface. RDP is therefore more comfortable for connecting to and controlling a remote machine. To connect, you need to know the name or IP address of the remote machine, plus a username and password.
RDP is mostly used in corporate networks. Employees who want to do their job remotely connect to their work computer via RDP. As remote work is more prevalent nowadays, employees tend to work from remote locations, and so RDP becomes more important. Another use is that an IT employee may want to log into your computer remotely to fix an issue.
RDP Attacks
Attack Types and Vulnerabilities
• Brute-force attacks on RDP can be carried out with automated tools if the RDP port is open. This attack works when usernames and passwords are easy to guess and related to the target's private life (name, city, pet name, etc.).
• The BlueKeep vulnerability (CVE-2019-0708) allows attackers to execute commands remotely on the target machine. This vulnerability is popular, and an exploit module for it can be found in Metasploit.
• There are 103 CVE records for RDP vulnerabilities. You may want to look at them: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rdp
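The brute-force attack described in the first bullet leaves a trace a defender can count: each failed RDP logon is written to the Windows Security log as Event ID 4625 with LogonType 10 (RemoteInteractive). The following PowerShell is an added example written for this page, not code from the report or its authors. The sample records are constructed (documentation-range IP addresses 203.0.113.45 and 192.0.2.7, made-up account names); the cmdlets, the event ID and the LogonType value are standard Windows ones, and reading the live log needs an elevated shell on the host being audited.

```powershell
# Added example, not from the report: flag RDP brute-force activity from
# failed-logon records. Windows records a failed logon as Security Event ID 4625,
# and LogonType 10 (RemoteInteractive) marks an attempt that came in over RDP.

function ConvertFrom-FailedLogonEvent {
    # Flattens live 4625 events into simple objects. Needs an elevated shell on
    # the audited host; the offline sample below has the same shape.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                IpAddress      = $data['IpAddress']
                TargetUserName = $data['TargetUserName']
                LogonType      = [int]$data['LogonType']
            }
        }
}

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold     = 10,   # failures inside one window that trigger an alert
        [int]$WindowMinutes = 5
    )
    $Events |
        Where-Object { $_.LogonType -eq 10 } |
        Group-Object IpAddress |
        ForEach-Object {
            $group  = $_
            $sorted = @($group.Group | Sort-Object TimeCreated)
            # Sliding window: densest burst of failures from this source address
            $peak = 0
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $from = $sorted[$i].TimeCreated
                $to   = $from.AddMinutes($WindowMinutes)
                $n = @($sorted | Where-Object { $_.TimeCreated -ge $from -and $_.TimeCreated -lt $to }).Count
                if ($n -gt $peak) { $peak = $n }
            }
            [pscustomobject]@{
                IpAddress     = $group.Name
                TotalFailures = $group.Count
                PeakInWindow  = $peak
                DistinctUsers = @($group.Group.TargetUserName | Sort-Object -Unique).Count
                Suspicious    = ($peak -ge $Threshold)
            }
        }
}

# Constructed sample (documentation-range addresses): twelve failures in about
# 90 seconds from one source against several accounts, then one mistyped
# password from another source, and one console failure that is ignored.
$start  = [datetime]'2022-06-05T09:00:00'
$users  = 'administrator', 'admin', 'jsmith', 'test', 'backup'
$sample = @(
    0..11 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $start.AddSeconds(8 * $_); IpAddress = '203.0.113.45'
                           TargetUserName = $users[$_ % $users.Count]; LogonType = 10 }
    }
)
$sample += [pscustomobject]@{ TimeCreated = $start.AddMinutes(20); IpAddress = '192.0.2.7'; TargetUserName = 'jsmith'; LogonType = 10 }
$sample += [pscustomobject]@{ TimeCreated = $start.AddMinutes(21); IpAddress = '127.0.0.1'; TargetUserName = 'jsmith'; LogonType = 2 }

Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
# Live use: Find-RdpBruteForce -Events (ConvertFrom-FailedLogonEvent)
```

On the constructed sample, 203.0.113.45 is reported with 12 failures, a peak of 12 inside one five-minute window and 5 distinct target accounts, so it is flagged; 192.0.2.7 has a single failure and is not. The spread across several account names is the signal worth watching even below the threshold: a legitimate user mistypes one password, a brute-force tool walks a list.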
BlueKeep Mechanism
Since BlueKeep is very popular, it would be beneficial to know the mechanism behind the exploit. RDP connects two machines through 32 virtual channels. One of the channels, named MS_T120, does not need to be connected by the client. However, if the client does use it for a connection, memory corruption occurs and the attacker is able to execute commands remotely on the target machine.
The BlueKeep vulnerability is wormable. This means that an exploit can replicate itself and spread to other machines in the network. Wormable vulnerabilities may cause massive damage, especially to companies, because companies have a lot of machines connected to the same network.

Mitigation Methods
There are many ways to take measures; however, none of them is effective at protecting a user from an attacker when it is the only one taken. These measures are basic ones and can be applied by a non-IT person. You should consider taking as many of them as you can.
• Windows publishes patches for a specific vulnerability soon after it is found. If you are using Windows, you need to keep your operating system updated.
• When you try to connect to other machines via RDP, you are asked to enter a username and password. It would be beneficial to use second-factor authentication such as a VPN, SSL or an RDP gateway.
• You should enable NLA (Network Level Authentication), since it forces people to authenticate before connecting to any machine remotely.
• Disable the RDP service if it is not needed much. You can enable it when it is needed.
• You can set a maximum limit on login attempts. This will protect you from brute-force attacks.
• RDP uses 3389 as the default port number. An attacker might attack this port blindly, guessing that it serves RDP. If you change RDP's port number, it will be a little harder to break into the system.
• You can use port scanners or some PowerShell/command-line tools (tnc, netstat, telnet, …) for test purposes. This lets you be sure whether the port is open or not. Here is an example of how the tnc tool is used (a closed port and an open port are shown, respectively).

• If you do not need to use RDP, you may want to close the port, not just the service. You can do that by writing an inbound rule in the Windows Defender Firewall. In the example below, you can see an already written inbound rule named «RDP Connection». You can create new rules by selecting «New Rule…» in the right panel.
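The mitigation list above (patch level, NLA, RDP service state, login-attempt limit, listening port, port test with tnc, and the firewall rule) can be audited and applied from one PowerShell session. The script below is an added example for this page, not code from the report or its authors. The registry paths, the `fDenyTSConnections`, `UserAuthentication` and `PortNumber` values, and the cmdlets (`tnc` is the built-in alias of `Test-NetConnection`) are standard Windows ones; the host name `ws-example.corp.local`, the subnet `10.0.0.0/24` and the rule name are assumed placeholders, and the `net accounts` parsing assumes an English-language Windows. Run it from an elevated PowerShell on the host you are hardening.

```powershell
# Added example, not from the report: audit the RDP settings the mitigation
# list covers, and optionally apply the hardening. Requires an elevated shell.

$TsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsRoot\WinStations\RDP-Tcp"

function Get-RdpPosture {
    # Read-only check of the settings the mitigation list talks about.
    $ts  = Get-ItemProperty -Path $TsRoot
    $tcp = Get-ItemProperty -Path $RdpTcp
    [pscustomobject]@{
        RdpEnabled       = ($ts.fDenyTSConnections -eq 0)      # service accepting connections?
        NlaRequired      = ($tcp.UserAuthentication -eq 1)     # Network Level Authentication on?
        ListeningPort    = $tcp.PortNumber                      # 3389 unless changed
        FirewallRdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                             Where-Object { $_.Enabled -eq 'True' }).Count
        # 'net accounts' prints "Lockout threshold: Never" on an English system
        LockoutThreshold = (net accounts | Select-String 'Lockout threshold').Line.Split(':')[-1].Trim()
        LatestHotfix     = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).HotFixID
    }
}

function Test-RdpPort {
    # Same check as the report's tnc screenshot: is TCP/<port> reachable on the target?
    param([Parameter(Mandatory)] [string]$ComputerName, [int]$Port = 3389)
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = "$ComputerName`:$Port"; Open = $r.TcpTestSucceeded }
}

function Set-RdpHardening {
    param(
        [switch]$RequireNla,
        [int]$LockoutThreshold = 0,    # 0 = leave the current policy alone
        [string]$AllowedSubnet,        # e.g. '10.0.0.0/24' (assumed value); scopes the inbound rule
        [switch]$DisableRdp
    )
    if ($RequireNla) {
        Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1
    }
    if ($LockoutThreshold -gt 0) {
        # Maximum failed login attempts before the account locks
        net accounts /lockoutthreshold:$LockoutThreshold | Out-Null
    }
    if ($AllowedSubnet) {
        # Replace the broad built-in allow rule with one scoped to a single subnet
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
        $port = (Get-ItemProperty -Path $RdpTcp).PortNumber
        New-NetFirewallRule -DisplayName 'RDP Connection' -Direction Inbound -Protocol TCP `
            -LocalPort $port -RemoteAddress $AllowedSubnet -Action Allow -Profile Domain,Private | Out-Null
    }
    if ($DisableRdp) {
        # Close the service *and* the port, as the report recommends
        Set-ItemProperty -Path $TsRoot -Name fDenyTSConnections -Value 1
        Get-NetFirewallRule -DisplayName 'RDP Connection' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    }
}

Get-RdpPosture                                        # where do we stand?
Test-RdpPort -ComputerName 'ws-example.corp.local'    # placeholder host; expect Open = False after hardening
# Set-RdpHardening -RequireNla -LockoutThreshold 5 -AllowedSubnet '10.0.0.0/24'
```

`Get-RdpPosture` is safe to run anywhere; `Set-RdpHardening` changes live settings, so run it once with only `-RequireNla` and a lockout threshold first, then scope the firewall rule, and keep `-DisableRdp` for machines that genuinely do not need remote desktop. Changing the port (the report's 3389 point) is a matter of editing `PortNumber` under `$RdpTcp` and re-creating the firewall rule for the new value; the audit function reports the port currently in use.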
Conclusion
RDP is widely used by remote workers. Its usage has increased because of the coronavirus. This is not the only reason why attackers prefer attacking this service. Attackers are able to execute commands remotely, or sometimes even gain control of the GUI of the target machine. Attackers are likely to target companies, since they have a lot of computers in the same network and are likely to use RDP. Therefore, companies should set their authentication and authorization rules strictly. The measures mentioned above should also be considered.