
Any RDP Cracker in the house?


The only (bodge-job) method I ever managed was:

  • Create SendKeys based VBScript to press 'yes' on a Remote Desktop Connection approval pop up
  • Copy VBScript to target machine
  • Create Scheduled Task on target machine, to run as logged in user, using PSEXEC, to run the above VBScript.
  • Send a Remote Desktop Connection request just before the above runs.
  • Profit.

This does require some prerequisites, such as admin account credentials.

Edited by haze1434

THC-Hydra can do a bruteforce on RDP. Of course, if common practice is used there shouldn't be an exposed RDP unless it is behind an RDP gateway. Even so, if they follow some security practices, you will most likely lock the account out, which will ruin the rest of your attack. If not, Hydra can brute it with a wordlist; you will have to follow the examples and lower the thread count though, or you will DoS the service.

Other than that, if they did not apply a cert you can use the self-signed cert you see to get the machine name inside the network and the domain name. If CredSSPSupport is off you can get the graphical desktop and see what Windows they are running.


:: "Unknown publisher"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /t "REG_DWORD" /d 109 /f >NUL 2>&1

:: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /t "REG_DWORD" /d 0 /f >NUL 2>&1

:: Delete old credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Store credentials to Micro$oft vault
CMD /Q /D /C cmdkey /add:"%RDGATEWAY%" /user:"%RDUSERNAME%" /pass:"%RDPASSWORD%" >NUL 2>&1
CMD /Q /D /C cmdkey /generic:"%HOSTNAME%" /user:"%USERNAME%" /pass:"%PASSWORD%" >NUL 2>&1


See spoiler:


@ECHO OFF
:: @jOte- 2059
:: CONNECT RDP/RDGATEWAY and cleanup ...


:: SETTINGS

SET RDGATEWAY=remote.bla.com
SET RDUSERNAME=BASE\admin
SET RDPASSWORD=whatthefuck

SET HOSTNAME=TS01
SET USERNAME=BASE\admin
SET PASSWORD=whatthefuck

SET RDPFILE=%TMP%\~bb%RANDOM%.tmp

:: END SETTINGS

CLS

:: "Unknown publisher"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /t "REG_DWORD" /d 109 /f >NUL 2>&1

:: "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /t "REG_DWORD" /d 0 /f >NUL 2>&1

:: Delete old credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Store credentials to Micro$oft vault
CMD /Q /D /C cmdkey /add:"%RDGATEWAY%" /user:"%RDUSERNAME%" /pass:"%RDPASSWORD%" >NUL 2>&1
CMD /Q /D /C cmdkey /generic:"%HOSTNAME%" /user:"%USERNAME%" /pass:"%PASSWORD%" >NUL 2>&1

:: Create tmpfile
CALL :createFile %HOSTNAME% %USERNAME%

:: Start tmpfile
REM START mstsc /admin %RDPFILE% 
START mstsc %RDPFILE%

:: Wait 30 seconds for mstsc to read the file, then clean up
TIMEOUT /NOBREAK 30 >NUL
CALL :cleanup
GOTO :EOF

:cleanup
:: Delete stored credentials from Micro$oft vault
CMD /Q /D /C cmdkey /delete:"%RDGATEWAY%" >NUL 2>&1
CMD /Q /D /C cmdkey /delete:"%HOSTNAME%" >NUL 2>&1

:: Restore "The identity of the remote computer cannot be verified. Do you want to connect anyway?"
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /f >NUL 2>&1

:: Restore "Unknown publisher"
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices" /v "%HOSTNAME%;%RDGATEWAY%" /f >NUL 2>&1

:: Delete tmpfile
DEL /F /Q %RDPFILE% >NUL 2>&1
GOTO :EOF

:createFile
(
ECHO screen mode id:i:2
ECHO use multimon:i:0
ECHO desktopwidth:i:1920
ECHO desktopheight:i:1080
ECHO session bpp:i:32
ECHO winposstr:s:0,3,0,0,800,600
ECHO compression:i:1
ECHO keyboardhook:i:2
ECHO audiocapturemode:i:0
ECHO videoplaybackmode:i:1
ECHO connection type:i:7
ECHO networkautodetect:i:1
ECHO bandwidthautodetect:i:1
ECHO displayconnectionbar:i:1
ECHO enableworkspacereconnect:i:0
ECHO disable wallpaper:i:0
ECHO allow font smoothing:i:0
ECHO allow desktop composition:i:0
ECHO disable full window drag:i:1
ECHO disable menu anims:i:1
ECHO disable themes:i:0
ECHO disable cursor setting:i:0
ECHO bitmapcachepersistenable:i:1
ECHO full address:s:%1
ECHO audiomode:i:0
ECHO redirectprinters:i:0
ECHO redirectcomports:i:0
ECHO redirectsmartcards:i:1
ECHO redirectclipboard:i:1
ECHO redirectposdevices:i:0
ECHO autoreconnection enabled:i:1
ECHO authentication level:i:2
ECHO prompt for credentials:i:0
ECHO negotiate security layer:i:1
ECHO remoteapplicationmode:i:0
ECHO alternate shell:s:
ECHO shell working directory:s:
ECHO gatewayhostname:s:%RDGATEWAY%
ECHO gatewayusagemethod:i:2
ECHO gatewaycredentialssource:i:4
ECHO gatewayprofileusagemethod:i:1
ECHO promptcredentialonce:i:0
ECHO gatewaybrokeringtype:i:0
ECHO use redirection server name:i:0
ECHO rdgiskdcproxy:i:0
ECHO kdcproxyname:s:
ECHO username:s:%2
)>%RDPFILE%

GOTO :EOF

:END
EXIT 1

Edited by Foxtrot
Add spoiler tags for large content
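As an added defender-side example (not from the original thread or its author): a Python script that parses a `reg export` of the Terminal Server Client key and flags the two client-side settings the batch script above changes to silence mstsc warnings. The `SAMPLE_EXPORT` text is constructed to mirror what that script leaves behind.

```python
"""Audit a 'reg export' of HKCU\\Software\\Microsoft\\Terminal Server Client.

Constructed example: flags AuthenticationLevelOverride=0 (server identity
warning silenced) and remembered LocalDevices entries (publisher/device
prompt silenced for a host). Not code from the original post.
"""
import re

TSC_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> dict[str, dict[str, int]]:
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    tree: dict[str, dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:  # a [KEY\PATH] header starts a new key
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:  # "Name"=dword:xxxxxxxx (hex)
            tree[current][m.group(1)] = int(m.group(2), 16)
    return tree


def audit_tsc(text: str) -> list[tuple[str, str]]:
    """Return (setting, explanation) pairs for weakened RDP-client settings."""
    tree = parse_reg_export(text)
    findings = []
    if tree.get(TSC_KEY, {}).get("AuthenticationLevelOverride") == 0:
        findings.append(("AuthenticationLevelOverride=0",
                         "server identity warning suppressed for all connections"))
    for host, flags in tree.get(TSC_KEY + r"\LocalDevices", {}).items():
        findings.append((f"LocalDevices\\{host}=0x{flags:x}",
                         "publisher/device-redirection prompt remembered for this host"))
    return findings


# Constructed export matching what the thread's batch script writes (109 = 0x6d).
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client]
"AuthenticationLevelOverride"=dword:00000000

[HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\LocalDevices]
"TS01;remote.bla.com"=dword:0000006d
"""

if __name__ == "__main__":
    for setting, why in audit_tsc(SAMPLE_EXPORT):
        print(f"{setting}: {why}")
```

Real `reg export` output is UTF-16 with a BOM, so read such a file with `open(path, encoding="utf-16")` before passing it to `audit_tsc`.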
