Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS)
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.
Sometimes we need to access our PC from a remote location due to situations that are out of our control, but Windows made it simple to allow RDP Connections to our PC through the RDP Service. (Pro to Enable, Home only allows Connection). And we will initiate our RDP Service to point a Public IP Address so that we can Access our Internet Network from a remote location.
Here in a work perspective is great in an Attacker perspective this is even greater, the only thing that stops them is too find any Valid Accounts that can give them access to the service. There are some public exploits but have a few requirements for them to be successful. Some need to run a specific service (UltraVNC, TightVNC, etc.) Other need older OS (Windows XP, Vista, 7).
Let us start with a simple nmap scan these services run on specific ports(unless changed) RDP is known for running on port 3389 we will focus our scan on this specific port and see what information we can grab from this port.
We continue by searching for accounts or common passwords that can give us some access to this services, in this step we can use many techniques such as OSINT, Phishing, Leaked Databases, etc. These will be helpful to find users or credentials for trying out on the External Remote Services available from a company that is facing the public internet.
Well on this attack we won't be using any exploits but this attack consists mostly on having some Valid Accounts with RDP Permissions or Administrator Account Privileges, these accounts are usually the ones capable of remote access through RDP.
But in this example we did our recon and found some old credentials leaked in a previous Database.
And finally after some hard work we manage to get Access through our RDP Service that we found in our Initial Recon, this is another great example not common but still out there, that can give attackers access to the internal network.