Merge pull request #2009 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-rdp_20260316_025459

carlospolop · web-flow · commit ce8075570f00 · 2026-03-16T04:20:58.000+01:00
Research Update Enhanced src/network-services-pentesting/pen...
diff --git a/src/network-services-pentesting/pentesting-rdp.md b/src/network-services-pentesting/pentesting-rdp.md
@@ -24,6 +24,24 @@ nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 338
 
 It checks the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions).
 
+### Security Layer / NLA Checks
+
+RDP can negotiate different security layers (native RDP, TLS, or CredSSP/NLA). You can quickly fingerprint the server-side settings and whether NLA is required:
+
+```bash
+# Security layer and encryption info
+nmap --script rdp-enum-encryption -p 3389 <IP>
+
+# Quick auth check (also reports if NLA is required)
+nxc rdp <IP> -u <user> -p <password>
+
+# Pre-auth screenshot only works if NLA is disabled
+nxc rdp <IP> --nla-screenshot
+
+# Authenticated screenshot after valid login
+nxc rdp <IP> -u <user> -p <password> --screenshot
+```
+
 ### [Brute force](../generic-hacking/brute-force.md#rdp)
 
 **Be careful, you could lock accounts**
@@ -90,6 +108,38 @@ ts::sessions        #Get sessions
 ts::remote /id:2    #Connect to the session
 ```
 
+### RDP Shadowing (Remote Control)
+
+If **Remote Desktop Services shadowing** is enabled, you can **view or control** another user's active session (sometimes **without consent**) using built-in `mstsc` switches.
+
+```bash
+# List sessions on a remote host
+qwinsta /server:<IP>
+quser /server:<IP>
+
+# Shadow a specific session (consent required if policy enforces it)
+mstsc /v:<IP> /shadow:<SESSION_ID> /control
+
+# Shadow without consent if policy allows it
+mstsc /v:<IP> /shadow:<SESSION_ID> /noconsentprompt /prompt
+
+# Check current shadowing policy on the target
+reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow
+```
+
+### RDP Virtual Channel Tunneling
+
+RDP supports **virtual channels** that can be abused for **pivoting/tunneling** over an established RDP session. One option is **rdp2tcp** (client/server) which can multiplex TCP forwards over RDP (works with FreeRDP).
+
+```bash
+# Start FreeRDP with rdp2tcp virtual channel
+xfreerdp /u:<user> /v:<IP> /rdp2tcp:/path/to/rdp2tcp/client/rdp2tcp
+```
+
+{{#ref}}
+../generic-hacking/tunneling-and-port-forwarding.md
+{{#endref}}
+
 ### Sticky-keys & Utilman
 
 Combining this technique with **stickykeys** or **utilman you will be able to access a administrative CMD and any RDP session anytime**
@@ -150,6 +200,11 @@ Entry_2:
 ```
 
 
-{{#include ../banners/hacktricks-training.md}}
 
 
+## References
+
+- [https://swarm.ptsecurity.com/remote-desktop-services-shadowing/](https://swarm.ptsecurity.com/remote-desktop-services-shadowing/)
+- [https://www.errno.fr/rdptunneling/](https://www.errno.fr/rdptunneling/)
+
+{{#include ../banners/hacktricks-training.md}}
