> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/information-gathering/service-enumeration/windows-remote-management-protocols/rdp-3389.md).

# RDP (3389)

Use this page to enumerate an RDP listener and to review the security weaknesses and detection tripwires that matter during an assessment.

### RDP (Remote Desktop Protocol)

RDP (Remote Desktop Protocol) is Microsoft's proprietary protocol for interactive graphical administration: the server streams the desktop to the client and the client returns keyboard, mouse and redirected-device input over a single TCP session (optionally assisted by UDP) on an IP network.

### Core engineering properties

* **Port baselines** — the service listens on TCP `3389`. Since RDP 8.0 the client may also open UDP `3389` (the RDP-UDP transport) for graphics and input once the TCP session is up; UDP is a performance optimisation layered on an established session, not a second administration channel.
* **Firewall and NAT dependencies** — a session needs TCP `3389` reachable end to end. Behind Network Address Translation (NAT) the host is reachable only if the router forwards a public port to the internal `3389`; in that case the attacking node targets the public IP and the forwarded port, not the private address.
* **Encryption history** — the original RDP Security Layer is a proprietary RC4 scheme with 40-, 56- or 128-bit keys. TLS as the transport has been supported since RDP 5.2 (Windows Server 2003 SP1), and Network Level Authentication (NLA) via CredSSP since RDP 6.0 (Windows Vista).
* **Operational defaults** — Remote Desktop is off by default on every Windows edition. Once an administrator enables it, Windows Server 2016 and later default to allowing only NLA connections, so CredSSP authenticates the user before any desktop session is created or rendered.

### Security deficiencies and detection hooks

* **RDP security fallbacks** — where NLA is not required and the security layer is set to "RDP Security Layer" or "Negotiate", a client that requests only Standard RDP Security is served with it: RC4 with keys as short as 40 bits and a server key exchange that gives the client no meaningful way to authenticate the server, so the session can be intercepted in the path. rdp-sec-check and Nmap's `rdp-enum-encryption` report exactly this condition.
* **Self-signed certificate trust traps** — out of the box the TLS listener presents a self-signed certificate generated on first start, so every connection produces the same "identity cannot be verified" warning. Users learn to click through it, and an attacker in the path who presents a different self-signed certificate gets the same click. The fix is to issue the RDP certificate from an internal CA the clients trust and to leave the client-side warnings enforced.
* **The `mstshash` detection trigger** — every X.224 Connection Request begins with a routing cookie of the form `Cookie: mstshash=<identifier>`; mstsc sends the user name, Nmap's rdp library sends the literal `mstshash=nmap`. Network sensors and endpoint detection and response (EDR) rules match on that string, so `--script "rdp*"` announces the scan; during an engagement expect the source IP to be blocked or escalated shortly after it runs.

### Service enumeration and connection syntax

#### Target information leak discovery with Nmap

The `rdp-ntlm-info` script drives the CredSSP/NTLM exchange far enough to receive the NTLM challenge, which leaks the NetBIOS and DNS computer and domain names and the OS build (`Product_Version`); `rdp-enum-encryption` lists the security protocols and RC4 encryption levels the server will accept. Quote the wildcard so the shell does not expand it:

```bash
sudo nmap -sV -p 3389 --script "default,rdp*" <TARGET_IP>
```

#### Handshake security auditing with `rdp-sec-check.pl`

Developed by Cisco CX Security Labs, this tool sends a series of unauthenticated X.224 connection requests, each offering a different security protocol, and reports which ones the server accepts (Standard RDP Security, TLS, NLA/CredSSP) together with the encryption levels it will negotiate:

```bash
# Install the one CPAN dependency the script needs
sudo cpan Encoding::BER

# Clone and run; no credentials are required
git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git && cd rdp-sec-check
./rdp-sec-check.pl <TARGET_IP>
```
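The exchange behind the two previous sections, as an added example that is not part of this page, of Nmap or of rdp-sec-check: the client's X.224 Connection Request (the packet that carries the `mstshash` cookie named in the detection-hook list above and the requested security protocols) and the server's Connection Confirm that rdp-sec-check interprets. The byte layouts, protocol flags and failure codes follow MS-RDPBCGR; the detection rule, the `simulate_server` policy and every packet built here are constructed assumptions for offline use, and the simulated server is a simplification, not the behaviour of Windows.

```python
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0, 1, 2
PROTOCOL_NAMES = {0: "PROTOCOL_RDP", 1: "PROTOCOL_SSL", 2: "PROTOCOL_HYBRID",
                  4: "PROTOCOL_RDSTLS", 8: "PROTOCOL_HYBRID_EX"}
# failureCode values of the RDP Negotiation Failure structure (2.2.1.2.2)
SSL_REQUIRED_BY_SERVER, HYBRID_REQUIRED_BY_SERVER = 1, 5
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
                 4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
COOKIE_PREFIX = b"Cookie: mstshash="

def _tpkt_x224(code, body):
    """Wrap an X.224 TPDU (0xE0 = Connection Request, 0xD0 = Connection Confirm) in a TPKT header."""
    x224 = struct.pack(">BBHHB", 6 + len(body), code, 0, 0, 0) + body  # LI, code, dst-ref, src-ref, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def _unwrap(pkt, expected_code):
    """Validate the TPKT and X.224 headers and return the TPDU user data."""
    version, _, length = struct.unpack(">BBH", pkt[:4])
    if version != 3 or length != len(pkt) or pkt[5] != expected_code:
        raise ValueError("not the expected TPKT/X.224 PDU")
    return pkt[11:5 + pkt[4]]  # LI at pkt[4] counts the bytes that follow it

def build_connection_request(cookie_id, requested):
    """Client -> server. mstsc puts the user name in the cookie; Nmap's rdp library puts 'nmap'."""
    cookie = COOKIE_PREFIX + cookie_id.encode() + b"\r\n"
    neg_req = struct.pack("<BBHI", 0x01, 0, 8, requested)  # TYPE_RDP_NEG_REQ, flags, length, requestedProtocols
    return _tpkt_x224(0xE0, cookie + neg_req)

def parse_connection_request(pkt):
    """Return (cookie identifier or None, requestedProtocols or None), as a sensor would."""
    data = _unwrap(pkt, 0xE0)
    cookie = requested = None
    if data.startswith(COOKIE_PREFIX):
        end = data.index(b"\r\n")  # ValueError on an unterminated cookie
        cookie = data[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        data = data[end + 2:]
    if len(data) >= 8 and data[0] == 0x01:
        requested = struct.unpack("<BBHI", data[:8])[3]
    return cookie, requested

def flag_request(pkt):
    """Detection rule (an assumption) over one Connection Request; returns a list of tags."""
    cookie, requested = parse_connection_request(pkt)
    tags = []
    if cookie == "nmap":
        tags.append("nmap_probe")         # the NSE signature described on this page
    if not requested:
        tags.append("standard_rdp_only")  # no TLS/NLA offered: legacy client or downgrade attempt
    return tags

def build_connection_confirm(selected=None, failure=None):
    """Server -> client: RDP Negotiation Response (0x02) or RDP Negotiation Failure (0x03)."""
    if failure is None:
        return _tpkt_x224(0xD0, struct.pack("<BBHI", 0x02, 0, 8, selected))
    return _tpkt_x224(0xD0, struct.pack("<BBHI", 0x03, 0, 8, failure))

def parse_connection_confirm(pkt):
    """Return ('selected', protocol name) or ('failure', reason)."""
    data = _unwrap(pkt, 0xD0)
    if len(data) < 8:  # pre-RDP 5.2 servers send no rdpNegData: Standard RDP Security only
        return ("selected", "PROTOCOL_RDP")
    kind, _, _, value = struct.unpack("<BBHI", data[:8])
    if kind == 0x02:
        return ("selected", PROTOCOL_NAMES.get(value, hex(value)))
    if kind == 0x03:
        return ("failure", FAILURE_CODES.get(value, hex(value)))
    raise ValueError("unknown rdpNegData type 0x%02x" % kind)

def simulate_server(pkt, supported):
    """Stand-in server policy (an assumption, not Windows): strongest common protocol, else
    Standard RDP Security if the server still allows it, else refuse with a matching failure code."""
    _, requested = parse_connection_request(pkt)
    for proto in (PROTOCOL_HYBRID, PROTOCOL_SSL):
        if proto in supported and (requested or 0) & proto:
            return build_connection_confirm(selected=proto)
    if PROTOCOL_RDP in supported:
        return build_connection_confirm(selected=PROTOCOL_RDP)
    if PROTOCOL_SSL in supported:
        return build_connection_confirm(failure=SSL_REQUIRED_BY_SERVER)
    return build_connection_confirm(failure=HYBRID_REQUIRED_BY_SERVER)

def audit(responder):
    """rdp-sec-check style probe: request each protocol alone; 'responder' maps a CR packet to a CC packet."""
    results = {}
    for proto in (PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID):
        results[PROTOCOL_NAMES[proto]] = parse_connection_confirm(responder(build_connection_request("audit", proto)))
    return results

def weaknesses(results):
    """Turn an audit result into the findings a report would carry."""
    found = []
    if results["PROTOCOL_RDP"] == ("selected", "PROTOCOL_RDP"):
        found.append("Standard RDP Security accepted (RC4, no server authentication)")
    if results["PROTOCOL_SSL"] == ("selected", "PROTOCOL_SSL"):
        found.append("TLS without NLA accepted (logon screen exposed before authentication)")
    return found
```

Running `flag_request(build_connection_request("nmap", PROTOCOL_SSL | PROTOCOL_HYBRID))` yields `["nmap_probe"]`, which is the string match a sensor needs and nothing more; `audit(lambda cr: simulate_server(cr, {PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID}))` models a "Negotiate" server with NLA optional and `weaknesses()` turns it into two findings, while a `{PROTOCOL_HYBRID}`-only server answers the first two probes with `HYBRID_REQUIRED_BY_SERVER` and produces none. To run the audit against a live host you would replace the responder with a function that sends the bytes over TCP `3389` and returns the reply; the parsers are unchanged.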

#### Spawning graphical control channels

```bash
# Connect from a Linux shell via xfreerdp. /cert:ignore skips the self-signed
# certificate prompt; use it only against a lab target you control.
# Add /d:<DOMAIN> for a domain account.
xfreerdp /u:<username> /p:"<password>" /v:<TARGET_IP> /cert:ignore
```
