Day 15 : Introduction to Remote Desktop Protocol (RDP)


One of the most abused protocols in cyber attacks is the Remote Desktop Protocol (RDP). According to this article, Sophos has found that RDP was abused in 90% of cyber attacks in 2023. In today's article I will go over what RDP is, its features and functionalities, and how to protect yourself from RDP abuse.

What is Remote Desktop Protocol?


Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to remotely connect to and control another computer over a network. RDP is commonly used for remote management, technical support, and accessing resources on a computer from a different location. The protocol provides a graphical interface that enables users to interact with the remote machine as if they were sitting in front of it. RDP makes use of TCP and uses port 3389 by default.

Features of RDP:

  1. Remote Access: Allows users to log in to a computer from a remote location, providing access to applications, files, and network resources.
  2. Graphical Interface: Offers a full desktop experience, allowing users to interact with the remote machine through a graphical user interface (GUI).
  3. Encryption: RDP sessions are encrypted to ensure secure data transmission between the client and the remote machine.
  4. Clipboard Sharing: Supports sharing of clipboard data (e.g., text, files) between local and remote systems.
  5. Printer and Peripheral Redirection: Enables remote access to local devices like printers, USB drives, and audio devices.

Advantages of RDP

  • Remote Access and Flexibility: RDP allows users to securely access and control computers from anywhere, enabling remote work and centralized IT management.
  • Cost and Resource Efficiency: Reduces the need for on-site visits, saves travel costs, and uses bandwidth efficiently by transmitting only screen updates and inputs.
  • Cross-Platform Compatibility: Supports multiple operating systems, making it flexible for users across different devices.
  • Security and Productivity: Provides encryption and authentication features to secure remote connections while allowing access to powerful remote systems, boosting productivity.

How is RDP Abused by Attackers?

Attackers regularly scan the internet for exposed RDP services running on servers to find targets to attack. They can then either try brute forcing their way in using common usernames and passwords, or use credentials they might have phished from users.

If access is gained, the attackers might then perform credential dumping to harvest even more valid credentials from the server, using them for lateral movement across the network.

Gaining such access can get attackers closer to their goal of data exfiltration or deploying ransomware.
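The scanning and brute forcing described above leave a trail on the target: every failed RDP logon is written to the Windows Security log as event ID 4625. The following is an added example (not code from the original article) that groups such failures by source address and flags any source exceeding a threshold inside a short window. The function works on flattened objects so it can be demonstrated on a constructed sample; the field names, the threshold and the sample addresses are assumptions.

```powershell
# Added example: flag RDP brute-force / password-spray bursts from Security event 4625 data.
# With real events, build the same objects from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625};
# in the standard 4625 template $e.Properties[5], [10] and [19] carry TargetUserName, LogonType and IpAddress.
function Find-RdpLogonFailures {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with TimeCreated, IpAddress, TargetUserName, LogonType
        [int] $Threshold     = 10,                   # assumed: failures per window that trigger an alert
        [int] $WindowMinutes = 5
    )
    # Logon type 10 = RemoteInteractive (an RDP session was attempted); with NLA enabled a rejected
    # credential is logged as type 3 instead, because it fails before a session is created.
    $rdp = $Events | Where-Object { $_.LogonType -in 3, 10 -and $_.IpAddress -notin '-', '127.0.0.1', '::1' }
    $window = [timespan]::FromMinutes($WindowMinutes)
    foreach ($group in ($rdp | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $start = 0
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # slide the window start forward until all events in [start..i] fit inside it
            while (($sorted[$i].TimeCreated - $sorted[$start].TimeCreated) -gt $window) { $start++ }
            if (($i - $start + 1) -ge $Threshold) {
                [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $i - $start + 1
                    Users     = (@($sorted[$start..$i]).TargetUserName | Sort-Object -Unique) -join ','
                    FirstSeen = $sorted[$start].TimeCreated
                    LastSeen  = $sorted[$i].TimeCreated
                }
                break   # one alert per source address is enough
            }
        }
    }
}

# Constructed sample: 12 failures in 3 minutes from one address cycling common account names,
# plus a single mistyped password from a trusted internal host that must not be flagged.
$t0 = [datetime]'2024-05-01T02:00:00'
$sample = 0..11 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(15 * $_); IpAddress = '203.0.113.7'
                       TargetUserName = @('administrator', 'admin', 'test')[$_ % 3]; LogonType = 3 }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); IpAddress = '10.0.10.20'
                              TargetUserName = 'jsmith'; LogonType = 10 }

Find-RdpLogonFailures -Events $sample | Format-Table -AutoSize
```

On the sample this reports only 203.0.113.7 (12 failures, users admin,administrator,test); the single failure from 10.0.10.20 stays below the threshold.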

How to Find Exposed RDP Servers

There are many ways to find exposed RDP servers. Please note that one must not try to attack these machines, since it's unethical and illegal.

Shodan

Using shodan.io, on searching for port:3389, I got a list of machines running an exposed RDP service:


Censys

Another platform to find exposed RDP services is censys.io. Head over to the website and search for 3389.


We can narrow down our search by filtering the options to the left.

How to Protect Yourself from RDP Abuse Attacks

Now that we have a good understanding of RDP, its associated ports and services, we can take the following steps to protect ourselves from attackers:

  1. Turn off RDP: Turn off RDP services on your endpoint so that it is no longer exposed.
  2. Use Multi-Factor Authentication: If RDP is to be used on your endpoint, setting up multiple steps to gain access will prevent any unauthorized access.
  3. Restrict Access: Set up firewall rules to only allow RDP attempts from known and trusted IP addresses and ranges. You can also use a VPN to add an extra layer of protection to your endpoints.
  4. Use Better Passwords: Avoid common passwords and simple number or letter sequences such as "password", "1234" or "abcde" in your passwords. Use longer passwords that combine numbers, upper and lower case characters and special characters so attackers cannot easily guess your credentials.
  5. Disable Default Accounts: Another good step to take is to create new Administrator accounts on your endpoints with names and passwords that are not default values, since default values are public information and are easily guessable.
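The steps above applied to a single Windows endpoint, as an added example (not code from the original article or from MYDFIR). It turns RDP off when it is not needed, otherwise requires Network Level Authentication (the protocol-level prerequisite; the MFA provider itself is not shown), scopes the built-in Remote Desktop firewall rules to trusted sources, reports the built-in Administrator account, and verifies the result. Run it from an elevated session; $RdpNeeded, $TrustedRanges and the password policy of step 4 (set through Group Policy, not shown) are assumptions.

```powershell
# Added example: harden RDP on one Windows endpoint. Values below are constructed placeholders.
$RdpNeeded     = $true
$TrustedRanges = @('10.0.10.0/24', '192.168.50.5')   # constructed: admin jump hosts / VPN pool only

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

if (-not $RdpNeeded) {
    # Step 1: turn RDP off entirely (fDenyTSConnections = 1) and close the firewall rules for it
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Output 'RDP disabled on this endpoint.'
    return
}

# Step 2 (protocol side): require Network Level Authentication, so the client must present valid
# credentials before the server allocates a session. MFA on top of this needs an external provider.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1

# Step 3: keep the built-in Remote Desktop rules but limit them to the trusted source addresses
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -Enabled True -RemoteAddress $TrustedRanges

# Step 5: report the built-in Administrator account (RID 500), whose default name attackers guess
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
Write-Output ("Built-in admin account '{0}' enabled={1}" -f $builtin.Name, $builtin.Enabled)

# Verify: RDP state, NLA requirement and the remote-address scope actually applied to the rules
[pscustomobject]@{
    RdpEnabled  = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
    NlaRequired = (Get-ItemProperty -Path $rdpTcp).UserAuthentication -eq 1
    RemoteScope = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
                   Get-NetFirewallAddressFilter).RemoteAddress | Sort-Object -Unique
}
```

If RemoteScope still shows "Any" for some rule, that rule was not in the "Remote Desktop" display group and needs the same -RemoteAddress restriction applied by name.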


Conclusion

With invaluable guidance from Mr. Stevens at MYDFIR (his website) and his YT video outlining day 15 of the 30-Day SOC Challenge, I learned about Remote Desktop Protocol (RDP), its functionalities, how it is abused, how to find exposed RDP endpoints and how to defend myself from RDP abuse attacks.

Arihant Jain

ex-EY | Software Developer | Machine Learning | ex-SaaS Labs | BVCOE'24

7mo

Cfbr. Keep it up!

Michael Ferrara

🏳️🌈Trusted IT Solutions Consultant | AI, Blockchain, Web & Mobile Apps | Author, Tech Topics | Goal: Give, Teach & Share | Featured Analyst on Fast Company | TechBullion | CIO Grid | Small Biz Digest | GoDaddy

8mo

Best of luck
