
Hail Hydra – RDP brute forcing with HYDRA
Securing services requires broad knowledge of operating systems, networking, protocols and offensive capabilities. So I thought I would demonstrate some testing methods to show how a control is effective in blocking certain types of attack. Here is some offensive and defensive guidance to limit RDP attacks. Please remember this is for educational purposes: do NOT break the law, and only use these techniques where you have permission! #whitehat
Overview
This document provides a sample of the internal (white box) testing process and procedure for testing RDP controls against brute force attacks.
Test Objectives
- Demonstrate only authorised users can access the service
- Demonstrate Remote Desktop Services has a hardened configuration
- Demonstrate a brute force attack
Method
- Scope Evaluation
- Testing
- Enumeration
- Vulnerability Assessment
- Exploitation
- Report Results