
Introduction
Remote Desktop Protocol (RDP) is a critical tool for system administrators and security professionals, but enabling it isn’t always straightforward—especially during penetration tests or OSCP exams. NetExec (NXC), a powerful tool derived from CrackMapExec, provides an efficient way to enable RDP remotely, even when manual configuration isn’t feasible.
Learning Objectives
- Learn how to use NXC to enable RDP on a Windows host.
- Understand the security implications of enabling RDP remotely.
- Discover alternative methods for lateral movement in Active Directory environments.
You Should Know
1. Enabling RDP with NXC
Command:
nxc smb <target_IP> -u <username> -p <password> -M rdp -o ACTION=enable
Step-by-Step Guide:
1. Install NXC (a modern version of CrackMapExec):
pip install netexec
2. Run the command above, replacing `<target_IP>`, `<username>` and `<password>` with the target host and valid credentials.
3. The `-M rdp` module enables RDP, and `ACTION=enable` forces the service to start.
4. Verify RDP is enabled by attempting to connect via `mstsc` or `xfreerdp`.
Why It Matters:
This bypasses manual GUI configuration, saving time during engagements where GUI access is restricted.
2. Checking RDP Status
Command:
nxc smb <target_IP> -u <username> -p <password> -M rdp -o ACTION=status
Step-by-Step Guide:
- Use the command to check if RDP is enabled.
- The output will confirm whether the service is active or disabled.
3. Disabling RDP (Cleanup)
Command:
nxc smb <target_IP> -u <username> -p <password> -M rdp -o ACTION=disable
Step-by-Step Guide:
- After testing, disable RDP to avoid leaving unintended access.
- Verify with the `status` action.
4. Alternative: PowerShell Remoting
Command:
Enable-PSRemoting -Force
Step-by-Step Guide:
- Run this in an elevated PowerShell session to enable WinRM.
- Use `nxc` or `evil-winrm` for lateral movement if RDP is locked down.
5. Securing RDP Post-Exploitation
Command:
nxc smb <target_IP> -u <username> -p <password> -M rdp -o ACTION=enable,GROUP="Remote Desktop Users"
Step-by-Step Guide:
- Restrict RDP access to specific groups to minimize exposure.
- Audit logon events with `Get-WinEvent -LogName "Security" | ?{$_.ID -eq 4624}`.
What Undercode Says
- Key Takeaway 1: NXC streamlines RDP enablement, but misuse can lead to persistent backdoors. Always clean up after testing.
- Key Takeaway 2: RDP is a common lateral movement vector—monitor its usage in AD environments.
Analysis:
While NXC simplifies offensive tasks, defenders should monitor `HKLM\System\CurrentControlSet\Control\Terminal Server` registry keys and Event ID 1149 for RDP service changes. Organizations should enforce Network Level Authentication (NLA) and restrict RDP to VPN-only access.
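The following added example (not code from the original post or from the NetExec project) combines the defender-side checks above: it reads the `Terminal Server` registry key that the `rdp` module toggles, reports whether NLA is required, and filters the Security log for Event ID 4624 logons of type 10 (RemoteInteractive, i.e. RDP). It assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example: read-only RDP posture check and RDP logon audit.
# Assumes an elevated PowerShell session on the Windows host.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means RDP connections are allowed; this is the
# value that remote RDP-enable tooling flips, so a change here is notable.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
# UserAuthentication = 1 means Network Level Authentication is required.
$nla  = (Get-ItemProperty -Path $nlaKey -Name UserAuthentication).UserAuthentication

[PSCustomObject]@{
    RdpEnabled  = ($deny -eq 0)
    NlaRequired = ($nla -eq 1)
} | Format-List

# Event 4624 property indices: 5 = TargetUserName, 6 = TargetDomainName,
# 8 = LogonType, 18 = IpAddress. LogonType 10 = RemoteInteractive (RDP).
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Account = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            Source  = $_.Properties[18].Value
        }
    } |
    # Group by account and source address so unexpected RDP pairs stand out.
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A host that reports `RdpEnabled = True` when RDP was not meant to be on, or RDP logons from an unfamiliar account/source pair, is a cue to check whether the registry key was changed remotely.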
Prediction
As offensive tools like NXC evolve, expect more automated exploitation of misconfigured RDP services. Defenders will increasingly rely on EDR solutions to detect and block such tooling, pushing red teams toward lesser-known protocols like WinRM or SSH for lateral movement.
Reported By: Activity 7343462709629263873 – Hackers Feeds