RDP-Check: Eliminating False Positives in Credential Spraying Attacks

When performing RDP credential spraying with tools like NetExec (nxc), false positives can be a major headache. Traditional methods may report access with a `(Pwn3d!)` flag, but that does not always mean a GUI session can actually be opened. Enter `rdp-check`, a tool that performs a full RDP handshake to confirm real access.

Why RDP-Check?

  • Eliminates false positives by verifying GUI-level access.
  • Faster & more reliable than partial handshake checks (e.g., `rdp_check.py` from Impacket).
  • Seamlessly integrates with existing tools like CrackMapExec (NetExec).

You Should Know:

Here’s how to manually verify RDP access using common tools and commands:

1. Using Impacket’s `rdp_check.py` (Basic Check)

python3 rdp_check.py DOMAIN/user:password@target_ip

Limitation: Doesn’t always confirm GUI access due to incomplete handshake.

2. Manual RDP Testing with `xfreerdp`

xfreerdp /v:target_ip /u:user /p:password /cert:ignore +auth-only

– `/cert:ignore` bypasses certificate errors.
– `+auth-only` tests authentication without a full session.

3. NetExec (nxc) for Spraying

nxc rdp target_ip -u users.txt -p passwords.txt --continue-on-success

– Look for `(Pwn3d!)`, but verify with `rdp-check` for accuracy.

4. Automating with `rdp-check` (Upcoming Tool)

rdp-check -t targets.txt -u user -p password --threads 10

(Expected command structure—awaiting release.)

5. Detecting RDP Misconfigurations

nmap -p 3389 --script rdp-ntlm-info target_ip

– Retrieves the host's NTLM target information (hostname, domain, OS version) over the RDP service; the supported security protocols and encryption level are reported by the separate `rdp-enum-encryption` script.

What Undercode Say

False positives in RDP credential spraying waste time and create operational noise. A full RDP handshake is the only true verification method. Until `rdp-check` is released, use:

– `xfreerdp` for manual validation.
– Wireshark filters (`tcp.port == 3389`) to analyze handshake failures.
– Account lockout checks: read the domain password policy, which includes the lockout threshold and observation window, with:

crackmapexec smb target_ip -u user -p password --pass-pol

For defenders:

  • Enable Network Level Authentication (NLA) (gpedit.msc → require NLA for RDP connections).
  • Log RDP failures with Windows Security Event ID 4625.
  • Restrict RDP access via GPO, or disable it on hosts that do not need it (PowerShell, run as administrator):
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
    
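The defender's counterpart to the full-handshake check is the event log: a spray shows up as many 4625 failures against different accounts from one source in a short window, and a real GUI session as a 4624 with LogonType 10 from that same source. As an added example (not from the post or the rdp-check project), the Python below runs that detection over constructed sample events; it assumes the Security log was exported with the field names shown, and that NLA is enabled, so failed RDP logons are recorded with LogonType 3 rather than 10.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Security-log events exported from the RDP host (hypothetical
# data, e.g. from Get-WinEvent). Field names mirror the 4624/4625 event data.
# With NLA enabled, a failed RDP logon is recorded as 4625 with LogonType 3
# (network); a completed GUI session is 4624 with LogonType 10 (RemoteInteractive).
EVENTS = [
    {"time": "2024-05-01T10:00:01", "id": 4625, "user": "alice", "ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T10:00:02", "id": 4625, "user": "bob",   "ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T10:00:03", "id": 4625, "user": "carol", "ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T10:00:04", "id": 4625, "user": "dave",  "ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T10:00:05", "id": 4624, "user": "dave",  "ip": "10.0.0.5", "logon_type": 10},
    {"time": "2024-05-01T10:30:00", "id": 4625, "user": "alice", "ip": "10.0.0.9", "logon_type": 3},
    {"time": "2024-05-01T10:31:00", "id": 4625, "user": "alice", "ip": "10.0.0.9", "logon_type": 3},
]

RDP_LOGON_TYPES = {3, 10}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_spray(events, window=timedelta(minutes=5), min_users=3):
    """Flag source IPs whose 4625 failures hit at least `min_users` distinct accounts
    inside a sliding `window` (few failures per account, under a typical lockout
    threshold: the spraying pattern). For each flagged source, also list accounts with
    a 4624 LogonType 10 after the spray began, i.e. the confirmed GUI sessions."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["logon_type"] in RDP_LOGON_TYPES:
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["id"] == 4625]
        start = 0
        for end in range(len(fails)):
            # Advance the window start so fails[start:end+1] spans at most `window`.
            while _ts(fails[start]) < _ts(fails[end]) - window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                spray_start = _ts(fails[start])
                confirmed = [e["user"] for e in evs
                             if e["id"] == 4624 and e["logon_type"] == 10 and _ts(e) >= spray_start]
                alerts[ip] = {"users": sorted(users), "confirmed": confirmed}
    return alerts
```

Calling `detect_spray(EVENTS)` flags only 10.0.0.5 (four accounts in four seconds, then a real session as `dave`); the two failures for a single account from 10.0.0.9 are not a spray and are left to ordinary lockout monitoring.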

Expected Output:

A reliable, false-positive-free RDP credential sprayer that confirms real access. Stay tuned for rdp-check’s release!

Reported By: Activity 7322773127585742848 – Hackers Feeds