nxc-rdp
Connect to Windows systems via RDP
TLDR
Search for valid credentials by trying out every combination in the specified lists of usernames and passwords
Take a screenshot after waiting for the specified number of seconds
Take a screenshot in the specified resolution
Take a screenshot of the RDP login prompt if Network Level Authentication is disabled
SYNOPSIS
nxc rdp <target(s)> [options]
PARAMETERS
<target(s)>
One or more targets specified as IP addresses, CIDR ranges, hostnames, or a path to a file containing targets.
Example: '192.168.1.1', '192.168.1.0/24', 'target.txt'.
-u <USERNAME>
Single username for authentication.
-p <PASSWORD>
Single password for authentication. If omitted with -u, a blank password will be used.
-H <HASH>
NTLM hash for authentication in LM:NT form (e.g., the empty-password hash 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0').
-L <USER_FILE>
Path to a file containing a list of usernames to try.
-P <PASS_FILE>
Path to a file containing a list of passwords to try.
--local-auth
Forces authentication using local accounts, bypassing domain authentication where applicable.
--enum-rdp
Enumerates various RDP details such as RDP version, NLA status, certificate information, and more.
--screenshot
Attempts to take a screenshot of the RDP login screen. Requires Xvfb and imagemagick to be installed.
--threads <THREADS>
Number of concurrent threads to use for scanning/attacking targets. Default is 10.
--timeout <SECONDS>
Connection timeout in seconds.
DESCRIPTION
nxc rdp is a module of the NetExec (formerly CrackMapExec) post-exploitation tool, specialized in interacting with Remote Desktop Protocol (RDP) services. It's primarily used for network enumeration and assessing RDP endpoint security. This module can discover RDP service configurations, check Network Level Authentication (NLA) status, and attempt credential-based logins using various authentication methods. It helps penetration testers gather intelligence about RDP environments, identify misconfigurations, and validate access with available credentials or hashes. It can also perform advanced actions such as taking screenshots of RDP login screens.
CAVEATS
Usage of nxc rdp requires the NetExec framework to be installed. Certain advanced features, such as screenshotting, depend on additional system utilities like Xvfb and imagemagick. Be aware that extensive scanning or brute-force attempts can generate significant network traffic and may trigger intrusion detection/prevention systems (IDS/IPS). Unauthorized access attempts are illegal.
AUTHENTICATION FLEXIBILITY
The module supports various authentication methods, including plaintext usernames and passwords, NTLM hashes, and the ability to specify user and password lists for brute-forcing or dictionary attacks. This makes it highly versatile for leveraging different types of compromised credentials.
INFORMATION GATHERING
Beyond basic enumeration, nxc rdp can provide valuable insights into the RDP service's configuration, including whether Network Level Authentication (NLA) is enabled or disabled, which significantly impacts the attack surface. This information is crucial for planning further exploitation steps.
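As an added triage example (not code from NetExec or from this page), the script below parses nxc rdp output into per-host findings, flagging hosts that report NLA disabled and hosts where a credential was accepted, so the results can be handed to remediation. It assumes the host-info and credential-result line formats shown in its constructed sample output.

```python
"""Triage nxc rdp output: NLA status and accepted credentials per host.

Added example, not part of NetExec. Assumes two line formats from nxc rdp:
  host info:   RDP <ip> <port> <host> [*] <OS banner> (name:X) (domain:Y) (nla:True|False)
  valid login: RDP <ip> <port> <host> [+] DOMAIN\\user:password
The SAMPLE_OUTPUT lines below are constructed for illustration.
"""
import re

SAMPLE_OUTPUT = """\
RDP  192.168.1.10  3389  HOST01  [*] Windows 10 or Windows Server 2016 Build 17763 (name:HOST01) (domain:CORP) (nla:True)
RDP  192.168.1.11  3389  HOST02  [*] Windows 10 or Windows Server 2016 Build 14393 (name:HOST02) (domain:CORP) (nla:False)
RDP  192.168.1.11  3389  HOST02  [+] CORP\\alice:Passw0rd!
RDP  192.168.1.12  3389  HOST03  [*] Windows Server 2019 Build 17763 (name:HOST03) (domain:CORP) (nla:False)
RDP  192.168.1.12  3389  HOST03  [-] CORP\\bob:Winter2024 (STATUS_LOGON_FAILURE)
"""

# Host-info line: capture ip, port, hostname and the nla:True/False marker.
HOST_RE = re.compile(
    r"^RDP\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\].*?\(nla:(?P<nla>True|False)\)"
)
# Successful-login line: only "[+]" results count; "[-]" failures are ignored.
CRED_RE = re.compile(r"^RDP\s+(?P<ip>\S+)\s+\d+\s+\S+\s+\[\+\]\s+(?P<cred>\S+)")


def parse_nxc_rdp(output: str) -> dict:
    """Return {ip: {"host": str, "nla": bool|None, "valid_creds": [..]}}."""
    hosts = {}
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            entry = hosts.setdefault(m["ip"], {"host": m["host"], "nla": None, "valid_creds": []})
            entry["nla"] = m["nla"] == "True"
            continue
        m = CRED_RE.match(line)
        if m:
            entry = hosts.setdefault(m["ip"], {"host": None, "nla": None, "valid_creds": []})
            entry["valid_creds"].append(m["cred"])
    return hosts


def findings(hosts: dict) -> list:
    """Produce (ip, message) pairs for conditions a defender should act on."""
    out = []
    for ip, info in sorted(hosts.items()):
        if info["nla"] is False:
            out.append((ip, "NLA disabled: pre-auth login screen is reachable; enforce NLA via policy"))
        if info["valid_creds"]:
            accounts = ", ".join(c.split(":", 1)[0] for c in info["valid_creds"])
            out.append((ip, f"credentials accepted for {accounts}: rotate and review RDP access rights"))
    return out


if __name__ == "__main__":
    for ip, msg in findings(parse_nxc_rdp(SAMPLE_OUTPUT)):
        print(f"{ip}: {msg}")
```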
HISTORY
nxc rdp is an integral module of NetExec, which is the community-maintained fork and successor to the widely popular CrackMapExec (CME) tool. CME initially gained prominence for its versatile capabilities in Active Directory and Windows network post-exploitation. The RDP module has been consistently developed alongside the main project, adapting to new RDP features and security mechanisms, ensuring its relevance for modern penetration testing scenarios.