Skip to content

RDP Login Scanner (rdplogin)

The RDP Login Scanner in OctoPwn tests whether specified user credentials can successfully authenticate to a target system via Remote Desktop Protocol (RDP). This scanner helps identify systems that acquired credentials can log in to via RDP for potential further lateral movement.

Authentication

This scanner uses the same authentication surface as the RDP client. Use PLAIN for local accounts and standalone Windows logins, NTLM / KERBEROS for domain accounts, and combine NTLM + an NT-hash credential against hosts that allow RestrictedAdmin (often surfaced by rdpcap). The client doc has the full secret-type / CredSSP breakdown.

Parameters

Normal Parameters

credential

Specifies the ID of the credential to use for authentication.

Enter the ID of the credential stored in the Credentials Window.

targets

Specifies the targets to scan.

A list of targets can be specified in the following formats:

  • ID: ID of the target server from the targets window.
  • IP: Single IP address (e.g., 192.168.1.1).
  • CIDR: IP range in CIDR notation (e.g., 192.168.1.0/24).
  • Hostname: Resolvable hostname.
  • File: Path to a file containing targets (must be in OctoPwn’s /browserefs/volatile directory). File lists need to be uploaded into OctoPwn and separated by newlines.
  • Control word: Use all to scan all stored targets.
  • Single Group: g:<groupname> (e.g., g:test1).
  • Multiple Groups: g:<groupname1>,g:<groupname2> (e.g., g:test1,g:test2).
  • Port Group: p:<port> (e.g., p:445).
  • Port Group with Protocol: p:<port>/<protocol> (e.g., p:445/tcp).

Advanced Parameters

authtype

Specifies the authentication protocol. See the RDP client authentication section for the full breakdown of which secret types each authtype accepts.

Available protocols:

  • PLAIN — local / standalone Windows accounts and any RDP server that accepts cleartext.
  • NTLM — Windows / domain accounts (also the path for NT-hash + RestrictedAdmin).
  • KERBEROS — Windows / domain accounts.

dialect

Specifies the connection dialect.

Defines the protocol used for the RDP connection. Fixed to RDP for this scanner.

krbetypes

Specifies the Kerberos encryption types to use during the scan.

Provide a comma-separated list of encryption types (e.g., 23,17,18).

krbrealm

Specifies the Kerberos realm to use.

Enter the Kerberos realm (domain name) for authentication.

maxruntime

Specifies the maximum runtime for the scanner.

proxy

Specifies the proxy ID to use for the scan.

Enter the ID of the proxy to route the scan through. Proxies must be configured in the Proxy Window.

resultsfile

Specifies a file for saving the scan results.

The file will be saved in OctoPwn’s /browserefs/volatile directory.

showerrors

Determines whether errors encountered during the scan should be displayed.

timeout

Sets the timeout (in seconds) for each target.

workercount

Specifies the number of parallel workers for the scan.