Step 1: Enable the RDP Server on a Windows System

First of all, we will need a system with RDP enabled. If there are multiple PC’s, then you need to enable RDP on one of them. To do so,  Go to Control Panel > System and Security. Below the System section, you will see “Allow remote access”. Click there.

Now, click on the “Allow Remote Assistance connections to this computer” and click “Apply.”

Step 2: Install Cain and Abel on your Windows System

You should have Cain and Abel installed on your attack system. I have it on my Windows 7 system that I will be using to attack RDP on another Windows 7 system. In this case, we will not be using BackTrack as Cain and Abel is one of the few hacking tools developed originally for Windows and has never been ported to Linux.

Cain and Abel, besides being a great password cracking tool (albeit a bit slow) is probably the best MiTM tool on the market—and it is free!

Step 3: Use ARP Scan on Systems with Cain

Now that we have Cain and Abel running on our attack system and RDP server enabled on another, we need to do an ARP scan. In this way, we will find all the systems on the network by sending out ARP requests and the systems on the network will respond with their IP address and MAC addresses. Choose a range that is appropriate for your target network.

Step 4: ARP Poison

Next, now that know all the machines, IP addresses and MAC addresses on the network from the ARP scan, we are in a position to be able to poison the ARP. We poison the ARP so that our attack system sits between the RDP server and the RDP client. In this way, all of either machine’s traffic must travel through our attack machine.

Click on the Sniffer button on Cain, then select the Sniffer tab, then select theHosts tab at the bottom, then click on the blue + on the top menu, select theRadio button, select the target IP range, and click OK.

Here, we see the hosts on the network.

Step 5: Choose the Server and Client You Want to Poison

Select the APR button at the bottom next to the hosts tab you used above, press the blue + button, select the targets, and press OK.

Step 6: Connect RDP Client to the RDP Server

Now, we wait for the RDP client to connect to the RDP server. This is likely to happen when an individual calls tech support and tech support needs to configure and demonstrate something on their machine. As you might guess, this requires some patience. When they do, we can then intercept its traffic.

Below, we are connecting to the RDP server called Null Byte.

Step 7: Intercept Traffic

With our Cain and Abel MiTM attack in place, all of the traffic between the RDP server and the RDP client will pass through our attack system.

Cain and Abel is now capturing the entire session and saving it into a file named in the far right column. We can now right click on that filename and choose View to open the decrypted file in Notepad.

Step 8: Search for Traffic

Now that all the traffic on the RDP connect is traveling through our attack system, we can search for traffic of interest to us.

Ideally, we want the system admin password for RDP. If we can find the sysadmin password for RDP, we will likely be able to use RDP on any of the network’s machines as usually the sysadmin will set up RDP with the same password on every system for convenience.

Even better, many system admins use the same password to remote into client machines as they use on their system and other accounts. This means that when we capture this password we may own the entire domain and network!

To find any keys pressed in the hexadecimal file capture, use the Find feature in Notepad to search for “key pressed”. This will find each of the keystrokes, one-by-one, of any keystrokes entered by the sysadmin including their password. 

Hope you like this article of Windows Hack using Remote Desktop Connection. You can also read out other hacking articles here

Have any questions in mind, comment below