Port 3389 – RDP (Remote Desktop Protocol)

Service:

TermService, xrdp

Protocol:

TCP

Port:

3389

Used for:

Remote desktop access to Windows systems

Why It’s Open

RDP is the standard way to remotely manage Windows servers and desktops via GUI. It’s widely used in enterprise IT and remote support environments.

Common Risks

  • BlueKeep (CVE-2019-0708): A critical wormable vulnerability.
  • Brute Force Attacks: Common target for weak password cracking.
  • Credential Theft: Via clipboard sharing or keylogging malware.
  • Exposed to Internet: Big no-no without additional hardening.


Enumeration & Testing

Nmap enumeration

nmap -p 3389 -sV <target>
nmap -p 3389 --script rdp-enum-encryption <target>
rdesktop <target>

What to Look For

Checkpoint                What it means
RDP open to internet      Major attack surface
Weak/NX auth configs      May allow MITM or downgrade attacks
Unpatched Windows         BlueKeep or other RDP exploits possible
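The "weak auth configs" checkpoint above can be checked mechanically against the output of the rdp-enum-encryption Nmap script named earlier. The following is an added example, not code from the original page or from PentestPad: it parses the script's per-setting lines and flags the conditions that matter for downgrade and MITM risk. The sample scan output is constructed, and its line layout is an assumption about the script's format.

```python
import re

# Constructed sample output of `nmap -p 3389 --script rdp-enum-encryption`
# (not a real scan); layout assumed to follow the script's "|   Name: RESULT" lines.
SAMPLE_OUTPUT = """\
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
"""

# Matches "|   Name: RESULT" and the final "|_  Name: RESULT" line; header lines
# without a value after the colon (e.g. "| rdp-enum-encryption:") are skipped.
LINE_RE = re.compile(r"^\|_?\s+(?P<name>[^:]+):\s+(?P<result>.+?)\s*$")

def parse_rdp_enum(output):
    """Return {setting_name: result} parsed from rdp-enum-encryption output."""
    settings = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group("name").strip()] = m.group("result")
    return settings

def assess_rdp(settings):
    """Map parsed settings onto the 'What to Look For' checkpoints."""
    findings = []
    if settings.get("CredSSP (NLA)") != "SUCCESS":
        findings.append("NLA not offered: unauthenticated clients reach the logon screen")
    if settings.get("Native RDP") == "SUCCESS":
        findings.append("Native RDP security accepted: session can be downgraded below TLS (MITM risk)")
    for weak in ("40-bit RC4", "56-bit RC4"):
        if settings.get(weak) == "SUCCESS":
            findings.append(f"{weak} accepted: weak legacy cipher enabled")
    return findings

if __name__ == "__main__":
    for finding in assess_rdp(parse_rdp_enum(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```

A host that only reports "CredSSP (NLA): SUCCESS" with "Native RDP: FAILED" and no 40/56-bit RC4 produces an empty findings list, which is the hardened state the Mitigation section asks for.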

Known Exploits

  1. CVE-2019-0708 - BlueKeep

A critical remote code execution (RCE) vulnerability in Remote Desktop Services that allows unauthenticated attackers to execute arbitrary code without user interaction.

Affected Systems: Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008.

Impact: Potential for wormable attacks similar to WannaCry.

🔗 NVD Entry

🔗 Microsoft Advisory

  2. CVE-2012-0002 - MS12-020

A vulnerability in the RDP implementation that allows remote attackers to execute arbitrary code by sending specially crafted RDP packets.

Affected Systems: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Impact: Could lead to system compromise.

🔗 NVD Entry

🔗 Microsoft Advisory

  3. CVE-2018-0886 - CredSSP Vulnerability

A vulnerability in the Credential Security Support Provider protocol (CredSSP) that could allow remote code execution if an attacker intercepts and modifies RDP sessions.

Affected Systems: Multiple versions of Windows, including Windows 7, Windows Server 2012, and Windows 10.

Impact: Man-in-the-middle attacks leading to credential theft and code execution.

🔗 NVD Entry

🔗 Microsoft Advisory

  4. CVE-2020-0609 & CVE-2020-0610 - BlueGate

Remote code execution vulnerabilities in Windows Remote Desktop Gateway (RD Gateway) that allow unauthenticated attackers to execute arbitrary code by sending specially crafted requests.

Affected Systems: Windows Server 2012, 2012 R2, 2016, and 2019.

Impact: Potential for full system compromise via RD Gateway.

🔗 CVE-2020-0609 NVD Entry

🔗 CVE-2020-0610 NVD Entry

🔗 Microsoft Advisory for CVE-2020-0609

🔗 Microsoft Advisory for CVE-2020-0610

Mitigation

  • Use RDP gateways and VPNs.
  • Enable Network Level Authentication (NLA).
  • Limit logins with account lockout policies.
  • Monitor login attempts and user behavior.

Real-World Example

The BlueKeep vulnerability was exploited in real-world attacks, allowing remote code execution on unpatched Windows machines across the internet.

TL;DR

  • Service: Remote Desktop Protocol (RDP)
  • Default Port: 3389
  • Risks: Unauthenticated RCE, wormable exploit
  • Mitigation: Apply patches, enable Network Level Authentication, restrict access