Remote Desktop Protocol (RDP) Discovery

Published: 2021-10-30
Last Updated: 2021-10-30 17:08:38 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

I have noticed a surge in probes against the RDP service in the past 2 weeks. In August, a critical patch was released to fix a remote code execution (RCE) vulnerability, CVE-2021-34535, for which a POC exploit is available. This vulnerability also affects Microsoft Hyper-V Manager “Enhanced Session Mode” [5] and Microsoft Defender Application Guard (WDAG) [6].

According to Shodan [7], there are over 4.89M IPs with TCP:3389 listening and over 3.9M IPs with RDP listening on other ports, mainly 3388 [8]. Besides TCP:3389, my honeypot logged mstshash probes against other ports such as 21, 23, 80, 8000 and 8080.

20211018-022140: data
\x03\x00\x00+&\xe0\x00\x00\x00\x00\x00Cookie: mstshash=hello\r\n\x01\x00\x08\x00\x03\x00\x00\x00

[2021-10-30 08:42:54] [1558] [ftp_21_tcp 16145] [] recv: .../*......Cookie: mstshash=Administr
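As an added, runnable illustration (not code from the diary or from the honeypot it describes) of what those two log lines contain: the probe is a TPKT-framed X.224 Connection Request, the first packet an RDP client sends, and the mstshash cookie inside it normally carries a truncated username the client intends to log in with. The parser below extracts that cookie and the requested security protocols, tolerates captures cut off mid-cookie like the ftp_21 line above, and flags probes that arrive on a port other than 3389. The sample events are constructed: the first payload is the probe quoted in the diary, the others are invented variants; the (port, payload) event layout is an assumption.

```python
import struct
from typing import Iterable, Optional

# requestedProtocols flags of the RDP Negotiation Request (MS-RDPBCGR 2.2.1.1.1)
NEG_PROTOCOLS = {0x1: "TLS", 0x2: "CredSSP", 0x4: "RDSTLS", 0x8: "CredSSP-EX"}
COOKIE_MARKER = b"Cookie: mstshash="

# Constructed sample events (port, payload). The first payload is the probe
# quoted in the diary; the remaining ones are constructed edge cases.
SAMPLE_EVENTS = [
    (3389, b"\x03\x00\x00+&\xe0\x00\x00\x00\x00\x00Cookie: mstshash=hello\r\n"
           b"\x01\x00\x08\x00\x03\x00\x00\x00"),
    # probe on the FTP port, cut off mid-cookie (TPKT header claims 47 bytes)
    (21, b"\x03\x00\x00\x2f\x2a\xe0\x00\x00\x00\x00\x00Cookie: mstshash=Administr"),
    # cookie present but no negotiation request (older client behaviour)
    (8080, b"\x03\x00\x00\x23\x1e\xe0\x00\x00\x00\x00\x00Cookie: mstshash=guest\r\n"),
    # plain HTTP request on port 80: must not be reported as RDP
    (80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]


def parse_x224_connection_request(data: bytes) -> Optional[dict]:
    """Parse a TPKT-framed X.224 Connection Request.

    Returns None if the bytes are not one. A truncated capture is not an
    error: whatever fields were readable are reported and the rest left empty.
    """
    # TPKT: version 3, reserved 0, 16-bit big-endian total length
    if len(data) < 6 or data[0] != 0x03 or data[1] != 0x00:
        return None
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    # X.224: length indicator, then TPDU code; high nibble 0xE is CR (connection request)
    if (data[5] & 0xF0) != 0xE0:
        return None
    info = {
        "tpkt_length": tpkt_len,
        "received": len(data),
        "truncated": len(data) < tpkt_len,
        "cookie": None,
        "cookie_complete": False,
        "protocols": [],
    }
    # variable part starts after LI, code, DST-REF(2), SRC-REF(2), class option
    variable = data[11:]
    rest = variable
    if variable.startswith(COOKIE_MARKER):
        end = variable.find(b"\r\n")
        if end == -1:  # capture ended before the cookie terminator
            info["cookie"] = variable[len(COOKIE_MARKER):].decode("latin-1")
            return info
        info["cookie"] = variable[len(COOKIE_MARKER):end].decode("latin-1")
        info["cookie_complete"] = True
        rest = variable[end + 2:]
    # optional RDP_NEG_REQ: type 0x01, flags, length 8 (LE), requestedProtocols (LE)
    if len(rest) >= 8 and rest[0] == 0x01:
        _, _, length, protocols = struct.unpack("<BBHI", rest[:8])
        if length == 8:
            if protocols == 0:
                info["protocols"] = ["standard RDP security"]
            else:
                info["protocols"] = [n for bit, n in NEG_PROTOCOLS.items() if protocols & bit]
    return info


def triage(events: Iterable[tuple]) -> list:
    """Run the parser over (port, payload) honeypot events and return one
    finding per RDP probe, flagging those that hit a port other than 3389."""
    findings = []
    for port, payload in events:
        parsed = parse_x224_connection_request(payload)
        if parsed is None:
            continue
        findings.append({
            "port": port,
            "nonstandard_port": port != 3389,
            "username": parsed["cookie"],
            "cookie_complete": parsed["cookie_complete"],
            "truncated": parsed["truncated"],
            "protocols": parsed["protocols"],
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The diary's probe decodes to cookie `hello` with requestedProtocols 3 (TLS and CredSSP), and the ftp_21 capture yields the partial username `Administr` with the truncated flag set, which is exactly what you would want to key the "Top 10 Usernames" and per-port counts on.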

Top 10 Usernames

Top 10 Sources

If using RDP, Microsoft provided the following information on "Security guidance for remote desktop adoption".


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu



Why do people connect RD directly to the internet? In today's environment it is fairly straightforward to set up an OpenVPN server in conjunction with a pfsense firewall. Then you add a significant layer of security to your facilities that is difficult to peel away remotely.
