A comprehensive exploration of RDP — from OSI layer mapping to packet structure, security vulnerabilities, and hands-on header construction.
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. It transmits the display output from the remote computer and sends keyboard/mouse input from the client.
RDP operates primarily on TCP port 3389 (and optionally UDP 3389 for enhanced performance) and supports features like clipboard sharing, file transfer, audio redirection, and multi-monitor support.
Key features: Graphical remote access • Clipboard sync • File transfer • Audio/video redirection • Printer redirection • Smart card auth • Multi-monitor • RemoteApp
Components: RDP Client (mstsc.exe) • Remote Desktop Services (RDS) • Connection Broker • Session Host • Virtual Channel Manager • MCS Transport Layer
Administration: Port configuration & firewall rules • NLA enforcement • Group Policy for RDP • Certificate management • Network Level Authentication • Session monitoring
| Port | Protocol | Service | Description | Status |
|---|---|---|---|---|
| 3389 | TCP | RDP | Primary remote desktop connection | ✅ Required |
| 3389 | UDP | RDP | Enhanced performance, optional | ⚪ Optional |
| 443 | TCP | RD Gateway | HTTPS tunneling of RDP traffic | 🔒 Secure |
| 3391 | UDP | RD Gateway | UDP transport for RD Gateway | ⚪ Optional |
| 3388 | TCP | Legacy RDP | Older alternate port (deprecated) | ⚠️ Legacy |
RDP does not sit at a single OSI layer; it spans several, from the TCP transport up through the session and presentation functions it layers on top.
RDP multiplexes multiple data streams over a single connection using Virtual Channels (VCs). Each channel carries one specific type of data (for example display updates, input, clipboard or device redirection).
Building an RDP protocol data unit by hand, one field at a time, is the quickest way to see how its headers fit together.
BlueKeep: a pre-authentication RCE vulnerability affecting Windows XP through Server 2008 R2 that lets an unauthenticated attacker execute code. It is wormable, since no user interaction is required. Patched in May 2019; any system still unpatched must be updated.
A related set of pre-authentication RCE vulnerabilities, grouped with BlueKeep, affecting Windows 7 through 10 and Server 2008 through 2019. They stem from a heap-based buffer overflow in RDP's decompression routines.
RDP exposed on port 3389 is a prime target for automated brute-force attacks, using tools such as Hydra and Crowbar. Account lockout policies and NLA significantly mitigate this risk, because NLA demands valid credentials before a session is ever created.
Without proper certificate validation, RDP sessions can be intercepted. Self-signed certificates are accepted by default, which is what makes interception possible. Enforce TLS with validated certificates to prevent credential interception.
NTLM credentials captured from one system can be replayed to authenticate RDP sessions on other hosts. Restricted Admin Mode and the Protected Users group mitigate this attack vector.