RDP Honeypot Enterprise Community
The RDP service emulates a Windows Remote Desktop Protocol server. It is one of the most targeted services in internal networks and an effective honeypot signal.
Configuration
```json
"rdp": [
  {
    "port": 3389,
    "version": "2019",
    "ntlm_hostname": "WIN-RDP",
    "ntlm_domain": "WORKGROUP"
  }
]
```
Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| `port` | integer | 3389 | TCP port |
| `version` | string | 2019 | OS fingerprint for negotiation flags and NTLM metadata - see table |
Version values (version)
| Value | Target OS |
|---|---|
| `winxp` | Windows XP SP3 (no NLA) |
| `win7` | Windows 7 SP1 / Server 2008 R2 |
| `win81` | Windows 8.1 / Server 2012 R2 |
| `win10` | Windows 10 20H1 |
| `win11` | Windows 11 25H2 |
| `2012` | Windows Server 2012 |
| `2012r2` | Windows Server 2012 R2 |
| `2016` | Windows Server 2016 |
| `2019` | Windows Server 2019 |
| `2022` | Windows Server 2022 |
What gets captured
| Event | Fields |
|---|---|
| Connection made | Source IP and port |
| Data sent | Raw client data |
| Login attempt | Username and authentication material from the RDP client (may include NTLM hashes) |
After the initial exchange the server closes the connection without granting a session.
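For triage of the captured raw client data, the following added example (not the honeypot's own code) parses the first packet an RDP client sends, the X.224 Connection Request, and extracts the `mstshash` cookie username and whether the client offered NLA. It assumes the "Data sent" event exposes the raw bytes; `parse_connection_request` and `build_sample` are hypothetical names, and the sample packet is constructed.

```python
import struct

# requestedProtocols bits in the RDP negotiation request (MS-RDPBCGR)
PROTOCOLS = {0x1: "TLS", 0x2: "CredSSP/NLA", 0x4: "RDSTLS", 0x8: "CredSSP-EX"}

def parse_connection_request(data: bytes) -> dict:
    """Parse the TPKT + X.224 Connection Request an RDP client sends first."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len < 11 or tpkt_len > len(data):
        raise ValueError("truncated or malformed TPKT length")
    if data[5] & 0xF0 != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    body = data[11:tpkt_len]  # skip TPKT (4 bytes) + X.224 fixed header (7 bytes)
    result = {"cookie": None, "protocols": ["standard RDP security"],
              "nla_offered": False}
    # Optional cookie line, terminated by CRLF
    end = body.find(b"\r\n")
    if body.startswith(b"Cookie: mstshash=") and end != -1:
        result["cookie"] = body[17:end].decode("ascii", "replace")
        body = body[end + 2:]
    # Optional RDP_NEG_REQ: type=0x01, flags, length=8 (LE), requestedProtocols (LE)
    if len(body) >= 8 and body[0] == 0x01:
        _, _, length, requested = struct.unpack("<BBHI", body[:8])
        if length == 8 and requested:
            result["protocols"] = [n for bit, n in PROTOCOLS.items() if requested & bit]
            result["nla_offered"] = bool(requested & 0x2)
    return result

def build_sample(user: str, requested: int) -> bytes:
    """Build a constructed sample packet (not captured traffic)."""
    payload = (b"Cookie: mstshash=" + user.encode() + b"\r\n"
               + struct.pack("<BBHI", 1, 0, 8, requested))
    x224 = bytes([6 + len(payload), 0xE0, 0, 0, 0, 0, 0]) + payload
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224

if __name__ == "__main__":
    print(parse_connection_request(build_sample("administr", 0x3)))
```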
Breadcrumb pairing
RDP breadcrumbs placed on Windows endpoints create saved RDP connections pointing to the honeypot. See RDP shortcut breadcrumb.
