This chapter covers the exploitation of the Remote Desktop Protocol (RDP), with a primary focus on the BlueKeep vulnerability (CVE-2019-0708). BlueKeep is a critical remote code execution vulnerability in Microsoft's RDP implementation that allows unauthenticated attackers to take control of vulnerable systems. On the PT0-002 exam, RDP exploitation and BlueKeep appear in Domain 3.0 (Attacks and Exploits) under Objective 3.1 (Given a scenario, exploit vulnerabilities in a network or system). Expect 2-4 questions on RDP exploitation, including BlueKeep specifics. This chapter provides the depth needed to answer any exam question on RDP attacks, including scanning, exploitation, and mitigation.
Imagine a secure office building with a receptionist at the front desk. The receptionist's job is to verify visitors before allowing them into the building. The building has an RDP door: a special entrance for remote workers. Normally, visitors must knock, identify themselves, and be buzzed in. However, a flaw (BlueKeep) exists in the receptionist's verification process. The receptionist has a broken peephole: when a visitor knocks, the receptionist opens the door slightly to see who it is, but the peephole doesn't work properly, so the receptionist relies on the visitor's voice. A malicious visitor can craft a special knock that causes the receptionist to open the door fully and then freeze, leaving the door wide open. The attacker can then walk in and take control of the building. In technical terms, the RDP service (TermDD.sys) has a use-after-free vulnerability in its handling of certain packets. When an attacker sends specially crafted RDP packets, they trigger a kernel-mode memory corruption that allows arbitrary code execution with SYSTEM privileges. The attacker does not need valid credentials—just network access to port 3389. The vulnerability exists because the kernel driver does not properly validate memory references before use, allowing an attacker to free a memory object and then reference it again, leading to a privilege escalation.
What is RDP and Why is It Targeted?
Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote desktop connections to Windows systems. It listens on TCP port 3389 by default. RDP is heavily targeted by attackers because it is widely used for remote administration and often exposed to the internet. The PT0-002 exam expects you to understand how to exploit RDP vulnerabilities, including BlueKeep, and how to mitigate them.
BlueKeep (CVE-2019-0708) Overview
BlueKeep is a critical remote code execution vulnerability in the Remote Desktop Services component of Windows. It affects Windows 7, Windows Server 2008 R2, and Windows Server 2008. Windows 8 and Windows 10 are not vulnerable. The vulnerability is in the RDP kernel driver termdd.sys (Terminal Server Device Driver). It is a use-after-free vulnerability that allows an unauthenticated attacker to send specially crafted RDP packets to trigger memory corruption and execute arbitrary code with SYSTEM privileges. The vulnerability does not require user interaction or valid credentials.
How BlueKeep Works Internally
The vulnerability lies in the termdd.sys driver's handling of RDP packets during the initial connection setup. Specifically, the driver manages internal data structures called Channel objects that represent communication channels between the client and server. When a client initiates a connection, the server allocates memory for these channel objects. However, due to a flaw in the code that handles certain malformed packets, the driver can be tricked into freeing a channel object while still retaining a pointer to it. Later, when that pointer is dereferenced, the system accesses freed memory, leading to a use-after-free condition.
An attacker can exploit this by sending a sequence of RDP packets that cause the driver to free a channel object and then allocate a new object (e.g., a crafted data structure) at the same memory location. When the original pointer is used to access the freed memory, it now points to the attacker-controlled data. This allows the attacker to overwrite critical kernel structures and execute arbitrary code.
Key Components and Defaults
Port: TCP 3389 (default)
Vulnerable OS: Windows 7, Windows Server 2008 R2, Windows Server 2008
Non-vulnerable OS: Windows 8, Windows 10, Windows Server 2012 and later
CVSS Score: 10.0 (Critical)
Exploit Type: Remote Code Execution (RCE), unauthenticated
Affected Component: termdd.sys (Terminal Server Device Driver)
Patch: MS19-022 (March 2019)
Scanning for BlueKeep
Penetration testers can scan for BlueKeep vulnerability using tools like nmap with the rdp-vuln-ms12-020 script (which also detects CVE-2019-0708 in some versions) or dedicated BlueKeep scanners. The most reliable scanner is the BlueKeep Scanner by zerosum0x0, which sends specially crafted packets to test if the system is vulnerable without crashing it.
Nmap command to check RDP availability:
nmap -p 3389 <target-ip>

For a more detailed scan using the rdp-vuln-ms12-020 script (note: this script primarily detects MS12-020, but can also indicate BlueKeep in some cases):

nmap -sV --script rdp-vuln-ms12-020 -p 3389 <target-ip>

However, the most accurate method is to use a dedicated BlueKeep scanner, such as:

python bluekeep_scanner.py <target-ip>

Exploitation Steps
Identify vulnerable systems: Use Nmap or a BlueKeep scanner to find systems with RDP open on port 3389 and running a vulnerable OS.
Prepare exploit: Use a known working exploit, such as the Metasploit module exploit/windows/rdp/cve_2019_0708_bluekeep_rce.
Set target: Configure the exploit with the target IP and optionally specify a target architecture (e.g., TARGET 2 for Windows 7 SP1 x64).
Execute exploit: Run the exploit. If successful, you will get a SYSTEM shell or a Meterpreter session.
Metasploit example:
msf6 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set RHOSTS 192.168.1.100
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set TARGET 2
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

Interaction with Related Technologies
BlueKeep exploits the RDP service itself, not any specific authentication mechanism. However, some mitigations like Network Level Authentication (NLA) can prevent the exploit from working because NLA requires authentication before the vulnerable code path is reached. NLA is enabled by default on newer Windows versions but may be disabled on older systems. As a result, the exploit only succeeds when NLA is disabled, or when the attacker already holds valid credentials to pass the NLA step (the vulnerability itself remains pre-authentication). In practice, most vulnerable systems have NLA disabled, making them exploitable.
Mitigation
Patch: Apply MS19-022 or later cumulative updates.
Disable RDP: If not needed, disable Remote Desktop Services.
Enable NLA: Network Level Authentication forces authentication before the RDP session is established, blocking the vulnerable code path.
Use VPN: Restrict RDP access to internal networks via VPN.
Firewall: Block port 3389 from the internet.
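The distinction the NLA section and the mitigation list draw, between a host that is vulnerable (the flawed termdd.sys code is present) and one that is exploitable (an unauthenticated attacker can reach that code over port 3389), is the kind of thing an assessor has to apply across a whole inventory. The following audit script is an added example, not part of the original chapter and not any tool the chapter names. It encodes the chapter's rules only: the affected OS set, patch as the definitive fix, NLA as a block that leaves the host vulnerable, and internet exposure as the tie-breaker for urgency. The Host fields and the inventory records are constructed assumptions, not real assets.

```python
"""Audit a host inventory for BlueKeep (CVE-2019-0708) exposure.

Added example, not part of the original chapter and not a tool the chapter
names. It encodes the chapter's rules: only Windows 7, Server 2008 and
Server 2008 R2 are affected; the patch removes the flaw; NLA blocks the
unauthenticated code path but leaves the host vulnerable; RDP reachable
from the internet is the most urgent case. The Host fields and the
inventory records below are constructed assumptions, not real assets.
"""
from dataclasses import dataclass

# OS versions the chapter lists as affected; anything else is treated as not affected.
AFFECTED_OS = {"Windows 7", "Windows Server 2008", "Windows Server 2008 R2"}

# Higher number = more urgent. States mirror the chapter's vulnerable vs. exploitable split.
SEVERITY = {
    "exploitable": 3,              # unpatched, RDP open, no NLA: reachable pre-auth
    "vulnerable_nla_blocks": 2,    # flaw present, NLA stops the unauthenticated path
    "vulnerable_rdp_disabled": 1,  # flaw present, but nothing listening on 3389
    "patched": 0,
    "not_affected": 0,
}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    rdp_open: bool          # TCP 3389 listening
    patched: bool           # BlueKeep fix installed
    nla_enabled: bool       # Network Level Authentication required
    internet_exposed: bool  # 3389 reachable from the internet


def classify(host: Host) -> str:
    """Return the host's BlueKeep state according to the chapter's rules."""
    if host.os not in AFFECTED_OS:
        return "not_affected"
    if host.patched:
        return "patched"
    if not host.rdp_open:
        return "vulnerable_rdp_disabled"
    if host.nla_enabled:
        return "vulnerable_nla_blocks"
    return "exploitable"


def recommend(host: Host) -> list:
    """Ordered mitigations from the chapter for a host that still carries the flaw."""
    if classify(host) in ("not_affected", "patched"):
        return []
    actions = ["apply the BlueKeep patch"]  # the definitive fix
    if host.rdp_open and not host.nla_enabled:
        actions.append("enable NLA")  # blocks the pre-auth path until patched
    if host.internet_exposed:
        actions.append("block TCP 3389 from the internet; require VPN")
    if host.rdp_open:
        actions.append("disable Remote Desktop Services if not needed")
    return actions


def triage(hosts) -> list:
    """(name, state) pairs, most urgent first; internet exposure breaks ties."""
    ordered = sorted(
        hosts,
        key=lambda h: (-SEVERITY[classify(h)], -int(h.internet_exposed), h.name),
    )
    return [(h.name, classify(h)) for h in ordered]


# Constructed sample inventory (not real hosts).
INVENTORY = [
    Host("WS7-LEGACY-01", "Windows 7", True, False, False, True),
    Host("WS7-LEGACY-02", "Windows 7", True, False, True, False),
    Host("SRV2008R2-FILE", "Windows Server 2008 R2", False, False, False, False),
    Host("SRV2008-DC", "Windows Server 2008", True, True, False, False),
    Host("WS10-DESK-04", "Windows 10", True, False, False, True),
]

if __name__ == "__main__":
    for name, state in triage(INVENTORY):
        host = next(h for h in INVENTORY if h.name == name)
        print(f"{name:16} {state:24} {'; '.join(recommend(host)) or '-'}")
```

Running the script lists the internet-exposed, unpatched, NLA-off Windows 7 host first, the NLA-protected host second (still vulnerable, so the patch recommendation stays), and the Windows 10 host as not affected even though its RDP is exposed, which is exactly the distinction the exam tests.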
Detection
BlueKeep exploitation can be detected through network traffic analysis. The exploit sends a specific sequence of RDP packets that deviate from normal RDP traffic. Intrusion detection systems (IDS) like Snort or Suricata have signatures for BlueKeep. Additionally, system logs may show unexpected crashes or reboots (BSOD) if the exploit fails. Event ID 1001 (Windows Error Reporting) can indicate a crash in termdd.sys.
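The two detection sources above, IDS signatures on the wire and Event ID 1001 crash reports naming termdd.sys on the host, are far more useful together than apart: an alert followed by a termdd.sys bugcheck on the same host is the signature of a failed exploit attempt. The correlation script below is an added example, not from the original chapter. Every log line in it is a constructed sample; the signature IDs 9999001 and 9999002 are placeholders rather than real rule numbers, the hostnames and addresses are not real assets, and the fast.log and forwarded-event line layouts are assumptions about how a sensor and a log forwarder write their records.

```python
"""Correlate IDS alerts with Windows crash events to triage possible
BlueKeep (CVE-2019-0708) activity.

Added example, not from the original chapter. Every log line below is a
constructed sample: the signature IDs 9999001/9999002 are placeholders
(not real rule numbers), and the hostnames and addresses are not real
assets. The fast.log and event line layouts are assumptions about how the
sensor and log forwarder write their records.
"""
import re
from collections import defaultdict

# Constructed Suricata-style fast.log lines.
IDS_ALERTS = """\
09/15/2019-10:14:02.113  [**] [1:9999001:1] EXPLOIT Possible BlueKeep CVE-2019-0708 exploit attempt [**] [Priority: 1] {TCP} 203.0.113.7:51234 -> 10.0.5.21:3389
09/15/2019-10:14:09.870  [**] [1:9999001:1] EXPLOIT Possible BlueKeep CVE-2019-0708 exploit attempt [**] [Priority: 1] {TCP} 203.0.113.7:51240 -> 10.0.5.22:3389
09/15/2019-10:20:41.002  [**] [1:9999002:1] POLICY RDP connection from external network [**] [Priority: 3] {TCP} 198.51.100.9:40111 -> 10.0.5.30:3389
"""

# Constructed Windows event lines as a syslog forwarder might emit them.
WIN_EVENTS = """\
Sep 15 10:14:06 WS7-LEGACY-01 EventID=1001 Source="Windows Error Reporting" Fault bucket 0x50; BugCheck; faulting module termdd.sys
Sep 15 10:31:52 WS7-LEGACY-03 EventID=1001 Source="Windows Error Reporting" Fault bucket 0x50; BugCheck; faulting module termdd.sys
Sep 15 11:02:17 WS10-DESK-04 EventID=1001 Source="Windows Error Reporting" Fault bucket 0x116; BugCheck; faulting module vendor_gpu.sys
Sep 15 11:05:00 WS7-LEGACY-01 EventID=7036 Source="Service Control Manager" The Remote Desktop Services service entered the running state.
"""

# Constructed mapping from the IDS's destination IP to the host's name in the event log.
IP_TO_HOST = {"10.0.5.21": "WS7-LEGACY-01", "10.0.5.22": "WS7-LEGACY-02", "10.0.5.30": "SRV2012-APP-01"}

# timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# Mon DD HH:MM:SS host EventID=n Source="..." free text
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"EventID=(?P<eid>\d+)\s+Source=\"(?P<source>[^\"]+)\"\s+(?P<msg>.*)$"
)


def parse_fast_log(text):
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["sid"], d["dport"] = int(d["sid"]), int(d["dport"])
            alerts.append(d)
    return alerts


def parse_events(text):
    """Parse forwarded Windows event lines into dicts with an integer EventID."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            d = m.groupdict()
            d["eid"] = int(d["eid"])
            events.append(d)
    return events


def is_bluekeep_alert(alert):
    """BlueKeep signature hit aimed at the RDP port."""
    msg = alert["msg"].lower()
    return alert["dport"] == 3389 and ("cve-2019-0708" in msg or "bluekeep" in msg)


def is_termdd_crash(event):
    """Event ID 1001 (Windows Error Reporting) naming the RDP kernel driver."""
    return event["eid"] == 1001 and "termdd.sys" in event["msg"].lower()


def correlate(alerts, events, ip_to_host):
    """Group BlueKeep indicators by host and attach a triage verdict."""
    findings = defaultdict(lambda: {"alerts": 0, "crashes": 0, "sources": set()})
    for a in alerts:
        if is_bluekeep_alert(a):
            host = ip_to_host.get(a["dst"], a["dst"])
            findings[host]["alerts"] += 1
            findings[host]["sources"].add(a["src"])
    for e in events:
        if is_termdd_crash(e):
            findings[e["host"]]["crashes"] += 1
    for f in findings.values():
        if f["alerts"] and f["crashes"]:
            f["verdict"] = "likely failed BlueKeep attempt (IDS alert followed by termdd.sys crash)"
        elif f["alerts"]:
            f["verdict"] = "BlueKeep attempt seen on the wire; check whether the host is patched or behind NLA"
        else:
            f["verdict"] = "termdd.sys crash without an IDS alert; review RDP traffic to this host"
    return dict(findings)


if __name__ == "__main__":
    for host, f in correlate(parse_fast_log(IDS_ALERTS), parse_events(WIN_EVENTS), IP_TO_HOST).items():
        print(f"{host}: alerts={f['alerts']} crashes={f['crashes']} from={sorted(f['sources'])} -> {f['verdict']}")
```

The generic RDP policy alert and the unrelated driver crash are deliberately left in the sample data so the filters have something to reject; the crash-only host is reported too, because a termdd.sys bugcheck with no matching alert may simply mean the sensor does not see that segment.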
Exam Relevance
On the PT0-002 exam, you may be asked to:
Identify which systems are vulnerable to BlueKeep (Windows 7, Server 2008 R2, Server 2008).
Explain the impact (RCE with SYSTEM privileges).
Recommend mitigations (patch, enable NLA, firewall).
Understand that the exploit does not require authentication.
Recognize that NLA can block the exploit even on vulnerable systems.
Scan for RDP Service
Use Nmap to scan the target for open port 3389. This step identifies systems running RDP. The command `nmap -p 3389 <target>` will show if the port is open. A more thorough scan with service detection (`-sV`) can confirm the RDP service. This is the first step in any RDP exploitation attempt.
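The scan step above produces one line per host, and on a large network the useful output is the list of addresses where 3389 is actually open (not filtered or closed), together with any service banner `-sV` recovered. The parser below is an added example, not from the original chapter; it reads Nmap's greppable output format (`-oG`), which the chapter does not show. The scan output embedded in it is a constructed sample using documentation-range addresses, not a real scan.

```python
"""Pull hosts with TCP 3389 open out of Nmap greppable output (-oG).

Added example, not from the original chapter. The scan output below is a
constructed sample in Nmap's greppable format; the addresses and names are
placeholders. Only 'Host:' lines that carry a 'Ports:' field are parsed.
"""
import re

# Constructed sample of `nmap -p 3389 -sV -oG - <range>`-style output.
# Greppable port entries are port/state/protocol/owner/service/rpc/version/.
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample) as: nmap -p 3389 -sV -oG - 10.0.5.0/24
Host: 10.0.5.21 (ws7-legacy-01.example.test)\tStatus: Up
Host: 10.0.5.21 (ws7-legacy-01.example.test)\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
Host: 10.0.5.22 ()\tPorts: 3389/open/tcp//ms-wbt-server///
Host: 10.0.5.30 (srv2012-app-01.example.test)\tPorts: 3389/filtered/tcp//ms-wbt-server///
Host: 10.0.5.40 ()\tPorts: 3389/closed/tcp//ms-wbt-server///
# Nmap done (constructed sample) -- 256 IP addresses (4 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>[^\t]*)")


def open_rdp_hosts(text, port="3389"):
    """Return {ip: {"name": hostname or None, "version": banner}} for hosts with the port open."""
    found = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no port data
        for entry in m.group("ports").split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            p, state, proto = fields[0], fields[1], fields[2]
            if p == port and proto == "tcp" and state == "open":
                version = fields[6] if len(fields) > 6 else ""
                found[m.group("ip")] = {"name": m.group("name") or None, "version": version}
    return found


if __name__ == "__main__":
    for ip, info in open_rdp_hosts(SAMPLE_GREPABLE).items():
        print(f"{ip:14} {info['name'] or '-':32} {info['version'] or '(no banner)'}")
```

Filtered and closed entries are dropped on purpose: a filtered 3389 is the firewall result the mitigation list asks for, and only the open ones need to go on to the vulnerability check in the next step.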
Check for BlueKeep Vulnerability
Use a dedicated BlueKeep scanner or Nmap's `rdp-vuln-ms12-020` script to determine if the target is vulnerable. The scanner sends a specific sequence of RDP packets that trigger the vulnerable code path without crashing the system. A vulnerable system will respond with a particular error or behavior. This step is critical to avoid crashing systems unnecessarily.
Configure Metasploit Exploit
Load the Metasploit module `exploit/windows/rdp/cve_2019_0708_bluekeep_rce`. Set the target IP with `set RHOSTS <ip>`. Choose the appropriate target architecture based on the OS version (e.g., TARGET 2 for Windows 7 SP1 x64). Optionally set a payload, such as `windows/x64/meterpreter/reverse_tcp`. This step prepares the exploit for execution.
Launch Exploit
Run the exploit with the `run` or `exploit` command. The exploit sends crafted RDP packets to trigger the use-after-free vulnerability. If successful, it will execute the payload and provide a shell or Meterpreter session with SYSTEM privileges. If it fails, the target may crash (BSOD). The exploit may need multiple attempts due to memory layout differences.
Post-Exploitation Actions
Once access is obtained, perform post-exploitation tasks such as lateral movement, data exfiltration, or persistence; privilege escalation is normally unnecessary, since the exploit already yields SYSTEM. Use Meterpreter commands like `getsystem` (if needed), `hashdump`, or `shell`. This step demonstrates full compromise of the target.
In enterprise environments, RDP is commonly used for remote administration of servers and workstations. For example, a company with hundreds of Windows 7 machines in a legacy manufacturing environment might rely on RDP for IT staff to manage these systems remotely. When BlueKeep was disclosed, such organizations faced a critical risk because their unpatched systems were directly exploitable over the network. A penetration tester would scan the internal network for port 3389 and then use a BlueKeep scanner to identify vulnerable hosts. The tester would then exploit one of these systems to demonstrate the risk to management. Another scenario involves a managed service provider (MSP) that uses RDP to support client servers. If the MSP has not patched its own management servers, an attacker could exploit BlueKeep to gain access to the MSP's infrastructure and then pivot to client networks. In production, RDP is often configured with Network Level Authentication (NLA) to require authentication before a session is established. However, many legacy systems have NLA disabled, making them vulnerable. Performance considerations include the fact that BlueKeep exploitation can cause denial of service if the exploit fails, resulting in a blue screen of death (BSOD). In a real engagement, the tester must be careful to use stable exploits and have a rollback plan. Misconfiguration often occurs when administrators expose RDP directly to the internet without VPN or multi-factor authentication. Even after patching, many organizations forget to enable NLA, leaving a residual risk. The PT0-002 exam tests your ability to recommend proper mitigations: patch, enable NLA, and restrict access via firewall.
The PT0-002 exam tests RDP exploitation under Objective 3.1 (Exploit vulnerabilities). Key points to remember: BlueKeep (CVE-2019-0708) affects Windows 7, Server 2008 R2, and Server 2008 only. It does NOT affect Windows 8, 10, or Server 2012+. The vulnerability is in termdd.sys and is a use-after-free. It does NOT require authentication. The CVSS score is 10.0.

Common wrong answers include:
(1) Thinking BlueKeep requires valid credentials — it does not.
(2) Confusing BlueKeep with MS12-020 (another RDP vulnerability that also affects XP). MS12-020 is a different vulnerability (CVE-2012-0002) that allows denial of service or RCE but requires authentication in some cases. The exam may ask which systems are vulnerable; candidates often incorrectly include Windows 10.
(3) Believing that enabling NLA alone fully mitigates BlueKeep — while NLA blocks the exploit on vulnerable systems, patching is the primary fix.
(4) Assuming BlueKeep affects all RDP versions — it only affects specific older versions of Windows.

The exam may present a scenario where a company has Windows 7 machines with RDP exposed; the correct answer is to patch or disable RDP. Specific numbers: port 3389, CVSS 10.0, vulnerability in termdd.sys.

Edge cases: If NLA is enabled, the exploit fails even on vulnerable systems. The exam might test that a system with NLA enabled is still vulnerable but not exploitable without credentials. Another edge case: the exploit can cause a BSOD if it fails, so in a penetration test you must be cautious.

How to eliminate wrong answers: If an answer mentions 'authentication required' for BlueKeep, it is wrong. If it lists Windows 10 as vulnerable, it is wrong. If it suggests that patching is unnecessary if NLA is enabled, it is wrong because NLA can be bypassed in some scenarios or may not be enforced.
BlueKeep (CVE-2019-0708) is a use-after-free vulnerability in termdd.sys affecting Windows 7, Server 2008 R2, and Server 2008.
The exploit does not require authentication; it is pre-authentication remote code execution with SYSTEM privileges.
CVSS score is 10.0 (Critical). Default RDP port is TCP 3389.
Network Level Authentication (NLA) blocks the exploit but does not patch the vulnerability.
Mitigations: apply MS19-022 patch, disable RDP if not needed, enable NLA, and restrict port 3389 with firewalls.
Common exam wrong answers: requiring authentication, affecting Windows 10, being only a DoS vulnerability.
Tools: Nmap for scanning, Metasploit module exploit/windows/rdp/cve_2019_0708_bluekeep_rce for exploitation.
Detection: IDS signatures, system crashes (BSOD) in termdd.sys, Event ID 1001.
These come up on the exam all the time. Here's how to tell them apart.
BlueKeep (CVE-2019-0708)
Affects Windows 7, Server 2008 R2, Server 2008
Use-after-free in termdd.sys
No authentication required
CVSS 10.0 (Critical)
RCE with SYSTEM privileges
MS12-020 (CVE-2012-0002)
Affects Windows XP, Server 2003, Windows 7, Server 2008 R2
Vulnerability in RDP protocol handling (not use-after-free)
May require authentication for some attack vectors
CVSS 9.3 (Critical) for RCE
RCE or DoS depending on exploit
Mistake
BlueKeep requires valid credentials to exploit.
Correct
BlueKeep is a pre-authentication vulnerability. The exploit sends specially crafted RDP packets before any authentication occurs, so no credentials are needed.
Mistake
BlueKeep affects all versions of Windows with RDP enabled.
Correct
BlueKeep only affects Windows 7, Windows Server 2008 R2, and Windows Server 2008. Windows 8, 10, and Server 2012+ are not vulnerable.
Mistake
Enabling Network Level Authentication (NLA) fully protects against BlueKeep.
Correct
NLA blocks the exploit on vulnerable systems, but the underlying vulnerability remains. Patching is the definitive fix. NLA can be bypassed in some configurations or if credentials are compromised.
Mistake
BlueKeep is a denial-of-service vulnerability only.
Correct
BlueKeep allows remote code execution with SYSTEM privileges. While a failed exploit can cause a BSOD (DoS), the primary impact is RCE.
Mistake
The BlueKeep exploit always works on the first attempt.
Correct
The exploit may require multiple attempts due to memory layout variations. It is not 100% reliable and can crash the target if it fails.
BlueKeep (CVE-2019-0708) is a critical remote code execution vulnerability in Microsoft's Remote Desktop Protocol (RDP) affecting Windows 7, Server 2008 R2, and Server 2008. It allows an unauthenticated attacker to send specially crafted RDP packets to gain SYSTEM-level access. It is critical because it requires no user interaction and can be wormable, spreading automatically between vulnerable systems.
No, BlueKeep does not affect Windows 10, Windows 8, or Windows Server 2012 and later. It only affects Windows 7, Windows Server 2008 R2, and Windows Server 2008. On the PT0-002 exam, remember this distinction.
No, if NLA is enabled, the exploit fails because the vulnerable code path is only reached after authentication. However, the system is still vulnerable, and patching is required. NLA is a mitigation, not a fix.
RDP uses TCP port 3389 by default. You can scan for open RDP with Nmap: `nmap -p 3389 <target>`. To check for BlueKeep, use a dedicated scanner or the Metasploit module. Some Nmap scripts like `rdp-vuln-ms12-020` may detect it, but they are not always accurate.
BlueKeep (CVE-2019-0708) is a use-after-free in termdd.sys affecting Windows 7/Server 2008 R2/Server 2008, with a CVSS of 10.0. MS12-020 (CVE-2012-0002) is a separate RDP vulnerability affecting older systems like Windows XP and Server 2003, with a CVSS of 9.3. MS12-020 may require authentication for some attack vectors, while BlueKeep does not.
First, confirm the vulnerability with a stable scanner to avoid crashing the system. Then, explain the risk to the client and recommend patching (MS19-022), enabling NLA, and restricting RDP access. You may demonstrate the exploit with caution, ensuring you have permission and a rollback plan.
Detection can be done via network intrusion detection systems (IDS) with signatures for BlueKeep. System logs may show unexpected crashes or Event ID 1001 (Windows Error Reporting) referencing termdd.sys. A BSOD is a sign of a failed exploit.