As red team members and pen testers, we often crave the Graphical User Interface (GUI). While a reverse shell is powerful, sometimes you need to click through a server to find files on the Desktop, browse internal intranets with the victim’s browser, or simply visualize the environment.

Remote Desktop Protocol (RDP) is the standard for this. But there is a catch: RDP typically requires a plaintext password. This is the Pass-the-Hash (PtH) killer. Or is it?

In this guide, we will explore how to bypass this limitation using Microsoft’s Restricted Admin Mode and the xfreerdp toolset. We will turn the NTLM hash you dumped from SAM into a full interactive desktop session.


1. What is Pass-the-Hash?

Pass-the-Hash is a technique for authenticating to a system using the NTLM hash of a user’s password instead of the actual plaintext password. This works because the NTLM authentication protocol (challenge-response) relies on the hash, not the password itself, to prove identity.

Why does RDP usually block PtH?

Standard RDP sessions perform a full interactive logon (Logon Type 10). Building the desktop requires the operating system to unlock the user's encrypted data (such as Chrome cookies or EFS files), which usually needs the plaintext password (or the master key derived from it). Since the NTLM hash cannot be mathematically reversed to the password, an ordinary RDP logon with only the hash fails.

However, Microsoft introduced Restricted Admin Mode (and later Remote Credential Guard) to protect admins from leaking credentials to compromised servers. Ironically, this security feature enables our attack. When in Restricted Admin Mode, the RDP session performs a Logon Type 3 (Network Logon) authentication, which does not unseal the user’s secrets—and therefore does not require the plaintext password.


2. The Gatekeeper: Restricted Admin Mode

Before you can use PtH with RDP, the target system must have Restricted Admin Mode enabled.

If xfreerdp connects but fails with STATUS_LOGON_FAILURE despite a valid hash, Restricted Admin Mode is likely disabled.

Checking the Registry Key

The setting is controlled by this registry key: HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin

  • Value 0: Restricted Admin is allowed (PtH works).
  • Value 1 (or value missing): Restricted Admin is disabled. This is the default on older OSs; newer ones often have it enabled.

Enabling it Remotely (The “Punt”)

If you have a shell (e.g., via Evil-WinRM, psexec, or Cobalt Strike) and Local Admin rights, you can enable this feature to allow your pivot.

```powershell
# Using PowerShell
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 -PropertyType DWORD -Force
```

[!WARNING] This is a configuration change on the target. It persists until you revert it. Always clean up after your engagement!

```powershell
# Cleanup Command
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin"
```

3. The Correct xfreerdp Syntax for PtH

A common mistake is trying to use the /p: flag with a hash. This will not work. You must use the /pth: flag.

Basic Syntax

```bash
# Syntax: /p:passwd is NOT used.
# The hash format is usually NTHASH (32 chars).
xfreerdp /v:<target_ip> /u:<username> /pth:<NT_HASH>
```

Full Red Team Command

This is the robust command I use daily. It parses the hash correctly, ignores cert errors (which are guaranteed on internal networks), and enables clipboard sharing.

```bash
# Example
# User: Administrator
# Hash: aad3b435b51404eeaad3b435b51404ee:7b455e245e1c7f1d2c3a7d305ba65f22
# Note: xfreerdp can take just the NTHASH (2nd part) or LM:NT format.

xfreerdp /v:192.168.1.10 /u:Administrator /pth:7b455e245e1c7f1d2c3a7d305ba65f22 /cert:ignore +clipboard /dynamic-resolution
```

Key Flags:

  • /v:: Target IP.
  • /pth:: The NTLM hash. If you have the full LM:NT output from secretsdump, paste the whole thing. If the LM part is empty/zeros, just the NT hash usually works too.
  • /cert:ignore: Essential. Without this, the connection often drops on self-signed cert warnings.
  • /nla: Force Network Level Authentication (usually default, but good to be explicit).

4. Advanced Scenarios: Tunneling RDP

RDP (Port 3389) is rarely exposed to the internet. You are likely sitting on a C2 server, pivoting through a compromised Linux bastion.

Solution: Proxychains + xfreerdp

```bash
# 1. Establish the SOCKS proxy via SSH to your jump box
ssh -D 1080 user@bastion-host

# 2. Run xfreerdp through proxychains
# Ensure /etc/proxychains.conf points to socks5 127.0.0.1 1080
proxychains xfreerdp /v:10.0.0.50 /u:Admin /pth:[HASH] /cert:ignore
```

Troubleshooting Latency: RDP over SOCKS over SSH is slow.

  • Use /bpp:16 (lower color depth).
  • Use /network:modem to optimize compression.
  • Disable bitmap caching if you are having visual artifacts.

5. Security Boundaries and Detection

The “Type 3” Anomaly

This is the strongest forensic Indicator of Compromise (IoC) for this technique.

  • Normal RDP: Generates Event ID 4624 with Logon Type 10 (RemoteInteractive).
  • Restricted Admin RDP: Generates Event ID 4624 with Logon Type 3 (Network logon).

Imagine a SOC analyst seeing a “Network Logon” (usually associated with file shares/SMB) that suddenly spawns explorer.exe and user init processes. It is highly suspicious.
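The correlation described above, written out as a small detection routine. This is an added example, not code from the original post: it takes already-parsed Security log records (field names follow the EventData names of 4624 and 4688: TargetLogonId, LogonType, SubjectLogonId, NewProcessName), joins process-creation events to the logon session that spawned them via the logon ID, and flags any Logon Type 3 session that launches desktop processes such as explorer.exe or userinit.exe. The sample events are constructed for the demonstration; the IPs, user names and logon IDs are made up.

```python
"""Flag Network (Type 3) logons that spawn an interactive desktop.

Joins Security event 4624 (logon) to 4688 (process creation) on the
logon ID, then reports type-3 sessions that behave like RDP sessions.
"""
from collections import defaultdict

# Processes that belong to a desktop session, not to SMB/WinRM traffic.
INTERACTIVE_PROCESSES = {"explorer.exe", "userinit.exe", "rdpclip.exe"}

# Constructed sample records (not real telemetry). Values mimic parsed
# EventData fields; real logs come from EVTX/XML, Sysmon or a SIEM export.
SAMPLE_EVENTS = [
    # Ordinary RDP: RemoteInteractive logon, explorer is expected.
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice",
     "TargetLogonId": "0x3E5A1", "IpAddress": "10.0.0.5"},
    {"EventID": 4688, "SubjectLogonId": "0x3e5a1",
     "NewProcessName": "C:\\Windows\\explorer.exe"},
    # Ordinary SMB: network logon with no processes, nothing to flag.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "TargetLogonId": "0x41B2C", "IpAddress": "10.0.0.7"},
    # The anomaly: a network logon that builds a desktop.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "Administrator",
     "TargetLogonId": "0x5F0D9", "IpAddress": "192.168.1.200"},
    {"EventID": 4688, "SubjectLogonId": "0x5f0d9",
     "NewProcessName": "C:\\Windows\\System32\\userinit.exe"},
    {"EventID": 4688, "SubjectLogonId": "0x5f0d9",
     "NewProcessName": "C:\\Windows\\explorer.exe"},
]


def _basename(path):
    """Return the file name from a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def find_restricted_admin_sessions(events):
    """Return one finding per Type 3 logon that launched desktop processes.

    Logon IDs are hex strings whose case varies between event types, so
    they are normalised before the join.
    """
    logons = {}                      # logon id -> 4624 record
    spawned = defaultdict(list)      # logon id -> 4688 records
    for ev in events:
        if ev.get("EventID") == 4624:
            logons[ev["TargetLogonId"].lower()] = ev
        elif ev.get("EventID") == 4688:
            spawned[ev["SubjectLogonId"].lower()].append(ev)

    findings = []
    for logon_id, logon in logons.items():
        if logon.get("LogonType") != 3:
            continue                 # Type 10 desktops are normal RDP
        names = {_basename(p["NewProcessName"]) for p in spawned.get(logon_id, [])}
        hits = sorted(names & INTERACTIVE_PROCESSES)
        if hits:                     # a network logon with no desktop is just SMB
            findings.append({
                "logon_id": logon_id,
                "user": logon["TargetUserName"],
                "source_ip": logon.get("IpAddress", "-"),
                "processes": hits,
            })
    return findings


if __name__ == "__main__":
    for f in find_restricted_admin_sessions(SAMPLE_EVENTS):
        print(f"Type 3 logon {f['logon_id']} for {f['user']} from "
              f"{f['source_ip']} spawned {', '.join(f['processes'])}")
```

Two caveats for running this against real data: 4688 events only exist if "Audit Process Creation" is enabled on the host, and the join key is per-session, so a long-lived type-3 session will keep accumulating 4688 records; in production you would bound the correlation window rather than join across the whole log.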

Windows Defender Credential Guard

If the target has Credential Guard enabled, NTLM hashes are isolated in a virtualization-based security container (LSAISO). You generally cannot dump hashes from a machine with Credential Guard. However, if you have a hash (stolen from a legacy machine), you can usually still use it to authenticate TO a Credential Guard machine, provided Restricted Admin is on.


6. Alternative: The Windows-on-Windows Method

If you are operating from a Windows attack VM (e.g., Commando VM) inside the network, you can use Mimikatz to inject the hash into your current session and then launch the official Microsoft RDP client (mstsc.exe).

```
# In an Administrator Command Prompt running Mimikatz:
mimikatz # sekurlsa::pth /user:Administrator /domain:CORP /ntlm:7b455e245e1c7f1d2c3a7d305ba65f22 /run:"mstsc.exe /restrictedadmin"
```

The /restrictedadmin flag on mstsc.exe is the magic switch that tells the client to attempt the specialized handshake.


Conclusion

Pass-the-Hash for RDP is a precision technique. It turns a static hash into a dynamic, interactive session. While not always available by default due to the Restricted Admin requirement, knowing how to check for it—and enable it—gives you powerful graphical access when CLI just isn’t enough.

Just watch out for that Logon Type 3. The Blue Team is watching.

Happy hunting!
