How to detect whether a remote computer is running RDP?

Question

How do I detect if a remote client is running Remote Desktop Protocol? and it is also accepting remote desktop connections ??

Like Open an port to detect HTTP and send request, receive request headers and see in request headers information about HTTP so I will know the person is running HTTP weather if he changed the port e.g: running HTTP 6551.

Answer 1

Attempt and make a connection with something that is RDP-connection aware (RDP is not HTTP). Of course, failing to establish an initial handshake is not proof that a connection can not be established. It could be blocked by a firewall, listening on another port, etc.

The MS-RDPBCGR specification, page 16 talks about connecting which in turn defers to X.224, go figure.

It'd likely just be easiest to use Wireshark and observe in-the-wild behavior to develop a minimal detection case. I suspect only the very initial portion of the handshake needs to be generated/replayed in order to "decide" that it's a listening RDP server.

(Or, perhaps use an existing RDP client which has this "test connect" functionality or the ability to be scripted.)

Answer 2

A fast way is to pen a shell and type

telnet IPADDRESS 3389

If you get a connection, chances are good that an RDP server is on the other side. RDP can run on any port, but TCP Port 3389 is set per default.

Windows 7 requires some extra steps to enable the telnet Client.

Answer 3

You could do netstat -a in the command line and see if the default port for remote desktop connection is listening, ie. TCP:3389 but thats only if the client hasn't changed the ports for MSTSC