RDP BruteForce not working when RDP Port Forwarding

zman85 · August 20, 2019, 9:28pm

Why Bruteforce for RDP not working when I have port forwarding from standard 3389 to 3391:
add action=add-src-to-address-list address-list=RDP_Stage1 address-list-timeout=1d chain=forward connection-state=new dst-port=3391 protocol=tcp
add action=dst-nat chain=dstnat dst-port=3391 protocol=tcp to-addresses=192.168.16.10 to-ports=3389

but still working when I have:
add action=add-src-to-address-list address-list=RDP_Stage1 address-list-timeout=1d chain=forward connection-state=new dst-port=3389 protocol=tcp
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=192.168.16.10 to-ports=3389

Sob · August 20, 2019, 9:44pm

Forward chain is after dstnat which changes destination port => you need to be looking for new destination port (= 3389), even if the original was different.

zman85 · August 20, 2019, 9:47pm

But my RDP port is not changed. Still is 3389.
I would like change it and frowarding to 3389 only to connect from Internet.

Sob · August 20, 2019, 11:33pm

Let’s try once more. Packet to :3391 comes to router and is processed by this rule:

add action=dst-nat chain=dstnat dst-port=3391 protocol=tcp to-addresses=192.168.16.10 to-ports=3389

Its destination gets changed, now it’s 192.168.16.10:3389. Next is this rule:

add action=add-src-to-address-list address-list=RDP_Stage1 address-list-timeout=1d chain=forward connection-state=new dst-port=3391 protocol=tcp

Will it match this packet? The answer is no.