nmap -p 2308 --script rdp-ntlm-info <target> Or manually:
Standard RDP uses port 3389 (0xD3D). Port 2308 (0x904) is not an official IANA-registered port for RDP. In cybersecurity and system administration, its use with RDP implies port redirection , tunneling , or obfuscation —typically for security evasion or network segmentation. Write-Up: Analysis of RDP on Non-Standard Port 0x904 (2308/TCP) 1. Overview | Attribute | Value | |-----------|-------| | Port number (hex) | 0x904 | | Port number (decimal) | 2308 | | Protocol | TCP (typically) | | Standard service | Unassigned / ephemeral range (IANA) | | Observed use | Alternative port for Microsoft RDP | | Risk context | Evasion, lateral movement, misconfiguration | 0x904 rdp
| Reason | Explanation | |--------|-------------| | | Bots scan 3389; 2308 is less targeted. | | Bypass port-based firewalls | Outbound 3389 may be blocked; 2308 may be allowed. | | Multiple RDP instances | Hosting several RDP sessions on different ports (e.g., 3389, 2308, 3390). | | Tunneling over HTTPS/SSH | Local forward: ssh -L 2308:localhost:3389 user@host makes RDP appear on 0x904. | | Red team lateral movement | Using netsh portproxy or socat to pivot through a compromised host. | 3. Detection & Fingerprinting 3.1 Banner Grabbing Connect to port 2308 and observe response: Write-Up: Analysis of RDP on Non-Standard Port 0x904
| Risk | Impact | |------|--------| | | Pre-authentication RCE, port-agnostic. | | CredSSP oracle (CVE-2018-0886) | Man-in-the-middle or RCE if patching missed. | | Password spraying | Attacker scans 2308 instead of 3389. | | NLA bypass | If Network Level Authentication is disabled. | | Tunnel detection evasion | Logging may ignore non-standard ports. | 5. Forensic Artifacts (If Compromised via 0x904) On a Windows host where RDP was accessed through port 2308: 5.1 Registry Check for custom RDP port: | | Multiple RDP instances | Hosting several
When RDP is found listening on 0x904 , it is almost always the result of an intentional configuration change, a port forward, or a tunnel (e.g., SSH, stunnel, or a reverse proxy). Administrators or attackers may move RDP from 3389 to 0x904 for the following reasons: