Sign in Subscribe
Concepts

Finding Remote Desktops with Nmap

Andrios Robert

1 min read

Nmap is the fastest way to find and audit Remote Desktop Protocol (RDP) endpoints at scale. Whether you manage hundreds of machines or need to test a single host, its scanning capabilities make it possible to discover exposed ports, verify services, and assess security in minutes. Understanding how to use Nmap for remote desktops is essential for both rapid troubleshooting and proactive defense.

Finding Remote Desktops with Nmap

The most common RDP port is 3389. To locate active remote desktops, run:

nmap -p 3389 <target-range> --open

This queries only the RDP port, speeding up results. The --open flag filters to hosts with the port accepting connections.

For more detail on each open RDP service, use:

nmap -p 3389 -sV <target-range>

The -sV option attempts service version detection, helping you confirm RDP services and identify older, vulnerable implementations.

Scanning Large Networks

When scanning large IP ranges, timing matters. Use aggressive timing with caution:

nmap -p 3389 -T4 <CIDR>

The -T4 profile increases speed but still keeps accuracy acceptable for most environments. Be aware that scanning external networks without permission can trigger alerts or be considered unauthorized activity. Always scan responsibly.

Securing Discovered RDP Endpoints

Once you find exposed RDP services, remediate by limiting access to specific IPs via firewall rules. Disable RDP where it is not required. Use strong authentication, network-level authentication (NLA), and consider tunneling RDP through a VPN. Publicly exposed RDP endpoints are a prime target for brute-force attacks and ransomware operators.

Automating RDP Discovery

For recurring audits, Nmap scripts can automate RDP detection and fingerprinting. The Nmap Scripting Engine (NSE) includes modules like rdp-enum-encryption to confirm encryption levels:

nmap --script rdp-enum-encryption -p 3389 <target>

This allows you to verify that remote desktops meet encryption baselines without manual checks.

Use Nmap to map your attack surface before someone else does. Spot every remote desktop, lock down access, and keep control of your infrastructure.

Run secure, automated port scanning with zero setup using hoop.dev—see it live in minutes and know exactly where your remote desktops are exposed.