| Reason | Explanation | |--------|-------------| | | Bots scan 3389; 2308 is less targeted. | | Bypass port-based firewalls | Outbound 3389 may be blocked; 2308 may be allowed. | | Multiple RDP instances | Hosting several RDP sessions on different ports (e.g., 3389, 2308, 3390). | | Tunneling over HTTPS/SSH | Local forward: ssh -L 2308:localhost:3389 user@host makes RDP appear on 0x904. | | Red team lateral movement | Using netsh portproxy or socat to pivot through a compromised host. | 3. Detection & Fingerprinting 3.1 Banner Grabbing Connect to port 2308 and observe response:
nmap -p 2308 --script rdp-ntlm-info <target> Or manually: 0x904 rdp
When RDP is found listening on 0x904 , it is almost always the result of an intentional configuration change, a port forward, or a tunnel (e.g., SSH, stunnel, or a reverse proxy). Administrators or attackers may move RDP from 3389 to 0x904 for the following reasons: | Reason | Explanation | |--------|-------------| | |