0x904 Rdp [best] ❲4K❳

nmap -p 2308 --script rdp-ntlm-info <target> Or manually:

| Reason | Explanation | |--------|-------------| | | Bots scan 3389; 2308 is less targeted. | | Bypass port-based firewalls | Outbound 3389 may be blocked; 2308 may be allowed. | | Multiple RDP instances | Hosting several RDP sessions on different ports (e.g., 3389, 2308, 3390). | | Tunneling over HTTPS/SSH | Local forward: ssh -L 2308:localhost:3389 user@host makes RDP appear on 0x904. | | Red team lateral movement | Using netsh portproxy or socat to pivot through a compromised host. | 3. Detection & Fingerprinting 3.1 Banner Grabbing Connect to port 2308 and observe response: 0x904 rdp

Standard RDP uses port 3389 (0xD3D). Port 2308 (0x904) is not an official IANA-registered port for RDP. In cybersecurity and system administration, its use with RDP implies port redirection , tunneling , or obfuscation —typically for security evasion or network segmentation. Write-Up: Analysis of RDP on Non-Standard Port 0x904 (2308/TCP) 1. Overview | Attribute | Value | |-----------|-------| | Port number (hex) | 0x904 | | Port number (decimal) | 2308 | | Protocol | TCP (typically) | | Standard service | Unassigned / ephemeral range (IANA) | | Observed use | Alternative port for Microsoft RDP | | Risk context | Evasion, lateral movement, misconfiguration | | | Tunneling over HTTPS/SSH | Local forward:

socat TCP-LISTEN:2308,fork TCP:10.0.0.100:3389 Detection & Fingerprinting 3

When RDP is found listening on 0x904 , it is almost always the result of an intentional configuration change, a port forward, or a tunnel (e.g., SSH, stunnel, or a reverse proxy). Administrators or attackers may move RDP from 3389 to 0x904 for the following reasons: