A clear, paragraph-by-paragraph walkthrough of our video POC where Pentest Copilot deploys an agent on a Linux server, detects an ms-wbt-server RDP service on a Windows host, validates an exposed credential, establishes an RDP session, and drops a second agent—automatically—with every step evidenced in the UI.
This demonstration runs inside GOAD (Game of Active Directory), a deliberately vulnerable lab intended for safe, authorized testing. The objective is to show a single, coherent chain: start with an agent on a Linux machine, let Pentest Copilot automatically discover a Windows RDP surface, validate an exposed credential against it, use that access to open a live RDP session, and deploy a lightweight agent on the target—while the product UI records every decision in real time. No guesswork, no manual pivoting; the interface and exploit graph preserve the full storyline.
The flow begins with Pentest Copilot already connected to an agent on a Linux server. In the header, the product indicates that one agent is connected, and the Submodule Testing panel on the left is ready to drive actions. From this moment, Copilot orchestrates discovery and decision-making automatically, updating the graph as it learns new facts about the environment.
Service enumeration reveals a Windows target exposing RDP. In the Exploit Graph, a Service node connected to the host displays port 3389/tcp, state: open, and Service: ms-wbt-server, along with the host’s IP address. This confirms a reachable RDP endpoint on that machine and anchors the rest of the chain to a specific, observable fact in the UI.
Pentest Copilot then correlates an exposed credential to this RDP service and proves it works. In the Submodule Testing drawer, CHK_RDP_AUTH is selected with the discovered RDP service as the input entity. After execution, the graph expands to include a Secret node linked to the service and a Vulnerability node created by the successful check. The details panel clearly states “Successful RDP authentication,” and the result is shown as privileged in the demo. The important point is that Copilot does not assume anything—it validates that this specific credential logs in to this specific host’s RDP service.
With the credential validated, the operator switches to the EXP_RDP submodule and uses the newly created Vulnerability as the input. The desktop view then shows a window titled FreeRDP connected to the same target IP, and inside it the Windows Server 2019 desktop appears. This is visual confirmation of a live, interactive session. As part of this workflow, Pentest Copilot deploys a second agent on the Windows machine. Back in the UI, the Submodule Activity view reports the run as Completed, a banner indicates the submodule test completed successfully, and the header’s Agents Connected indicator increases—showing that the Windows agent is now online. The on-screen caption summarizes the outcome: “RDP Connection Successful; Agent Dropped Successfully.”
The second (Windows) agent transforms a proven login into a stable foothold on the target. First, it improves fidelity: because it runs on the Windows host, Pentest Copilot can observe realities that remote probing can miss, and it can do so with less noise and tighter scope. Second, it expands reach from the right vantage point: subsequent, approved steps can now be executed from inside the Windows session—such as examining what the logged-in context can see, which shares or services are reachable, and which paths might exist for lateral movement—all reflected back into the exploit graph. Third, it enables repeatability: instead of ad-hoc clicks in a remote desktop window, Copilot triggers the next submodules from the UI, captures evidence in a consistent format, and makes before/after comparisons straightforward if the environment is hardened and the test is rerun. Throughout, every action executed via the agent is tied to the exact entity and preserved in the Submodule Activity log, giving teams clean provenance and a reliable audit trail.
The exploit graph clearly lays out the chain as seen in the POC: a Service node for RDP on the host, a Secret that proves valid, a CHK_RDP_AUTH step that creates a Vulnerability, and an EXP_RDP step that uses that path to obtain interactive access and deploy the agent. The activity timeline echoes this narrative with explicit statuses and references to the inputs used. Together, they provide a concise, defensible storyline that stakeholders can review without digging through raw console history.
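A defender-side view of the same chain, as an added example that is not part of the original post or Pentest Copilot's own code: it correlates a Windows RDP logon (Security event 4624, LogonType 10) with process creation (event 4688) in that logon session to flag a binary started from a user-writable path shortly after login. The flattened record layout, the jump-host allowlist, the path list, the ten-minute window and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: Windows Security events flattened to dicts.
# Users, IPs, logon IDs and paths are made up for illustration.
EVENTS = [
    {"time": "2024-05-01T10:00:05", "id": 4624, "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.20", "TargetLogonId": "0x1a2b"},
    {"time": "2024-05-01T10:02:11", "id": 4624, "LogonType": 10,
     "TargetUserName": "labadmin", "IpAddress": "10.0.0.50", "TargetLogonId": "0x3c4d"},
    {"time": "2024-05-01T10:02:40", "id": 4688, "SubjectLogonId": "0x3c4d",
     "NewProcessName": r"C:\Windows\explorer.exe"},
    {"time": "2024-05-01T10:03:02", "id": 4688, "SubjectLogonId": "0x3c4d",
     "NewProcessName": r"C:\Users\labadmin\AppData\Local\Temp\agent.exe"},
    {"time": "2024-05-01T10:04:00", "id": 4688, "SubjectLogonId": "0x1a2b",
     "NewProcessName": r"C:\Users\Public\tool.exe"},
    {"time": "2024-05-01T11:30:00", "id": 4688, "SubjectLogonId": "0x3c4d",
     "NewProcessName": r"C:\Users\labadmin\Downloads\late.exe"},
]

RDP_CLIENT_ALLOWLIST = {"10.0.0.10"}   # assumption: the only approved RDP jump host
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
WINDOW = timedelta(minutes=10)         # assumption: correlation window after logon

def find_rdp_agent_drops(events):
    """Flag processes started from user-writable paths inside a fresh RDP
    session (4624, LogonType 10) whose client is not an approved jump host."""
    sessions, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624 and ev.get("LogonType") == 10:
            if ev["IpAddress"] not in RDP_CLIENT_ALLOWLIST:
                sessions[ev["TargetLogonId"]] = (ts, ev)
        elif ev["id"] == 4688 and ev.get("SubjectLogonId") in sessions:
            logon_ts, logon = sessions[ev["SubjectLogonId"]]
            path = ev["NewProcessName"].lower()
            if ts - logon_ts <= WINDOW and any(d in path for d in USER_WRITABLE):
                findings.append({"user": logon["TargetUserName"],
                                 "source_ip": logon["IpAddress"],
                                 "process": ev["NewProcessName"],
                                 "seconds_after_logon": int((ts - logon_ts).total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in find_rdp_agent_drops(EVENTS):
        print(finding)
```

Event 4688 is only logged when the Audit Process Creation policy is enabled on the host, so this correlation depends on that setting being in place before the test.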
1) What was automated versus manual in this demo?
After starting with an agent on Linux, Pentest Copilot automatically identified the ms-wbt-server service on the Windows host, correlated and validated an exposed credential via CHK_RDP_AUTH, initiated an RDP session with EXP_RDP, and deployed a second agent. The UI reflected each step as it happened.
2) Did the POC use brute-force or password spraying?
No. The demo shows Copilot validating an already exposed credential against the RDP service. The evidence appears in the details panel as “Successful RDP authentication” and in the graph as a Secret → Vulnerability chain.
3) Where did the credential come from?
The video treats it as an exposed credential that Copilot could associate with the discovered service. Its precise source is outside the video’s scope; the important part demonstrated is the validation and use of that credential against the specific host.
4) How do we know the RDP access and agent drop succeeded?
You see the Windows desktop inside a FreeRDP window, the Submodule Activity view shows Completed, the header’s Agents Connected count increases, and the caption reads “RDP Connection Successful; Agent Dropped Successfully.”
5) What practical advantage does the second (Windows) agent provide?
It turns “we can log in” into a systematic foothold for higher-fidelity discovery and controlled next steps. Findings and actions executed from the Windows host feed back into the exploit graph and activity logs, giving teams better visibility, cleaner evidence, and a repeatable process for verification and hardening.
Watch the full demo: [https://youtu.be/Z7dKrwF-LoQ]