From e3e5c33b9bc9a799bd9b018f7ac003cb964906fa Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Fri, 14 Jul 2017 13:02:43 -0700 Subject: [PATCH 1/4] WIP commit of RDP scanner
--- modules/auxiliary/scanner/rdp/rdp_scanner.rb | 75 ++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 modules/auxiliary/scanner/rdp/rdp_scanner.rb
diff --git a/modules/auxiliary/scanner/rdp/rdp_scanner.rb b/modules/auxiliary/scanner/rdp/rdp_scanner.rb
new file mode 100644
index 0000000000..a5a7637826
--- /dev/null
+++ b/modules/auxiliary/scanner/rdp/rdp_scanner.rb
@@ -0,0 +1,75 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Identify endpoints speaking the Remote Desktop Protocol (RDP)', + 'Description' => %q( + This module attempts to connect to the specified Remote Desktop Protocol port + and determines if it speaks RDP. + ), + 'Author' => 'Jon Hart ', + 'References' => + [ + ], + 'License' => MSF_LICENSE + ) + ) + + register_options( + [ + Opt::RPORT(3389) + # XXX: add options to turn on/off TLS, CredSSP, early user, cookies, etc. + ] + ) + end + + # simple TPKT v3 + x.224 COTP Connect Request + RDP negotiation request with TLS and CredSSP requested + RDP_PROBE = "\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00" + # any TPKT v3 + x.2224 COTP Connect Confirm + RDP_RE = /^\x03\x00.{3}\xd0.{7}.*$/ + def rdp? + sock.put(RDP_PROBE) + response = sock.get_once(-1) + if response + if RDP_RE.match?(response) + # XXX: it might be helpful to decode the response and show what was selected. + print_good("Identified RDP") + return true + else + vprint_status("No match for '#{Rex::Text.to_hex_ascii(response)}'") + end + else + vprint_status("No response") + end + end + + def run_host(_ip) + begin + connect + return unless rdp? + rescue Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, \ + ::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError => e + vprint_error("error while connecting and negotiating RDP: #{e}") + return + ensure + disconnect + end + + service = report_service( + host: rhost, + port: rport, + proto: 'tcp', + name: 'RDP' + ) + end +end From 43e04c889483a911b11d0f60763a1511af417a51 Mon Sep 17 00:00:00 2001 
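Review bot: The comment above `RDP_RE` says `x.2224 COTP Connect Confirm` where the standard is X.224, and the 19-byte `RDP_PROBE` literal is only summarised in one line even though it is a hand-assembled TPKT + X.224 Connection Request + RDP_NEG_REQ that a reader cannot verify without a byte map. I would replace that one-line comment with a layout comment along the lines of `# TPKT: 03 00 len(2)=0x0013 | X.224 CR: len=0x0e e0 dst-ref(2)=0 src-ref(2)=0 class=0 | RDP_NEG_REQ: type=01 flags=00 len(2,LE)=0x0008 requestedProtocols(4,LE)=0x00000003 (SSL|HYBRID)`. It is also worth a note on `rdp?` that `sock.get_once(-1)` is a single read, so the match assumes the server's Connect Confirm arrives in one segment; I believe that is the normal case for an 11- or 19-byte reply but have not verified it against Rex's read behaviour.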
From: Jon Hart Date: Mon, 17 Jul 2017 13:14:47 -0700 Subject: [PATCH 2/4] Improve RDP probe packet --- modules/auxiliary/scanner/rdp/rdp_scanner.rb | 41 +++++++++++++++++--- 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/scanner/rdp/rdp_scanner.rb b/modules/auxiliary/scanner/rdp/rdp_scanner.rb index a5a7637826..50c4cb8c01 100644 --- a/modules/auxiliary/scanner/rdp/rdp_scanner.rb +++ b/modules/auxiliary/scanner/rdp/rdp_scanner.rb @@ -20,6 +20,7 @@ class MetasploitModule < Msf::Auxiliary 'Author' => 'Jon Hart ', 'References' => [ + ['URL', 'https://msdn.microsoft.com/en-us/library/cc240445.aspx'] ], 'License' => MSF_LICENSE ) @@ -27,18 +28,18 @@ class MetasploitModule < Msf::Auxiliary register_options( [ - Opt::RPORT(3389) - # XXX: add options to turn on/off TLS, CredSSP, early user, cookies, etc. + Opt::RPORT(3389), + OptBool.new('TLS', [true, 'Wheter or not request TLS security', true]), + OptBool.new('CredSSP', [true, 'Whether or not to request CredSSP', true]), + OptBool.new('EarlyUser', [true, 'Whether to support Earlier User Authorization Result PDU', false]) ] ) end - # simple TPKT v3 + x.224 COTP Connect Request + RDP negotiation request with TLS and CredSSP requested - RDP_PROBE = "\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00" # any TPKT v3 + x.2224 COTP Connect Confirm - RDP_RE = /^\x03\x00.{3}\xd0.{7}.*$/ + RDP_RE = /^\x03\x00.{3}\xd0.{5}.*$/ def rdp? - sock.put(RDP_PROBE) + sock.put(@probe) response = sock.get_once(-1) if response if RDP_RE.match?(response) 
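Review bot: The rewritten `RDP_RE` still relies on an unflagged `.` and on `^`/`$`, so a Connect Confirm in which the TPKT length, a COTP reference byte or the class byte happens to be 0x0a (newline) will not match, and in Ruby `^`/`$` are line anchors rather than string anchors. I would change it to `RDP_RE = /\A\x03\x00.{3}\xd0.{5}/m` — the `m` flag lets `.` consume newline bytes, `\A` pins the match to the start of the response, and the trailing `.*$` added nothing. Separately, the `TLS` option description has a typo and should read `'Whether or not to request TLS security'`.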
@@ -53,6 +54,34 @@ class MetasploitModule < Msf::Auxiliary end end + def setup + # build a simple TPKT v3 + x.224 COTP Connect Request. optionally append + # RDP negotiation request with TLS, CredSSP and Early User as requesteste + requestedProtocols = 0 + if datastore['TLS'] + requestedProtocols = requestedProtocols ^ 0b1 + end + if datastore['CredSSP'] + requestedProtocols = requestedProtocols ^ 0b10 + end + if datastore['EarlyUser'] + requestedProtocols = requestedProtocols ^ 0b1000 + end + + if requestedProtocols == 0 + tpkt_len = 11 + cotp_len = 6 + pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0 ] + pack_string = "CCnCCnnC" + else + tpkt_len = 19 + cotp_len = 14 + pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0, 1, 0, 8, 0, requestedProtocols ] + pack_string = "CCnCCnnCCCCCV" + end + @probe = pack.pack(pack_string) + end + def run_host(_ip) begin connect From e5ef737c21ef00d801e3b76392760062b54f4c63 Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Mon, 17 Jul 2017 13:45:12 -0700 Subject: [PATCH 3/4] Add documentation --- .../auxiliary/scanner/rdp/rdp_scanner.md | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 documentation/modules/auxiliary/scanner/rdp/rdp_scanner.md diff --git a/documentation/modules/auxiliary/scanner/rdp/rdp_scanner.md b/documentation/modules/auxiliary/scanner/rdp/rdp_scanner.md new file mode 100644 index 0000000000..068377810b --- /dev/null +++ b/documentation/modules/auxiliary/scanner/rdp/rdp_scanner.md 
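Review bot: In `setup` the protocol flags are accumulated with `^` (XOR); each bit is toggled at most once here so the result is currently correct, but the intent is to set bits, and `|=` says so without depending on that: `requestedProtocols |= 0b1 if datastore['TLS']`, `requestedProtocols |= 0b10 if datastore['CredSSP']`, `requestedProtocols |= 0b1000 if datastore['EarlyUser']`. A caveat is also missing: with `TLS=false` and `CredSSP=true` the request carries PROTOCOL_HYBRID without PROTOCOL_SSL, which, as far as I recall from the referenced MS-RDPBCGR negotiation section, SHOULD accompany it — either OR in `0b1` whenever CredSSP is requested or add a comment stating that the non-conformant combination is deliberate for fingerprinting locked-down hosts. The header comment also has a typo, `requesteste` → `requested`.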
@@ -0,0 +1,66 @@ +## Vulnerable Application + + Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP. + +## Verification Steps + + 1. Do: ```use auxiliary/scanner/rdp/rdp_scanner``` + 2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP + 3. Do: ```run``` + 4. If the host is exposing an identifiable RDP instance, it will print the endpoint. + +## Options + + There are three options currently supported that control what security protocols to + send in the RDP negotiation request, which can be helpful in identifying RDP + endpoints that might be locked down or configured differently: + + **TLS** Set to true to request TLS security support + **CredSSP** Set to true to request CredSSP support + **EarlyUser** Set to true to request Early User Authorization Result PDU support + +## Scenarios + + ``` +msf auxiliary(rdp_scanner) > run + +[+] 10.4.18.26:3389 - Identified RDP +[+] 10.4.18.22:3389 - Identified RDP +[+] 10.4.18.89:3389 - Identified RDP +[+] 10.4.18.9:3389 - Identified RDP +[+] 10.4.18.67:3389 - Identified RDP +[+] 10.4.18.80:3389 - Identified RDP +[+] 10.4.18.34:3389 - Identified RDP +[+] 10.4.18.70:3389 - Identified RDP +[+] 10.4.18.30:3389 - Identified RDP +[+] 10.4.18.76:3389 - Identified RDP +[+] 10.4.18.13:3389 - Identified RDP +[+] 10.4.18.91:3389 - Identified RDP +[+] 10.4.18.5:3389 - Identified RDP +[+] 10.4.18.47:3389 - Identified RDP +[+] 10.4.18.41:3389 - Identified RDP +[+] 10.4.18.105:3389 - Identified RDP +[*] Scanned 44 of 256 hosts (17% complete) +[*] Scanned 55 of 256 hosts (21% complete) +[+] 10.4.18.118:3389 - Identified RDP +[+] 10.4.18.108:3389 - Identified RDP +[+] 10.4.18.139:3389 - Identified RDP +[*] Scanned 94 of 256 hosts (36% complete) +[*] Scanned 110 of 256 hosts (42% complete) +[+] 10.4.18.157:3389 - Identified RDP +[+] 10.4.18.166:3389 - Identified RDP +[+] 10.4.18.164:3389 - Identified RDP +[+] 10.4.18.170:3389 - Identified RDP +[+] 10.4.18.185:3389 - 
Identified RDP +[+] 10.4.18.209:3389 - Identified RDP +[+] 10.4.18.188:3389 - Identified RDP +[*] Scanned 156 of 256 hosts (60% complete) +[+] 10.4.18.237:3389 - Identified RDP +[+] 10.4.18.225:3389 - Identified RDP +[*] Scanned 186 of 256 hosts (72% complete) +[*] Scanned 194 of 256 hosts (75% complete) +[*] Scanned 208 of 256 hosts (81% complete) +[*] Scanned 253 of 256 hosts (98% complete) +[*] Scanned 256 of 256 hosts (100% complete) +[*] Auxiliary module execution completed +``` From 45f81f3c98ba8779a327c19aabe88a2344186224 Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Tue, 18 Jul 2017 12:45:02 -0700 Subject: [PATCH 4/4] Squash some style issues --- modules/auxiliary/scanner/rdp/rdp_scanner.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/auxiliary/scanner/rdp/rdp_scanner.rb b/modules/auxiliary/scanner/rdp/rdp_scanner.rb index 50c4cb8c01..d38c87dc14 100644 --- a/modules/auxiliary/scanner/rdp/rdp_scanner.rb +++ b/modules/auxiliary/scanner/rdp/rdp_scanner.rb @@ -57,18 +57,18 @@ class MetasploitModule < Msf::Auxiliary def setup # build a simple TPKT v3 + x.224 COTP Connect Request. optionally append # RDP negotiation request with TLS, CredSSP and Early User as requesteste - requestedProtocols = 0 + requested_protocols = 0 if datastore['TLS'] - requestedProtocols = requestedProtocols ^ 0b1 + requested_protocols = requested_protocols ^ 0b1 end if datastore['CredSSP'] - requestedProtocols = requestedProtocols ^ 0b10 + requested_protocols = requested_protocols ^ 0b10 end if datastore['EarlyUser'] - requestedProtocols = requestedProtocols ^ 0b1000 + requested_protocols = requested_protocols ^ 0b1000 end - if requestedProtocols == 0 + if requested_protocols == 0 tpkt_len = 11 cotp_len = 6 pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0 ] 
@@ -76,7 +76,7 @@ class MetasploitModule < Msf::Auxiliary
 else
 tpkt_len = 19
 cotp_len = 14
- pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0, 1, 0, 8, 0, requestedProtocols ]
+ pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0, 1, 0, 8, 0, requested_protocols ]
 pack_string = "CCnCCnnCCCCCV"
 end
 @probe = pack.pack(pack_string)
@@ -94,7 +94,7 @@ class MetasploitModule < Msf::Auxiliary
 disconnect
 end
 
- service = report_service(
+ report_service(
 host: rhost,
 port: rport,
 proto: 'tcp',