
BKscan fixed "x11: failed to open display" issue #1

Closed
wants to merge 4 commits into from

@nikallass nikallass commented Jun 14, 2019

1) Issue with x11:

$ sudo ./bkscan.sh -t 192.168.119.137
[+] Targeting 192.168.119.137:3389...
[+] No credential provided, won't support NLA
[07:58:35:866] [1:1] [ERROR][com.freerdp.client.x11] - failed to open display: :0
[07:58:35:866] [1:1] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.

Fixed with information from here

Working good now:
image

If you are using ssh to the Kali box where BKscan is, you need to redefine the $DISPLAY variable:
export DISPLAY=:1

2) Issue with xfreerdp asking username/password on hosts without NLA

Also added the xfreerdp -sec-nla /u:"" flag, so the scan now works on hosts without NLA; it is not asking for username\password any more.

image

If username\pass is not provided, but NLA is enabled on the host:
image

In --debug mode it is clear:
image

@saidelike (Collaborator)

Hi nikallass,

Thanks for your PR, much appreciated.

  1. I still have the issue in my environment, unfortunately. I could still merge it as long as other people confirm it solves the problem for them too.
BKScan$ git log | head -n 12
commit 77b27fc9697a448224641a56cd64ff840a7c9c43
Author: nikallass <XXX>
Date:   Fri Jun 14 13:33:22 2019 +0300

    Disabling nla in xfreerdp while connecting without credentials to support not NLA checks.

commit 37754a1d0d20596961956b8325459a0e85f13869
Author: nikallass <XXX>
Date:   Fri Jun 14 13:32:57 2019 +0300

    Fixed "... failed to open display: ..." issue.

BKScan$ sudo ./bkscan.sh -t 192.168.119.141
[+] Targeting 192.168.119.141:3389...
[+] No credential provided, won't support NLA
[12:36:54:503] [1:1] [ERROR][com.freerdp.client.x11] - failed to open display: :0
[12:36:54:504] [1:1] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
  2. I am yet to replicate this issue. Can you show the output before your patch? What Windows version have you used for the server? And what RDP setting? NLA enabled? I am particularly interested in what you have checked, as in below:

image

Also what users have you specified in "Select Users"?

image

Thanks again for improving BKScan.

@nikallass (Author) commented Jun 14, 2019

My error before the patch is the same:
image

Systeminfo:
image

I also checked with NLA enabled and NLA disabled. Before the patch there was the same issue, and everything is working with the patch.
image
image

Users:
image

I think the problem in your environment is not in the Windows machine, but in the attacker machine where the docker service is running. Maybe you need to install
sudo apt-get install xauth #client
or
sudo apt-get install xorg openbox #server

@nikallass (Author)

If you need, I also can provide an access to my machine on 3389 port for you to check. PM of course. :)

@saidelike (Collaborator)

I have fixed 2) in 55bbb55. Thanks.

One thing to note about adding -sec-nla, i.e. not supporting NLA on the client side, is that we force the client to not support NLA, so:

  • if the server enforces NLA, we can detect it based on the response which we do now
  • if the server does not enforce NLA, we don't use NLA and detect whether it is vulnerable or not

Before adding -sec-nla, we supported NLA on the client side and:

  • if the server enforces NLA, we would have been asked for credentials interactively
  • if the server does not enforce NLA, but supports it (e.g. Windows 7 but not XP), then the negotiation done by FreeRDP would actually negotiate NLA as well by default, and we would have been asked for credentials interactively as well (which is not required)

The only drawback of -sec-nla is that it means we need to:

  • scan a host with no NLA support on the client side first
  • then scan it with NLA support on the client side

This is because in a case where Windows 7 is configured with NLA not enforced, if we scan only with NLA support on the client side, and don't have the right credentials, we will miss the detection even though we can detect it by disabling NLA on the client side.
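The distinction saidelike draws above (a server that enforces NLA refuses a client that does not offer it, while a server that merely supports NLA accepts a lower security level) is decided in the very first RDP exchange: the X.224 Connection Request carries an RDP_NEG_REQ listing the protocols the client offers, and the Connection Confirm carries either an RDP_NEG_RSP (selected protocol) or an RDP_NEG_FAILURE (for example HYBRID_REQUIRED_BY_SERVER), as specified in MS-RDPBCGR. The following Python is an added example written for this page, not code from BKScan, FreeRDP or this PR: it encodes the client's request for either security level and parses constructed server replies (built inline for the example, not captures) to classify the server's NLA posture. The network send itself is left out; only the message encoding and its interpretation are shown.

```python
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000     # standard RDP security only (what XP-era servers speak)
PROTOCOL_SSL = 0x00000001     # TLS without CredSSP
PROTOCOL_HYBRID = 0x00000002  # CredSSP over TLS, i.e. NLA

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# RDP_NEG_FAILURE failureCode values (MS-RDPBCGR 2.2.1.2.2)
HYBRID_REQUIRED_BY_SERVER = 0x00000005
NEG_FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def _wrap_tpkt_x224(code, body):
    """Prefix an X.224 PDU (code + body) with its length indicator and a TPKT header."""
    # X.224 length indicator counts everything after itself (code byte + body)
    x224 = bytes([1 + len(body), code]) + body
    # TPKT: version 3, reserved 0, big-endian total length including this header
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def build_connection_request(requested_protocols, cookie_user=""):
    """TPKT + X.224 Connection Request (0xE0) + RDP_NEG_REQ.

    Offering PROTOCOL_RDP | PROTOCOL_SSL is the 'client does not support NLA'
    position (the -sec-nla case in the discussion); adding PROTOCOL_HYBRID offers NLA.
    """
    cookie = b""
    if cookie_user:  # optional routing token; only sent when a user name is given
        cookie = b"Cookie: mstshash=" + cookie_user.encode() + b"\r\n"
    # RDP_NEG_REQ: type(1) flags(1) length(2, LE, always 8) requestedProtocols(4, LE)
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # dst-ref(2) src-ref(2) class-options(1), then the variable part
    return _wrap_tpkt_x224(0xE0, b"\x00\x00\x00\x00\x00" + cookie + neg_req)


def build_connection_confirm(neg_type=None, value=0):
    """Constructed server reply for offline testing (not a real capture).

    neg_type=None yields a Connection Confirm with no RDP_NEG payload, which is
    what a legacy server that only speaks standard RDP security sends back.
    """
    payload = b"" if neg_type is None else struct.pack("<BBHI", neg_type, 0, 8, value)
    return _wrap_tpkt_x224(0xD0, b"\x00\x00\x12\x34\x00" + payload)


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm and its negotiation result."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT PDU")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length does not match PDU size")
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    payload = data[11:5 + li]  # bytes after the fixed 6-byte CC header
    if not payload:
        return {"outcome": "no_negotiation"}
    if len(payload) < 8:
        raise ValueError("truncated RDP_NEG structure")
    ptype, _flags, length, value = struct.unpack("<BBHI", payload[:8])
    if length != 8:
        raise ValueError("malformed RDP_NEG length field")
    if ptype == TYPE_RDP_NEG_RSP:
        return {"outcome": "accepted", "selected_protocol": value,
                "nla": bool(value & PROTOCOL_HYBRID)}
    if ptype == TYPE_RDP_NEG_FAILURE:
        return {"outcome": "failure", "failure_code": value,
                "failure_name": NEG_FAILURE_NAMES.get(value, "UNKNOWN")}
    raise ValueError("unexpected RDP_NEG type 0x%02x" % ptype)


def nla_posture_from_no_nla_probe(confirm):
    """Interpret a confirm received after offering PROTOCOL_RDP | PROTOCOL_SSL only.

    This is the -sec-nla situation: a HYBRID_REQUIRED_BY_SERVER failure means the
    server enforces NLA; any accepted protocol, or a legacy confirm without a
    negotiation structure, means the server will talk without NLA.
    """
    if confirm["outcome"] == "failure":
        if confirm["failure_code"] == HYBRID_REQUIRED_BY_SERVER:
            return "nla_enforced"
        return "rejected_" + confirm["failure_name"].lower()
    return "nla_not_enforced"


if __name__ == "__main__":
    request = build_connection_request(PROTOCOL_RDP | PROTOCOL_SSL)
    print("client request (no NLA offered):", request.hex())
    for label, reply in [
        ("NLA enforced", build_connection_confirm(TYPE_RDP_NEG_FAILURE, HYBRID_REQUIRED_BY_SERVER)),
        ("TLS accepted", build_connection_confirm(TYPE_RDP_NEG_RSP, PROTOCOL_SSL)),
        ("legacy server", build_connection_confirm()),
    ]:
        print(label, "->", nla_posture_from_no_nla_probe(parse_connection_confirm(reply)))
```

Running the no-NLA request first and only then (if needed) an NLA-offering one mirrors the two-pass scan described in the comment: the first pass settles whether the server enforces NLA, and the second pass is only useful when credentials are available.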

@nikallass (Author) commented Jun 14, 2019

Yeah, that's true. Not very good to scan twice. But it is the only way, as I see.

@nikallass (Author)

Hey, in your last commit in bkscan.sh you missed:
--user=$USER \
It's important for solving the x11 issue.

@saidelike (Collaborator)

Just to clarify, the fix you proposed for the DISPLAY/X11 issue didn't work in my environment. Also you confirmed to me by DM that it didn't completely work after your computer came out of hibernation.

So I am not going to merge the changes until we confirm it actually works.

@seajaysec seajaysec mentioned this pull request Jul 15, 2019
@seajaysec

This fixed the issue for me. Thanks, @nikallass!

@saidelike (Collaborator)

Thanks for confirming chrsjhnsn. I've merged the changes due to multiple people confirming it helped them, even if it does not work with my distrib.

Closing this. Please open another issue if you still have the problem, and detail your environment.

@saidelike saidelike closed this Jul 18, 2019
@nikallass (Author)

Check latest commit.
There are some excessive arguments.
1b5103e
