rdp-enum-encryption.nse hangs on single host #1737
(Nmap 7.80 and Nmap 7.80SVN of today)
After using "nmap -n -p 3389 -Pn --script=rdp-enum-encryption.nse -d9 --script-trace ..." on hundreds of hosts, it always hangs on two systems; CPU usage increased to 100% for the nmap process and it never came back, as if in an endless loop.
Fun fact: I scanned those hosts a month ago and it worked back then. Old output:
PORT STATE SERVICE
As far as I can tell, neither nmap, rdp-enum-encryption.nse nor rdp.lua have been changed since then. The only difference I've found so far is that the boxes have probably been DejaBlue patched, because SMB shows their reboot date some days after the patch publication. There was no interference from a network firewall or NIPS.
Debugging showed that the last packet received before hanging was 2184 or 2225 bytes. All the packets before had at most 533 bytes.
00000190: 00 00 a0 c0 72 64 70 73 6e 64 00 00 00 00 00 c0 rdpsnd
OK, in rdp.lua it loops forever because block_len is 0:
Tell me if there's anything I can check.
I've tracked it down to the point that the last line of rdp.lua in this snippet gets 0, 0 returned for block_type and block_len, and then it loops forever:
-- Hackery to avoid writing ASN.1 PER decoding. Skip over fixed length
So maybe the hackery doesn't work anymore for these 2 servers. The error might as well be in the ASN1Decoder.
My workaround is:
... which doesn't help solve the underlying problem, but might still be a good idea because it prevents rdp-enum-encryption from hanging there on garbage.
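A guarded version of that block-walking loop, as an added example in Python (it is not the script's Lua, not rdp.lua's code, and not the author's workaround), assuming the MS-RDPBCGR TS_UD_HEADER layout (u16 type, u16 length that includes the header) and constructed sample blobs; a zero-length header is reported instead of being looped on:

```python
import struct

# TS_UD_HEADER block types from MS-RDPBCGR (server-to-client data blocks)
SC_CORE, SC_SECURITY, SC_NET = 0x0C01, 0x0C02, 0x0C03
HEADER_LEN = 4  # type (u16 LE) + length (u16 LE); length covers the header too


def parse_server_data_blocks(data, max_blocks=64):
    """Walk the TS_UD_HEADER-framed blocks in a server data blob.

    Returns (blocks, error): blocks is a list of (type, payload) tuples and
    error is None or a string. A header whose length field is 0 (or shorter
    than the header itself) can never advance the cursor, so it is reported
    as an error instead of being looped on forever.
    """
    blocks, pos = [], 0
    while pos + HEADER_LEN <= len(data):
        block_type, block_len = struct.unpack_from("<HH", data, pos)
        if block_len < HEADER_LEN:
            return blocks, "block type 0x%04x at offset %d has length %d" % (
                block_type, pos, block_len)
        if pos + block_len > len(data):
            return blocks, "block type 0x%04x at offset %d runs past end of data" % (
                block_type, pos)
        blocks.append((block_type, data[pos + HEADER_LEN:pos + block_len]))
        pos += block_len
        if len(blocks) > max_blocks:  # second guard: bound the loop outright
            return blocks, "more than %d blocks" % max_blocks
    return blocks, None


def security_settings(blocks):
    """Return (encryptionMethod, encryptionLevel) from the SC_SECURITY block."""
    for block_type, payload in blocks:
        if block_type == SC_SECURITY and len(payload) >= 8:
            return struct.unpack_from("<II", payload, 0)
    return None


# Constructed samples, not captured traffic: SC_CORE (version, protocols)
# followed by SC_SECURITY (method 2 = 128-bit, level 3 = high).
GOOD_BLOB = (struct.pack("<HHII", SC_CORE, 12, 0x00080004, 0)
             + struct.pack("<HHII", SC_SECURITY, 12, 2, 3))
# The same data followed by a header whose length field is 0: a loop that
# only advances by block_len would spin on this header forever.
ZERO_LEN_BLOB = GOOD_BLOB + struct.pack("<HH", SC_NET, 0)
```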