rdp-enum-encryption.nse hangs on single host #1737

Open
2d4d opened this issue Sep 11, 2019 · 5 comments

@2d4d
commented Sep 11, 2019

(Nmap 7.80 and Nmap 7.80SVN of today)

After using " nmap -n -p 3389 -Pn --script=rdp-enum-encryption.nse -d9 --script-trace ..." on hundreds of hosts it always hangs on two systems: CPU usage of the nmap process increased to 100% and it never came back, like in an endless loop.

Fun fact: I scanned those hosts a month ago and it worked back then, old output:

PORT STATE SERVICE
3389/tcp open ms-wbt-server
| rdp-enum-encryption:
| Security layer
| CredSSP: SUCCESS
| Native RDP: SUCCESS
| SSL: SUCCESS
| RDP Encryption level: High
| 128-bit RC4: SUCCESS
|_ FIPS 140-1: SUCCESS

As far as I can tell, neither nmap, rdp-enum-encryption.nse nor rdp.lua have been changed since then. The only difference I found so far is that the boxes have probably been DejaBlue-patched, because SMB shows their reboot date some days after the patch publication. There was no interference from a net firewall or NIPS.

Debugging showed that the last packet received before hanging was 2184 or 2225 bytes. All the packets before had max. 533 bytes.

00000190: 00 00 a0 c0 72 64 70 73 6e 64 00 00 00 00 00 c0 rdpsnd
NSOCK DEBUG [6.9060s] event_new(): event_new (IOD #8) (EID #307)
NSOCK INFO [6.9060s] nsock_write(): Write request for 416 bytes to IOD #8 EID 307 [10.103.111.89:3389]
NSOCK DEBUG [6.9060s] nsock_pool_add_event(): NSE #307: Adding event (timeout in 5000ms)
NSOCK DEBUG [6.9060s] nsock_set_loglevel(): Set log level to FULL DEBUG
NSOCK DEBUG [6.9060s] nsock_loop(): nsock_loop() started (timeout=50ms). 1 events pending
NSOCK DEBUG FULL [6.9060s] epoll_loop(): wait for events
NSOCK DEBUG FULL [6.9060s] process_iod_events(): Processing events on IOD 8 (ev=2)
NSOCK DEBUG FULL [6.9060s] process_event(): Processing event 307 (timeout in 5000ms, done=0)
NSOCK DEBUG FULL [6.9060s] process_event(): NSE #307: Sending event
NSOCK INFO [6.9060s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 307 [10.103.111.89:3389]
NSE: TCP 57.56.33.190:54374 > 10.103.111.89:3389 | SEND
NSOCK DEBUG [6.9060s] event_delete(): event_delete (IOD #8) (EID #307)
NSOCK DEBUG [6.9060s] event_new(): event_new (IOD #8) (EID #314)
NSOCK INFO [6.9060s] nsock_read(): Read request from IOD #8 [10.103.111.89:3389] (timeout: 5000ms) EID 314
NSOCK DEBUG [6.9060s] nsock_pool_add_event(): NSE #314: Adding event (timeout in 5000ms)
NSOCK DEBUG [6.9060s] nsock_set_loglevel(): Set log level to FULL DEBUG
NSOCK DEBUG [6.9060s] nsock_loop(): nsock_loop() started (timeout=50ms). 1 events pending
NSOCK DEBUG FULL [6.9060s] epoll_loop(): wait for events
NSOCK DEBUG FULL [6.9080s] process_iod_events(): Processing events on IOD 8 (ev=1)
NSOCK DEBUG FULL [6.9080s] process_event(): Processing event 314 (timeout in 4999ms, done=0)
NSOCK DEBUG FULL [6.9080s] process_event(): NSE #314: Sending event
NSOCK INFO [6.9080s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 314 [10.103.111.89:3389] (2225 bytes)
NSE: TCP 57.56.33.190:54374 < 10.103.111.89:3389 | 00000000: 03 00 08 b1 02 f0 80 7f 66 82 08 a5 0a 01 00 02 f
00000010: 01 00 30 1a 02 01 22 02 01 03 02 01 00 02 01 01 0 "
00000020: 02 01 00 02 01 01 02 03 00 ff f8 02 01 02 04 82
...
000008a0: 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000008b0: 00

NSOCK DEBUG [6.9080s] event_delete(): event_delete (IOD #8) (EID #314)

@2d4d (Author) commented Sep 11, 2019

Both remote systems are Win 2008 R2 without NLA enforced (rdesktop shows a screen)

@2d4d (Author) commented Sep 11, 2019

ok, in rdp.lua it loops forever because block_len is 0:

  -- Walk the TS_UD_SC_* blocks in the server user data. Each block starts
  -- with a 2-byte type and a 2-byte length, and the length includes the
  -- 4-byte header itself.
  while userdata:len() > pos do
    block_type, block_len  = string.unpack("<I2I2", userdata, pos)
    if block_type == 0x0c01 then
      -- 2.2.1.4.2 Server Core Data - TS_UD_SC_CORE
      local proto_ver = string.unpack("<I4",userdata, pos + 4)
      ccr.proto_version = ("RDP Protocol Version: %s"):format(PROTO_VERSION[proto_ver] or "Unknown")
    elseif block_type == 0x0c02 then
      -- 2.2.1.4.3 Server Security Data - TS_UD_SC_SEC1
      ccr.enc_level = string.unpack("B", userdata, pos + 8)
      ccr.enc_cipher= string.unpack("B", userdata, pos + 4)
    end
    -- With block_len == 0 pos never advances, so this loop never ends.
    pos = pos + block_len
  end
@cldrn (Member) commented Sep 12, 2019

I'm thinking this might be related to the NSE sockets issue I've been tracking @nnposter

@2d4d (Author) commented Sep 12, 2019

Tell me if there's anything I can check.

I've tracked it down to the point that the last line of rdp.lua of this snippet gets 0,0 returned for block_type, block_len and then it loops forever:

  -- Hackery to avoid writing ASN.1 PER decoding. Skip over fixed length
  -- T.124 ConnectData header. Decode the length since it can be multiple
  -- bytes. Drops us where we need to be.
  _, pos = asn1.ASN1Decoder.decodeLength(userdata, 22 )
  local block_type, block_len
  while userdata:len() > pos do
    block_type, block_len = string.unpack("<I2I2", userdata, pos)

So maybe the hackery doesn't work anymore for these 2 servers. The error might as well be in the ASN1Decoder.

My workaround is:

  local block_type, block_len
  block_len=1
  while userdata:len() > pos and block_len > 0 do

... which doesn't help solve the underlying problem but might anyway be a good idea because it prevents rdp-enum-encryption from hanging there on garbage.

@nnposter commented Sep 13, 2019

It looks like @TomSellers has authored this code not so long ago in 95f9e2c and a4f3c85 so he might be the best party to determine what is going on.
