Address exception and decoding issue in rdp-enum-encryption #1611
This PR addresses a few bugs in RDP protocol parsing in scripts/rdp-enum-encryption.nse and nselib/rdp.lua. It should also address the following issue:
Feature Request: rdp-enum-encryption should check if NLA is required #174
Exception vs Windows XP
There was an exception caused by rdp-enum-encryption.nse attempting to unpack data that doesn't exist. This was noticed when running the script against Windows XP SP3, which doesn't return a certain layer in the protocol during the initial negotiation packet exchange.
Testing
Before fix
After fix
Incorrectly decoding ServerData
The existing code was incorrectly decoding the ServerData section of the ConferenceCreateResponse packet. This was due to assuming a certain block was a fixed size. This broke when certain optional fields were included. The impact was that certain encryption level options were not being detected. This primarily impacted Windows XP.
The fix was adding decoding of the type and lengths for the sections in ServerData.
Before fix
Technically, before the fix this section was empty due to the first bug fixed above. But after fixing that bug here is what the output looked like.
After fix
Added output
Now that ServerData is being decoded we can determine which RDP protocol is being advertised. When detected, this will now show up in the "RDP Protocol Version:" section. Since the library doesn't currently support TLS negotiation, this will be missing for hosts that require TLS until this feature is added. The same applies for CredSSP.
In the Security layer section of the output, "CredSSP" has been changed to "CredSSP (NLA)" to clarify that this is NLA for those who are using the script to audit networks for things like CVE-2019-0708. "CredSSP with Early User Auth" and "RDSTLS" have been added.
Output
Windows XP SP3
Windows 2008 with NLA optional and configured for client compatible ciphers
Windows 2019
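As an added example (not the PR's code and not Nmap's nselib/rdp.lua), the following Python walks the serverData portion of the GCC Conference Create Response by TS_UD_HEADER type/length pairs, which is the approach the "Incorrectly decoding ServerData" section describes, instead of assuming each block has a fixed size. The two byte strings are constructed for the example, not captured from real hosts: one carries a minimal SC_CORE plus an RC4 SC_SECURITY block with its optional server random and certificate, the other a full-length SC_CORE, an empty SC_SECURITY (the TLS/NLA case) and an SC_NET block. The field layouts and constants follow MS-RDPBCGR 2.2.1.4.2 to 2.2.1.4.4.

```python
"""Length-driven parser for the TS_UD blocks inside GCC serverData.

Added example; not part of the PR or of Nmap. Sample blobs are constructed.
"""
import struct

# TS_UD_HEADER.type values (MS-RDPBCGR 2.2.1.4.2 - 2.2.1.4.4)
SC_CORE, SC_SECURITY, SC_NET = 0x0C01, 0x0C02, 0x0C03

# TS_UD_SC_CORE.version (MS-RDPBCGR 2.2.1.4.2)
RDP_VERSIONS = {
    0x00080001: "RDP 4.0",
    0x00080004: "RDP 5.0-8.1",
    0x00080005: "RDP 10.0",
    0x00080006: "RDP 10.1",
    0x00080007: "RDP 10.2",
    0x00080008: "RDP 10.3",
    0x00080009: "RDP 10.4",
    0x0008000A: "RDP 10.5",
    0x0008000B: "RDP 10.6",
    0x0008000C: "RDP 10.7",
}
# TS_UD_SC_SEC1.encryptionMethod / encryptionLevel (MS-RDPBCGR 2.2.1.4.3)
ENCRYPTION_METHODS = {0x00: "none", 0x01: "40-bit RC4", 0x02: "128-bit RC4",
                      0x08: "56-bit RC4", 0x10: "FIPS 140-1"}
ENCRYPTION_LEVELS = {0: "None", 1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS"}


def iter_user_data(server_data):
    """Yield (type, payload) for each TS_UD block, refusing truncated input."""
    off = 0
    while off < len(server_data):
        if len(server_data) - off < 4:
            raise ValueError("truncated TS_UD_HEADER at offset %d" % off)
        ud_type, ud_len = struct.unpack_from("<HH", server_data, off)
        # The length counts the 4-byte header itself.
        if ud_len < 4 or off + ud_len > len(server_data):
            raise ValueError("bad TS_UD length %d at offset %d" % (ud_len, off))
        yield ud_type, server_data[off + 4:off + ud_len]
        off += ud_len


def parse_server_data(server_data):
    """Return a dict of the security-relevant fields found in serverData."""
    result = {}
    for ud_type, payload in iter_user_data(server_data):
        if ud_type == SC_CORE:
            # version is mandatory; clientRequestedProtocols and
            # earlyCapabilityFlags are optional, so the block is 8, 12 or 16
            # bytes long and must be decoded by its declared length.
            (version,) = struct.unpack_from("<I", payload, 0)
            result["version"] = RDP_VERSIONS.get(version, "unknown (0x%08x)" % version)
            if len(payload) >= 8:
                result["client_requested_protocols"] = struct.unpack_from("<I", payload, 4)[0]
            if len(payload) >= 12:
                result["early_capability_flags"] = struct.unpack_from("<I", payload, 8)[0]
        elif ud_type == SC_SECURITY:
            method, level = struct.unpack_from("<II", payload, 0)
            result["encryption_method"] = ENCRYPTION_METHODS.get(method, "unknown (0x%08x)" % method)
            result["encryption_level"] = ENCRYPTION_LEVELS.get(level, "unknown (%d)" % level)
            # serverRandomLen, serverCertLen, serverRandom and serverCertificate
            # are present only when both method and level are non-zero.
            if method and level:
                if len(payload) < 16:
                    raise ValueError("SC_SECURITY too short for random/cert lengths")
                rnd_len, cert_len = struct.unpack_from("<II", payload, 8)
                if 16 + rnd_len + cert_len > len(payload):
                    raise ValueError("SC_SECURITY random/cert overrun block")
                result["server_cert_len"] = cert_len
        elif ud_type == SC_NET:
            _mcs_io_channel, channel_count = struct.unpack_from("<HH", payload, 0)
            result["channel_count"] = channel_count
    return result


def is_well_formed(server_data):
    """True if every TS_UD block fits its declared length."""
    try:
        parse_server_data(server_data)
        return True
    except (ValueError, struct.error):
        return False


# Constructed sample: 8-byte SC_CORE, RC4 SC_SECURITY with 32-byte random and
# an 8-byte placeholder certificate (4 + 16 + 32 + 8 = 60 bytes).
SAMPLE_RC4 = (
    struct.pack("<HHI", SC_CORE, 8, 0x00080004)
    + struct.pack("<HHIIII", SC_SECURITY, 60, 0x02, 2, 32, 8)
    + b"\x11" * 32 + b"\x00" * 8
)
# Constructed sample: 16-byte SC_CORE, empty SC_SECURITY (TLS/NLA path) and an
# SC_NET block announcing two static virtual channels.
SAMPLE_TLS = (
    struct.pack("<HHIII", SC_CORE, 16, 0x00080005, 0x0000000B, 0x00000001)
    + struct.pack("<HHII", SC_SECURITY, 12, 0, 0)
    + struct.pack("<HHHHHH", SC_NET, 12, 1003, 2, 1004, 1005)
)

if __name__ == "__main__":
    for name, blob in (("rc4", SAMPLE_RC4), ("tls", SAMPLE_TLS)):
        print(name, parse_server_data(blob))
```

Reading each block through its own header is what lets the same code handle a server that omits the optional SC_CORE fields and one that includes them; a parser that hard-codes the offset of SC_SECURITY reads the wrong bytes as soon as SC_CORE grows from 8 to 16 bytes. Refusing blocks whose declared length runs past the buffer is also what prevents the unpack-of-missing-data exception described at the top of the PR.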