Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add TLS support for rdp-enum-encryption #1614

Closed
wants to merge 2 commits into from

Conversation

TomSellers
Copy link

This PR adds TLS support to rdp-enum-encryption. The value that it adds is that it enables determining the RDP protocol version against servers that require TLS and potentially lays the ground work for CredSSP. It also corrects a few values in the RDP payload that were incorrect.

Windows Server 2016 with TLS required, NLA optional

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: FAILED (SSL_REQUIRED_BY_SERVER)
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|_  RDP Protocol Version:  RDP 10.2 server

Windows Server 2016 with NLA required

NLA is required so we don't see RDP Protocol Version

3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: FAILED (HYBRID_REQUIRED_BY_SERVER)
|     RDSTLS: SUCCESS
|_    SSL: FAILED (HYBRID_REQUIRED_BY_SERVER)

Windows Server 2019 with TLS required, NLA optional

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: FAILED (SSL_REQUIRED_BY_SERVER)
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|_  RDP Protocol Version:  RDP 10.6 server

Windows XP

No change in behavior

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): Unknown
|     CredSSP with Early User Auth: Unknown
|     Native RDP: Unknown
|     RDSTLS: Unknown
|     SSL: Unknown
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: FAILURE
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server

@TomSellers TomSellers changed the title Add TLS support for RDP Add TLS support for rdp-enum-encryption May 30, 2019
@TomSellers
Copy link
Author

I looked into CredSSP. I can a see the basic auth flow and I've created a script that doesn't fully authenticate but does allow determining host info pre-auth. It's very similar to other scripts. I'll clean up tonight and submit via a separate PR.

Rough output from the unfinished script.

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-credssp-info: 
|   Target_Name: W2016
|   NetBIOS_Domain_Name: W2016
|   NetBIOS_Computer_Name: W16GA-SRV01
|   DNS_Domain_Name: W2016.lab
|   DNS_Computer_Name: W16GA-SRV01.W2016.lab
|   DNS_Tree_Name: W2016.lab
|   Product_Version: 10.0.14393
|_  System_Time: 2019-05-30T13:02:39

Copy link

@dmiller-nmap dmiller-nmap left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm really excited about this. Only very minor issues in the comments. Thanks!

@@ -183,7 +239,7 @@ Request = {

local data = stdnse.fromhex(
"7f 65" .. -- BER: Application-Defined Type = APPLICATION 101,
"82 01 90" .. -- BER: Type Length = 404 bytes
"82 01 94" .. -- BER: Type Length = 404 bytes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you update the comment, too? or just leave the decimal value out. Same on line 273.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The value is correct as are most of the others. I'll fixed the one error I found.

-- version to negotiate TLS or NLA. This section does that for TLS. There
-- is no NLA currently.
if status and (v == 1) then
status, err = comm.socket:reconnect_ssl()

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just want to put a bug in your ear: if this part can be extracted into a "StartTLS" function in sslcert.lua it opens up access to all the ssl-* scripts to work on RDP, too. It sounded on Twitter like you were thinking of extracting SSL cert, and if so, this would be a great way to do that.

Don't hold up merging this PR to do that, though: it's better to commit a working intermediate (especially when it has such an impact as this) and then work on expanding it later.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It thought about that.. and then I ran ssl-cert and saw that it pulled the certificates without any changes. I'll revisit that.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, IIRC, it just connects TLS directly without doing preliminary handshaking. That seems to work on some implementations, but I'm not sure how robust it is for all the configurations you're testing.

nselib/rdp.lua Outdated
decoder:registerTagDecoders( tag_decoder )

local response_result, userdata
_, pos = decoder.decodeLength(data, pos)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

_ needs to be local here. You could do local _, pos = decoder.decodeLength(data, 3) and eliminate the extra declaration on line 146.

-- version to negotiate TLS or NLA. This section does that for TLS. There
-- is no NLA currently.
if status and (v == 1) then
status, err = comm.socket:reconnect_ssl()

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

err needs to be declared local, too. I find things like this with my Lua check script from the Code Standards page on SecWiki.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I use luacheck but forgot to do so after refactoring.

@TomSellers
Copy link
Author

@dmiller-nmap
Feedback addressed. I've retested with Windows Server 2008, 2016, 2019, and Windows XP SP3.

@nmap-bot nmap-bot closed this in a4f3c85 Jun 4, 2019
@TomSellers TomSellers deleted the rdp_support_tls branch June 4, 2019 20:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants