
Add TLS support for rdp-enum-encryption #1614

Closed
@TomSellers commented May 30, 2019

This PR adds TLS support to rdp-enum-encryption. The value that it adds is that it enables determining the RDP protocol version against servers that require TLS and potentially lays the groundwork for CredSSP. It also corrects a few values in the RDP payload that were incorrect.

Windows Server 2016 with TLS required, NLA optional

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: FAILED (SSL_REQUIRED_BY_SERVER)
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|_  RDP Protocol Version:  RDP 10.2 server

Windows Server 2016 with NLA required

NLA is required so we don't see RDP Protocol Version

3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: FAILED (HYBRID_REQUIRED_BY_SERVER)
|     RDSTLS: SUCCESS
|_    SSL: FAILED (HYBRID_REQUIRED_BY_SERVER)

Windows Server 2019 with TLS required, NLA optional

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: FAILED (SSL_REQUIRED_BY_SERVER)
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|_  RDP Protocol Version:  RDP 10.6 server

Windows XP

No change in behavior

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption: 
|   Security layer
|     CredSSP (NLA): Unknown
|     CredSSP with Early User Auth: Unknown
|     Native RDP: Unknown
|     RDSTLS: Unknown
|     SSL: Unknown
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: FAILURE
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
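The SUCCESS / FAILED (reason) / Unknown lines above come from the server's X.224 Connection Confirm: a RDP_NEG_RSP carries the selected protocol, a RDP_NEG_FAILURE carries a failure code, and a legacy server (the Windows XP case) sends no negotiation structure at all. The parser below is an added example, not code from the PR or from Nmap; the constants are the public MS-RDPBCGR values and the three sample packets are constructed, not captured.

```python
import struct

# MS-RDPBCGR negotiation constants (public spec values, not from the PR).
PROTOCOL_NAMES = {0x0: "Native RDP", 0x1: "SSL", 0x2: "CredSSP (NLA)",
                  0x4: "RDSTLS", 0x8: "CredSSP with Early User Auth"}
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03


def parse_connection_confirm(pkt: bytes) -> dict:
    """Classify a TPKT-framed X.224 Connection Confirm the way the script's
    'Security layer' section reports it: SUCCESS, FAILED (reason) or Unknown."""
    if len(pkt) < 11 or pkt[0] != 0x03:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("TPKT length does not match data")
    li, code = pkt[4], pkt[5]
    if (code & 0xF0) != 0xD0:            # X.224 Connection Confirm TPDU code
        raise ValueError("not an X.224 Connection Confirm")
    if li != len(pkt) - 5:               # LI counts every byte after itself
        raise ValueError("X.224 length indicator does not match data")
    body = pkt[11:]                      # after CC(1) dst-ref(2) src-ref(2) class(1)
    if not body:
        # Legacy servers (the Windows XP case) answer with a bare CC and no
        # RDP_NEG_RSP / RDP_NEG_FAILURE, so the negotiation state is unknown.
        return {"result": "Unknown"}
    if len(body) < 8:
        raise ValueError("truncated RDP negotiation structure")
    ntype, _flags, nlen, value = struct.unpack("<BBHI", body[:8])
    if nlen != 8:
        raise ValueError("RDP_NEG length must be 8")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"result": "SUCCESS", "selected_protocol": value,
                "selected": PROTOCOL_NAMES.get(value, hex(value))}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"result": "FAILED", "reason": FAILURE_CODES.get(value, hex(value))}
    raise ValueError(f"unexpected negotiation type {ntype:#x}")


# Constructed sample responses (TPKT + X.224 CC), not captures from the PR.
TLS_SELECTED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 01 00 00 00")
NLA_REQUIRED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")
LEGACY_CC = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")

if __name__ == "__main__":
    for name, pkt in [("TLS", TLS_SELECTED), ("NLA", NLA_REQUIRED), ("XP", LEGACY_CC)]:
        print(name, parse_connection_confirm(pkt))
```

A selected protocol of 1 (SSL) is the case where the script, as the hunk further down shows, upgrades the socket with reconnect_ssl() before reading the protocol version.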

@TomSellers TomSellers changed the title Add TLS support for RDP Add TLS support for rdp-enum-encryption May 30, 2019

@TomSellers (Author) commented May 30, 2019

I looked into CredSSP. I can see the basic auth flow and I've created a script that doesn't fully authenticate but does allow determining host info pre-auth. It's very similar to other scripts. I'll clean up tonight and submit via a separate PR.

Rough output from the unfinished script.

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-credssp-info: 
|   Target_Name: W2016
|   NetBIOS_Domain_Name: W2016
|   NetBIOS_Computer_Name: W16GA-SRV01
|   DNS_Domain_Name: W2016.lab
|   DNS_Computer_Name: W16GA-SRV01.W2016.lab
|   DNS_Tree_Name: W2016.lab
|   Product_Version: 10.0.14393
|_  System_Time: 2019-05-30T13:02:39
@dmiller-nmap left a comment

I'm really excited about this. Only very minor issues in the comments. Thanks!

@@ -183,7 +239,7 @@ Request = {

local data = stdnse.fromhex(
"7f 65" .. -- BER: Application-Defined Type = APPLICATION 101,
"82 01 90" .. -- BER: Type Length = 404 bytes
"82 01 94" .. -- BER: Type Length = 404 bytes
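Review bot: only one of the two length lines matches its comment: `82 01 90` is a BER long-form length (0x82 announces two length octets) of 0x0190 = 400 bytes, while `82 01 94` is 0x0194 = 404 bytes, so the "404 bytes" comment is correct for the latter only. The same check applies to the other length-octet comments in this payload: either keep the decimal and verify it against the hex, or drop the decimal from the comments so they cannot drift.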

@dmiller-nmap May 30, 2019

Can you update the comment, too? or just leave the decimal value out. Same on line 273.

@TomSellers (Author) May 31, 2019

The value is correct as are most of the others. I'll fix the one error I found.

-- version to negotiate TLS or NLA. This section does that for TLS. There
-- is no NLA currently.
if status and (v == 1) then
status, err = comm.socket:reconnect_ssl()
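Review bot: `status, err = comm.socket:reconnect_ssl()` assigns `err` with no `local` declaration in the visible lines, and nothing shown checks `status` after the upgrade; declare both (`local status, err = ...` or reuse an earlier local) and return the error when the TLS handshake fails, otherwise the script carries on with a socket that never completed the upgrade and the later version read fails with a less useful error.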

@dmiller-nmap May 30, 2019

Just want to put a bug in your ear: if this part can be extracted into a "StartTLS" function in sslcert.lua it opens up access to all the ssl-* scripts to work on RDP, too. It sounded on Twitter like you were thinking of extracting SSL cert, and if so, this would be a great way to do that.

Don't hold up merging this PR to do that, though: it's better to commit a working intermediate (especially when it has such an impact as this) and then work on expanding it later.

@tsellers-r7 May 30, 2019

I thought about that... and then I ran ssl-cert and saw that it pulled the certificates without any changes. I'll revisit that.

@dmiller-nmap May 30, 2019

oh, IIRC, it just connects TLS directly without doing preliminary handshaking. That seems to work on some implementations, but I'm not sure how robust it is for all the configurations you're testing.

decoder:registerTagDecoders( tag_decoder )

local response_result, userdata
_, pos = decoder.decodeLength(data, pos)

@dmiller-nmap May 30, 2019

_ needs to be local here. You could do local _, pos = decoder.decodeLength(data, 3) and eliminate the extra declaration on line 146.

-- version to negotiate TLS or NLA. This section does that for TLS. There
-- is no NLA currently.
if status and (v == 1) then
status, err = comm.socket:reconnect_ssl()

@dmiller-nmap May 30, 2019

err needs to be declared local, too. I find things like this with my Lua check script from the Code Standards page on SecWiki.

@TomSellers (Author) May 31, 2019

I use luacheck but forgot to do so after refactoring.

@TomSellers (Author) commented May 31, 2019

@dmiller-nmap
Feedback addressed. I've retested with Windows Server 2008, 2016, 2019, and Windows XP SP3.

@nmap-bot nmap-bot closed this in a4f3c85 Jun 4, 2019

@TomSellers TomSellers deleted the TomSellers:rdp_support_tls branch Jun 4, 2019
