[NSE] Add rdp-ntlm-info.nse #1633

Closed
wants to merge 2 commits into from

@TomSellers commented Jun 13, 2019

This PR adds an NSE script, rdp-ntlm-info.nse, which enumerates information from remote RDP services that have CredSSP (NLA) authentication enabled. It is modeled after Justin Cacak's *-ntlm-info.nse scripts. I'm not a fan of the output format, and using ntlm in the script name isn't intuitive here, but I've kept them in this case in order to be consistent with his existing scripts and to enable someone to run them all using --script *-ntlm-info.

Note: No authentication is required and no logon attempts were made.

Example output

Run against a Windows 2019 server with NLA ( CredSSP ) enabled.

3389/tcp open  ms-wbt-server
| rdp-ntlm-info: 
|   Target_Name: W19GA-SRV01
|   NetBIOS_Domain_Name: W19GA-SRV01
|   NetBIOS_Computer_Name: W19GA-SRV01
|   DNS_Domain_Name: W19GA-SRV01
|   DNS_Computer_Name: W19GA-SRV01
|   Product_Version: 10.0.17763
|_  System_Time: 2019-06-13T11:20:33+00:00

Here is output that also includes output from http-ntlm-info.nse so that you can compare the results.

sudo nmap -sSCV --script=*-ntlm-info -p 80,3389 <target>

80/tcp   open     http          syn-ack ttl 128 Microsoft IIS httpd 10.0
| http-ntlm-info: 
|   Target_Name: W2016
|   NetBIOS_Domain_Name: W2016
|   NetBIOS_Computer_Name: W16GA-SRV01
|   DNS_Domain_Name: W2016.lab
|   DNS_Computer_Name: W16GA-SRV01.W2016.lab
|   DNS_Tree_Name: W2016.lab
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open     ms-wbt-server syn-ack ttl 128 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: W2016
|   NetBIOS_Domain_Name: W2016
|   NetBIOS_Computer_Name: W16GA-SRV01
|   DNS_Domain_Name: W2016.lab
|   DNS_Computer_Name: W16GA-SRV01.W2016.lab
|   DNS_Tree_Name: W2016.lab
|   Product_Version: 10.0.14393
|_  System_Time: 2019-06-13T10:38:35+00:00

Against Windows 2008 with a few more services configured to use NTLM:
sudo nmap -sSC --script=*-ntlm-info -p 23,25,80,3389 <target>

PORT     STATE SERVICE
23/tcp   open  telnet
| telnet-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|_  Product_Version: 6.0.6002
25/tcp   open  smtp
| smtp-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|_  Product_Version: 6.0.6002
80/tcp   open  http
| http-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|_  Product_Version: 6.0.6002
3389/tcp open  ms-wbt-server
| rdp-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|   Product_Version: 6.0.6002
|_  System_Time: 2019-06-13T11:50:50+00:00
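The fields in the output above all come from one message: the NTLMSSP CHALLENGE_MESSAGE that an NLA server returns inside the CredSSP TSRequest (over TLS, after the X.224 Connection Request has negotiated CredSSP). Target_Name is the challenge's TargetName field, Product_Version is its Version field, and the NetBIOS/DNS names and System_Time are AV_PAIRs in its TargetInfo block (System_Time is the MsvAvTimestamp FILETIME). The parser below is an added example written for this page; it is not code from the PR or from nmap's rdp.lua. It takes the raw response bytes as input, locates the NTLMSSP signature the way the script does, and returns the same keys the script prints. The sample challenge is constructed inline with the W2016 values shown above, and the filler bytes in front of it only stand in for the TSRequest wrapper; they are not a real ASN.1 encoding.

```python
# Added example: parse an NTLM CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2) into the
# keys that rdp-ntlm-info.nse reports. Not part of the PR or of nmap's rdp.lua.
import struct
from datetime import datetime, timedelta, timezone

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# AV_PAIR ids (MS-NLMP 2.2.2.1) mapped to the script's output keys.
AV_PAIR_FIELDS = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",
                  3: "DNS_Computer_Name", 4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}
MSV_AV_EOL, MSV_AV_FLAGS, MSV_AV_TIMESTAMP = 0, 6, 7
FIELD_ORDER = ("Target_Name", "NetBIOS_Domain_Name", "NetBIOS_Computer_Name",
               "DNS_Domain_Name", "DNS_Computer_Name", "DNS_Tree_Name",
               "Product_Version", "System_Time")

# MsvAvTimestamp is a FILETIME: 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(filetime):
    when = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return when.strftime("%Y-%m-%dT%H:%M:%S+00:00")


def iso_to_filetime(when):
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_ntlm_challenge(blob):
    """Return the host/domain fields from the first NTLMSSP CHALLENGE in blob,
    or None if no well-formed challenge is present (never raise on junk)."""
    start = blob.find(NTLMSSP_SIGNATURE)
    if start < 0:                       # signature absent: report, do not crash
        return None
    msg = blob[start:]
    if len(msg) < 48 or struct.unpack_from("<I", msg, 8)[0] != 2:
        return None                     # too short, or not MessageType 2
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    if tn_off + tn_len > len(msg) or ti_off + ti_len > len(msg):
        return None                     # offsets point outside the message

    found = {}
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    found["Target_Name"] = msg[tn_off:tn_off + tn_len].decode(codec, "replace")

    # The 8-byte Version field is only meaningful when the server sets the flag.
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(msg) >= 56:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        found["Product_Version"] = "%d.%d.%d" % (major, minor, build)

    # Walk the AV_PAIR list until MsvAvEOL or the end of TargetInfo.
    pos, end = ti_off, ti_off + ti_len
    while flags & NTLMSSP_NEGOTIATE_TARGET_INFO and pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        if av_id == MSV_AV_TIMESTAMP and av_len == 8:
            found["System_Time"] = filetime_to_iso(struct.unpack("<Q", value)[0])
        elif av_id in AV_PAIR_FIELDS:   # AV_PAIR strings are always UTF-16LE
            found[AV_PAIR_FIELDS[av_id]] = value.decode("utf-16-le", "replace")
        # MsvAvFlags and unknown ids are skipped by their length, not parsed.
    return {key: found[key] for key in FIELD_ORDER if key in found}


def build_sample_challenge():
    """Constructed sample: a CHALLENGE carrying the W2016 values from the PR
    output, behind filler bytes that stand in for the CredSSP TSRequest
    wrapper (the filler is not a real ASN.1 encoding)."""
    target = "W2016".encode("utf-16-le")
    pairs = [(2, "W2016"), (1, "W16GA-SRV01"), (4, "W2016.lab"),
             (3, "W16GA-SRV01.W2016.lab"), (5, "W2016.lab")]
    info = b""
    for av_id, text in pairs:
        value = text.encode("utf-16-le")
        info += struct.pack("<HH", av_id, len(value)) + value
    info += struct.pack("<HHI", MSV_AV_FLAGS, 4, 0x2)      # parser must skip this
    stamp = iso_to_filetime(datetime(2019, 6, 13, 10, 38, 35, tzinfo=timezone.utc))
    info += struct.pack("<HHQ", MSV_AV_TIMESTAMP, 8, stamp)
    info += struct.pack("<HH", MSV_AV_EOL, 0)

    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO
             | NTLMSSP_NEGOTIATE_VERSION)
    tn_off = 56                         # payload starts right after Version
    ti_off = tn_off + len(target)
    header = (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
              + struct.pack("<HHI", len(target), len(target), tn_off)
              + struct.pack("<I", flags)
              + b"\x11" * 8             # ServerChallenge (constructed value)
              + b"\x00" * 8             # Reserved
              + struct.pack("<HHI", len(info), len(info), ti_off)
              + struct.pack("<BBHBBBB", 10, 0, 14393, 0, 0, 0, 15))  # 10.0.14393
    filler = b"\x30\x82\x01\x23\xa0\x03\x02\x01\x02\xa1"   # constructed stand-in
    return filler + header + target + info


if __name__ == "__main__":
    for key, value in parse_ntlm_challenge(build_sample_challenge()).items():
        print("%s: %s" % (key, value))
```

Two details matter for a scanner rather than a client: the parser returns None instead of raising when the signature is missing or an offset points outside the message, since a non-NLA or hostile server can return anything, and the AV_PAIR walk is driven by the length fields rather than by a fixed layout, so MsvAvFlags and ids it does not know are stepped over instead of breaking the parse.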
@dmiller-nmap left a comment

Exciting stuff! Just a couple minor change requests, and please run luacheck once more before committing to be sure it passes. Looking forward to seeing this merged!


local comm = rdp.Comm:new(host, port)
if ( not(comm:connect()) ) then
return false, fail("Failed to connect to server")

dmiller-nmap Jun 13, 2019

fail is not defined, and we should just return nil here. You can use stdnse.format_output(false, "message") to output an error message in verbose/debug mode instead, if you like.

end

-- Request CredSSP protocol = 3
local cr = rdp.Request.ConnectionRequest:new(11)

dmiller-nmap Jun 13, 2019

What is this 11 here? The comment mentions 3 instead. Maybe these constants could be in a table in rdp.lua?

-- Continue only if NTLMSSP response is returned
local start = response:find("NTLMSSP")
response = response:sub(start)
if not string.match(response, "^NTLMSSP") then
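Review bot: `response = response:sub(start)` runs before anything checks `start`, so when "NTLMSSP" is absent from the response `start` is nil and `string.sub` raises a runtime error instead of the script returning quietly; check `start` right after the `find()` (`if not start then return nil end`) and drop the `string.match`, which can only ever be true once the string has been re-based on `start`.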

dmiller-nmap Jun 13, 2019

If "NTLMSSP" is not in response, then start will be nil, which we can check instead of using string.match() here. If it is in response, then after the sub() call above, this string.match() will always be true.

@TomSellers (Author) commented Jun 14, 2019

Thanks for the feedback @dmiller-nmap
Barring any other feedback I'll likely commit this tomorrow.

@nmap-bot nmap-bot closed this in 19c756a Jun 14, 2019

@TomSellers TomSellers deleted the TomSellers:add_rdp-credssp-info branch Jun 14, 2019

@TomSellers (Author) commented Jun 15, 2019

@CaledoniaProject commented Jun 15, 2019

Yes, it worked with master branch. Back then I was testing the lua script with nmap-7.70.
