
Add RDP Fingerprinting #12183

Merged
merged 4 commits into from Aug 21, 2019

Conversation

@zeroSteiner
Contributor

commented Aug 12, 2019

This PR adds a new rdp_fingerprint method to the RDP mixin. The fingerprint method uses the same CredSSP technique that Tom Sellers outlined in his blog post Using Nmap to extract Windows host and domain information via RDP. This PR also updates the auxiliary/scanner/rdp/rdp_scanner module to use the new fingerprinting technique. Because the technique effectively requests NLA, the DETECT_NLA datastore option was also added to detect if the server requires NLA. When configured, this causes the module to connect a second time to determine if NLA is required. The second connection is skipped if either the remote service isn't RDP or doesn't support NLA (specifically PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX). The scanner module also includes whether NLA is required or not when adding the service to the database.

Testing

To test this module:

  • Start msfconsole
  • Use scanner/rdp/rdp_scanner
  • Set the RHOSTS option to one or more RDP servers to scan
  • Run the module and see the expected results [1]

[1] I have noticed that scanning Windows XP repeatedly will yield false negative results. Waiting a couple of minutes between scans seems to fix the issue.

Example

metasploit-framework (S:0 J:1) auxiliary(scanner/rdp/rdp_scanner) > show options 

Module options (auxiliary/scanner/rdp/rdp_scanner):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DETECT_NLA       true             yes       Detect Network Level Authentication (NLA)
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  rdesktop         no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS           192.168.90.10    yes       The target address range or CIDR identifier
   RPORT            3389             yes       The target port (TCP)
   THREADS          32               yes       The number of concurrent threads

metasploit-framework (S:0 J:1) auxiliary(scanner/rdp/rdp_scanner) > exploit

[*] [2019.08.11-15:48:43] 192.168.90.10:3389    - Verifying RDP protocol...
[*] [2019.08.11-15:48:43] 192.168.90.10:3389    - Attempting to connect using TLS security
[*] [2019.08.11-15:48:43] 192.168.90.10:3389    - Verifying RDP protocol...
[*] [2019.08.11-15:48:43] 192.168.90.10:3389    - Attempting to connect using TLS security
[*] [2019.08.11-15:48:43] 192.168.90.10:3389    - Detected RDP on 192.168.90.10:3389    (Windows v6.1.7601) (Requires NLA: No)
[*] [2019.08.11-15:48:43] 192.168.90.10:3389    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:1) auxiliary(scanner/rdp/rdp_scanner) > services 
Services
========

host           port  proto  name  state  info
----           ----  -----  ----  -----  ----
192.168.90.10  3389  tcp    rdp   open   Requires NLA: No

metasploit-framework (S:0 J:1) auxiliary(scanner/rdp/rdp_scanner) >
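The two server responses the fingerprinting described in the PR text depends on, decoded in plain Ruby as an added example (this is not the mixin's code and not Metasploit's RDP library). The X.224 negotiation tells you whether the server offers NLA (PROTOCOL_HYBRID / PROTOCOL_HYBRID_EX) or refuses a non-NLA connect with HYBRID_REQUIRED_BY_SERVER, and the NTLM CHALLENGE_MESSAGE that CredSSP carries exposes the Version field (the `6.1.7601`-style string in the scanner output) plus the NetBIOS and DNS names in TargetInfo. Constants are from MS-RDPBCGR and MS-NLMP; the messages are constructed here, not captured from a host, and modelling the second connect as one that offers only standard RDP security is an assumption about how such a check can be done, not a description of the mixin's exact sequence.

```ruby
# Added example, not Metasploit's code. Decodes the two responses an RDP
# fingerprinting pass looks at: the X.224 negotiation result and the NTLM
# CHALLENGE_MESSAGE from CredSSP. Sample messages are constructed inline.
module RdpFingerprint
  # MS-RDPBCGR 2.2.1.1.1 requestedProtocols / selectedProtocol flags
  PROTOCOL_RDP       = 0x00000000
  PROTOCOL_SSL       = 0x00000001
  PROTOCOL_HYBRID    = 0x00000002
  PROTOCOL_HYBRID_EX = 0x00000008

  # MS-RDPBCGR 2.2.1.2.2 RDP_NEG_FAILURE failureCode values
  FAILURE_CODES = {
    0x00000001 => :ssl_required_by_server,
    0x00000002 => :ssl_not_allowed_by_server,
    0x00000003 => :ssl_cert_not_on_server,
    0x00000004 => :inconsistent_flags,
    0x00000005 => :hybrid_required_by_server,
    0x00000006 => :ssl_with_user_auth_required_by_server
  }.freeze

  # TPKT + X.224 Connection Request + RDP_NEG_REQ asking for the given protocols.
  def self.build_connection_request(requested_protocols)
    neg  = [0x01, 0, 8, requested_protocols].pack('CCvV')           # RDP_NEG_REQ
    x224 = [6 + neg.bytesize, 0xe0, 0, 0, 0].pack('CCnnC')          # LI, CR, dst, src, class
    [3, 0, 4 + x224.bytesize + neg.bytesize].pack('CCn') + x224 + neg
  end

  # Parse TPKT + X.224 Connection Confirm + RDP_NEG_RSP / RDP_NEG_FAILURE.
  def self.parse_negotiation(bytes)
    raise ArgumentError, 'not a TPKT header' unless bytes.getbyte(0) == 3
    raise ArgumentError, 'truncated TPKT' unless bytes.bytesize == bytes.byteslice(2, 2).unpack1('n')
    raise ArgumentError, 'not an X.224 CC' unless (bytes.getbyte(5) & 0xf0) == 0xd0
    neg = bytes.byteslice(11, bytes.bytesize - 11)                  # TPKT(4) + X.224 CC(7)
    return { type: :no_negotiation } if neg.nil? || neg.empty?      # legacy server: no RDP_NEG
    type, _flags, len, value = neg.unpack('CCvV')
    raise ArgumentError, 'bad RDP_NEG length' unless len == 8
    case type
    when 0x02 then { type: :response, selected_protocol: value }
    when 0x03 then { type: :failure, failure_code: FAILURE_CODES.fetch(value, value) }
    else raise ArgumentError, "unknown RDP negotiation type #{type}"
    end
  end

  # Server offers NLA: it selected PROTOCOL_HYBRID or PROTOCOL_HYBRID_EX.
  def self.nla_supported?(negotiation)
    negotiation[:type] == :response &&
      (negotiation[:selected_protocol] & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX)) != 0
  end

  # Server requires NLA: a connect offering only standard security was refused
  # with HYBRID_REQUIRED_BY_SERVER (assumed check, see lead-in).
  def self.nla_required?(negotiation)
    negotiation[:type] == :failure && negotiation[:failure_code] == :hybrid_required_by_server
  end

  NTLMSSP_NEGOTIATE_VERSION = 0x02000000
  AV_IDS = { 1 => :nb_computer_name, 2 => :nb_domain_name, 3 => :dns_computer_name,
             4 => :dns_domain_name, 5 => :dns_tree_name }.freeze

  # Parse an NTLM CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2): Version gives the OS
  # build; TargetInfo AV_PAIRs give host and domain names.
  def self.parse_ntlm_challenge(msg)
    raise ArgumentError, 'not NTLMSSP' unless msg.byteslice(0, 8) == "NTLMSSP\0".b
    raise ArgumentError, 'not a CHALLENGE_MESSAGE' unless msg.byteslice(8, 4).unpack1('V') == 2
    tn_len, _tn_max, tn_off = msg.byteslice(12, 8).unpack('vvV')
    flags = msg.byteslice(20, 4).unpack1('V')
    _ti_len, _ti_max, ti_off = msg.byteslice(40, 8).unpack('vvV')
    result = { target_name: utf16(msg.byteslice(tn_off, tn_len)), version: nil, av_pairs: {} }
    if (flags & NTLMSSP_NEGOTIATE_VERSION) != 0
      major, minor, build = msg.byteslice(48, 4).unpack('CCv')
      result[:version] = "#{major}.#{minor}.#{build}"
    end
    pos = ti_off
    loop do
      av_id, av_len = msg.byteslice(pos, 4).unpack('vv')
      pos += 4
      break if av_id == 0                                           # MsvAvEOL
      name = AV_IDS[av_id]
      result[:av_pairs][name] = utf16(msg.byteslice(pos, av_len)) if name
      pos += av_len
    end
    result
  end

  def self.utf16(bytes)
    bytes.dup.force_encoding('UTF-16LE').encode('UTF-8')
  end

  # Constructed sample X.224 confirm: type 0x02 (RDP_NEG_RSP) or 0x03 (RDP_NEG_FAILURE).
  def self.sample_negotiation(type, value)
    neg  = [type, 0, 8, value].pack('CCvV')
    x224 = [14, 0xd0, 0, 0x1234, 0].pack('CCnnC')
    [3, 0, 4 + x224.bytesize + neg.bytesize].pack('CCn') + x224 + neg
  end

  # Constructed sample CHALLENGE_MESSAGE for a fictional Windows 7 host.
  def self.sample_challenge
    target = 'WORKGROUP'.encode('UTF-16LE').b
    av = ''.b
    { 1 => 'WIN7-LAB', 2 => 'WORKGROUP', 3 => 'win7-lab.example.test', 4 => 'example.test' }.each do |id, s|
      v = s.encode('UTF-16LE').b
      av << [id, v.bytesize].pack('vv') << v
    end
    av << [0, 0].pack('vv')
    msg = "NTLMSSP\0".b + [2].pack('V')
    msg << [target.bytesize, target.bytesize, 56].pack('vvV')     # TargetNameFields
    msg << [NTLMSSP_NEGOTIATE_VERSION | 0x00800000].pack('V')     # flags incl. NEGOTIATE_TARGET_INFO
    msg << "\x01\x02\x03\x04\x05\x06\x07\x08".b << ("\0" * 8).b    # ServerChallenge, Reserved
    msg << [av.bytesize, av.bytesize, 56 + target.bytesize].pack('vvV')
    msg << [6, 1, 7601, 0, 0, 0, 15].pack('CCvCCCC')               # Version 6.1.7601, NTLMRevisionCurrent
    msg << target << av
  end
end
```

Reading the two results together gives the same line the scanner prints: the Windows version from the challenge, and "Requires NLA" from whether the standard-security connect was refused. A server whose confirm carries no RDP_NEG block at all is an older host that never negotiated enhanced security, which is the case where the PR skips the second connection.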
@bwatters-r7

Contributor

commented Aug 12, 2019

TL;DR: 34 windows hosts in the range, from Windows 7-Windows 10, all with RDP open. The scanner found all 34.

Removed incorrect output because I can't type in the morning....

@zeroSteiner

Contributor Author

commented Aug 12, 2019

@bwatters-r7 It doesn't look like the scanner included the PR changes though. The messages should have been different and included:

  • The Windows version for all but XP systems
  • Whether or not NLA was required (if the default configuration was used)
@bwatters-r7

Contributor

commented Aug 12, 2019

/me Checks command history....
Well, yes, I did fat finger the checkout command.....

@bwatters-r7

Contributor

commented Aug 12, 2019

This time, with feeling (and the right commit)

commit 63dfa2a8bdd2c59188baeacd211364cdcd8d43ed
Author: Spencer McIntyre <zeroSteiner@gmail.com>
Date:   Sun Aug 11 19:23:29 2019 -0700

    Fix the RDP NLA protocol detection

msf5 auxiliary(scanner/rdp/rdp_scanner) > show options

Module options (auxiliary/scanner/rdp/rdp_scanner):

   Name             Current Setting   Required  Description
   ----             ---------------   --------  -----------
   DETECT_NLA       true              yes       Detect Network Level Authentication (NLA)
   RDP_CLIENT_IP    192.168.0.100     yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  rdesktop          no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                         no        The client domain name to report during connect
   RDP_USER                           no        The username to report during connect, UNSET = random
   RHOSTS           192.168.134.0/24  yes       The target address range or CIDR identifier
   RPORT            3389              yes       The target port (TCP)
   THREADS          25                yes       The number of concurrent threads

msf5 auxiliary(scanner/rdp/rdp_scanner) > run

[*] 192.168.134.0/24:3389 - Scanned  26 of 256 hosts (10% complete)
[*] 192.168.134.0/24:3389 - Scanned  53 of 256 hosts (20% complete)
[*] 192.168.134.0/24:3389 - Scanned  77 of 256 hosts (30% complete)
[*] 192.168.134.109:3389  - Detected RDP on 192.168.134.109:3389  (Windows version: 10.0.14393) (Requires NLA: Yes)
[*] 192.168.134.120:3389  - Detected RDP on 192.168.134.120:3389  (Windows version: 6.1.7601) (Requires NLA: No)
[*] 192.168.134.113:3389  - Detected RDP on 192.168.134.113:3389  (Windows version: 6.1.7600) (Requires NLA: No)
[*] 192.168.134.117:3389  - Detected RDP on 192.168.134.117:3389  (Windows version: 10.0.10240) (Requires NLA: Yes)
[*] 192.168.134.106:3389  - Detected RDP on 192.168.134.106:3389  (Windows version: 10.0.17134) (Requires NLA: Yes)
[*] 192.168.134.121:3389  - Detected RDP on 192.168.134.121:3389  (Windows version: 10.0.10586) (Requires NLA: Yes)
[*] 192.168.134.123:3389  - Detected RDP on 192.168.134.123:3389  (Windows version: 6.2.9200) (Requires NLA: Yes)
[*] 192.168.134.104:3389  - Detected RDP on 192.168.134.104:3389  (Windows version: 10.0.17763) (Requires NLA: Yes)
[*] 192.168.134.115:3389  - Detected RDP on 192.168.134.115:3389  (Windows version: 10.0.16299) (Requires NLA: Yes)
[*] 192.168.134.118:3389  - Detected RDP on 192.168.134.118:3389  (Windows version: 10.0.15063) (Requires NLA: Yes)
[*] 192.168.134.114:3389  - Detected RDP on 192.168.134.114:3389  (Windows version: 10.0.15063) (Requires NLA: Yes)
[*] 192.168.134.119:3389  - Detected RDP on 192.168.134.119:3389  (Windows version: 10.0.17134) (Requires NLA: Yes)
[*] 192.168.134.0/24:3389 - Scanned 114 of 256 hosts (44% complete)
[*] 192.168.134.130:3389  - Detected RDP on 192.168.134.130:3389  (Windows version: 6.1.7601) (Requires NLA: No)
[*] 192.168.134.133:3389  - Detected RDP on 192.168.134.133:3389  (Windows version: 6.1.7601) (Requires NLA: No)
[*] 192.168.134.142:3389  - Detected RDP on 192.168.134.142:3389  (Windows version: 6.1.7600) (Requires NLA: No)
[*] 192.168.134.0/24:3389 - Scanned 128 of 256 hosts (50% complete)
[*] 192.168.134.132:3389  - Detected RDP on 192.168.134.132:3389  (Windows version: 10.0.16299) (Requires NLA: Yes)
[*] 192.168.134.149:3389  - Detected RDP on 192.168.134.149:3389  (Windows version: 10.0.14393) (Requires NLA: Yes)
[*] 192.168.134.151:3389  - Detected RDP on 192.168.134.151:3389  (Windows version: 6.2.9200) (Requires NLA: Yes)
[*] 192.168.134.146:3389  - Detected RDP on 192.168.134.146:3389  (Windows version: 10.0.17763) (Requires NLA: Yes)
[*] 192.168.134.129:3389  - Detected RDP on 192.168.134.129:3389  (Windows version: 10.0.10240) (Requires NLA: Yes)
[*] 192.168.134.161:3389  - Detected RDP on 192.168.134.161:3389  (Windows version: 6.3.9600) (Requires NLA: Yes)
[*] 192.168.134.162:3389  - Detected RDP on 192.168.134.162:3389  (Windows version: 6.3.9600) (Requires NLA: Yes)
[*] 192.168.134.172:3389  - Detected RDP on 192.168.134.172:3389  (Windows version: 6.3.9600) (Requires NLA: Yes)
[*] 192.168.134.164:3389  - Detected RDP on 192.168.134.164:3389  (Windows version: 10.0.17763) (Requires NLA: Yes)
[*] 192.168.134.177:3389  - Detected RDP on 192.168.134.177:3389  (Windows version: 10.0.17134) (Requires NLA: Yes)
[*] 192.168.134.165:3389  - Detected RDP on 192.168.134.165:3389  (Windows version: 10.0.16299) (Requires NLA: Yes)
[*] 192.168.134.169:3389  - Detected RDP on 192.168.134.169:3389  (Windows version: 6.3.9600) (Requires NLA: Yes)
[*] 192.168.134.171:3389  - Detected RDP on 192.168.134.171:3389  (Windows version: 6.3.9600) (Requires NLA: Yes)
[*] 192.168.134.0/24:3389 - Scanned 162 of 256 hosts (63% complete)
[*] 192.168.134.187:3389  - Detected RDP on 192.168.134.187:3389  (Windows version: 6.3.9600) (Requires NLA: Yes)
[*] 192.168.134.199:3389  - Detected RDP on 192.168.134.199:3389  (Windows version: 6.1.7600) (Requires NLA: No)
[*] 192.168.134.192:3389  - Detected RDP on 192.168.134.192:3389  (Windows version: 10.0.14393) (Requires NLA: Yes)
[*] 192.168.134.185:3389  - Detected RDP on 192.168.134.185:3389  (Windows version: 6.2.9200) (Requires NLA: Yes)
[*] 192.168.134.191:3389  - Detected RDP on 192.168.134.191:3389  (Windows version: 10.0.17763) (Requires NLA: Yes)
[*] 192.168.134.193:3389  - Detected RDP on 192.168.134.193:3389  (Windows version: 10.0.10586) (Requires NLA: Yes)
[*] 192.168.134.0/24:3389 - Scanned 185 of 256 hosts (72% complete)
[*] 192.168.134.0/24:3389 - Scanned 208 of 256 hosts (81% complete)
[*] 192.168.134.0/24:3389 - Scanned 231 of 256 hosts (90% complete)
[*] 192.168.134.0/24:3389 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/rdp_scanner) > 
@OJ

Contributor

commented Aug 21, 2019

I'm going to get on this today, I PROMISE!

@OJ

Contributor

commented Aug 21, 2019

Took me a while, but I finally got the lab going so I could test it..


Looking good to me. Thanks @zeroSteiner, landing now.

@OJ OJ merged commit d676f98 into rapid7:master Aug 21, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed