
Commit 43e04c8

committed
Improve RDP probe packet
1 parent e3e5c33 commit 43e04c8


1 file changed

+35
-6
lines changed


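--- a/modules/auxiliary/scanner/rdp/rdp_scanner.rb
+++ b/modules/auxiliary/scanner/rdp/rdp_scanner.rb
@@ -20,25 +20,26 @@ def initialize(info = {})
 'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
 'References' =>
 [
+['URL', 'https://msdn.microsoft.com/en-us/library/cc240445.aspx']
 ],
 'License' => MSF_LICENSE
 )
 )
 
 register_options(
 [
-Opt::RPORT(3389)
-# XXX: add options to turn on/off TLS, CredSSP, early user, cookies, etc.
+Opt::RPORT(3389),
+OptBool.new('TLS', [true, 'Wheter or not request TLS security', true]),
+OptBool.new('CredSSP', [true, 'Whether or not to request CredSSP', true]),
+OptBool.new('EarlyUser', [true, 'Whether to support Earlier User Authorization Result PDU', false])
 ]
 )
 end
 
-# simple TPKT v3 + x.224 COTP Connect Request + RDP negotiation request with TLS and CredSSP requested
-RDP_PROBE = "\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"
 # any TPKT v3 + x.2224 COTP Connect Confirm
-RDP_RE = /^\x03\x00.{3}\xd0.{7}.*$/
+RDP_RE = /^\x03\x00.{3}\xd0.{5}.*$/
 def rdp?
-sock.put(RDP_PROBE)
+sock.put(@probe)
 response = sock.get_once(-1)
 if response
 if RDP_RE.match?(response)
@@ -53,6 +54,34 @@ def rdp?
 end
 end
 
+def setup
+# build a simple TPKT v3 + x.224 COTP Connect Request. optionally append
+# RDP negotiation request with TLS, CredSSP and Early User as requesteste
+requestedProtocols = 0
+if datastore['TLS']
+requestedProtocols = requestedProtocols ^ 0b1
+end
+if datastore['CredSSP']
+requestedProtocols = requestedProtocols ^ 0b10
+end
+if datastore['EarlyUser']
+requestedProtocols = requestedProtocols ^ 0b1000
+end
+
+if requestedProtocols == 0
+tpkt_len = 11
+cotp_len = 6
+pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0 ]
+pack_string = "CCnCCnnC"
+else
+tpkt_len = 19
+cotp_len = 14
+pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0, 1, 0, 8, 0, requestedProtocols ]
+pack_string = "CCnCCnnCCCCCV"
+end
+@probe = pack.pack(pack_string)
+end
+
 def run_host(_ip)
 begin
 connect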
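Review bot: In the new `setup`, `EarlyUser` sets bit 0x08 (PROTOCOL_HYBRID_EX) independently of `CredSSP`, but as I read MS-RDPBCGR's RDP_NEG_REQ definition, PROTOCOL_HYBRID_EX should only be requested together with PROTOCOL_HYBRID (0x02), so a user who disables CredSSP and enables EarlyUser sends a request a server may refuse or silently downgrade; either imply the dependency (`requestedProtocols |= 0b10 if datastore['EarlyUser']`) or reject that combination up front with `fail_with(Failure::BadConfig, ...)`. The `^` used to set each bit only works because every bit starts at zero and is set once; `|=` expresses the intent and cannot clear a flag by accident. Separately, the updated `RDP_RE` runs `.` over binary data without the `m` flag, so a 0x0a byte anywhere in the five dst-ref/src-ref/class bytes after `\xd0` makes the match fail and the host is reported as not speaking RDP; `RDP_RE = /\A\x03\x00.{3}\xd0.{5}/m` avoids that and drops the redundant `.*$`. The typos `Wheter` (option description, shown to users by `show options`) and `requesteste` (comment) are worth fixing in the same change.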
