Land rapid7#8734, Add RDP scanner module

Author: bwatters-r7

documentation/modules/auxiliary/scanner/rdp/rdp_scanner.md

@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+  Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP.
+
+## Verification Steps
+
+  1. Do: ```use auxiliary/scanner/rdp/rdp_scanner```
+  2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP
+  3. Do: ```run```
+  4. If the host is exposing an identifiable RDP instance, it will print the endpoint.
+
+## Options
+
+  There are three options currently supported that control what security protocols to
+  send in the RDP negotiation request, which can be helpful in identifying RDP
+  endpoints that might be locked down or configured differently:
+
+  **TLS** Set to true to request TLS security support
+  **CredSSP** Set to true to request CredSSP support
+  **EarlyUser** Set to true to request Early User Authorization Result PDU support
+
+## Scenarios
+
+  ```
+msf auxiliary(rdp_scanner) > run
+
+[+] 10.4.18.26:3389       - Identified RDP
+[+] 10.4.18.22:3389       - Identified RDP
+[+] 10.4.18.89:3389       - Identified RDP
+[+] 10.4.18.9:3389        - Identified RDP
+[+] 10.4.18.67:3389       - Identified RDP
+[+] 10.4.18.80:3389       - Identified RDP
+[+] 10.4.18.34:3389       - Identified RDP
+[+] 10.4.18.70:3389       - Identified RDP
+[+] 10.4.18.30:3389       - Identified RDP
+[+] 10.4.18.76:3389       - Identified RDP
+[+] 10.4.18.13:3389       - Identified RDP
+[+] 10.4.18.91:3389       - Identified RDP
+[+] 10.4.18.5:3389        - Identified RDP
+[+] 10.4.18.47:3389       - Identified RDP
+[+] 10.4.18.41:3389       - Identified RDP
+[+] 10.4.18.105:3389      - Identified RDP
+[*] Scanned  44 of 256 hosts (17% complete)
+[*] Scanned  55 of 256 hosts (21% complete)
+[+] 10.4.18.118:3389      - Identified RDP
+[+] 10.4.18.108:3389      - Identified RDP
+[+] 10.4.18.139:3389      - Identified RDP
+[*] Scanned  94 of 256 hosts (36% complete)
+[*] Scanned 110 of 256 hosts (42% complete)
+[+] 10.4.18.157:3389      - Identified RDP
+[+] 10.4.18.166:3389      - Identified RDP
+[+] 10.4.18.164:3389      - Identified RDP
+[+] 10.4.18.170:3389      - Identified RDP
+[+] 10.4.18.185:3389      - Identified RDP
+[+] 10.4.18.209:3389      - Identified RDP
+[+] 10.4.18.188:3389      - Identified RDP
+[*] Scanned 156 of 256 hosts (60% complete)
+[+] 10.4.18.237:3389      - Identified RDP
+[+] 10.4.18.225:3389      - Identified RDP
+[*] Scanned 186 of 256 hosts (72% complete)
+[*] Scanned 194 of 256 hosts (75% complete)
+[*] Scanned 208 of 256 hosts (81% complete)
+[*] Scanned 253 of 256 hosts (98% complete)
+[*] Scanned 256 of 256 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

modules/auxiliary/scanner/rdp/rdp_scanner.rb

@@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'           => 'Identify endpoints speaking the Remote Desktop Protocol (RDP)',
+        'Description'    => %q(
+          This module attempts to connect to the specified Remote Desktop Protocol port
+          and determines if it speaks RDP.
+        ),
+        'Author'         => 'Jon Hart <jon_hart[at]rapid7.com>',
+        'References'     =>
+          [
+            ['URL', 'https://msdn.microsoft.com/en-us/library/cc240445.aspx']
+          ],
+        'License'        => MSF_LICENSE
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(3389),
+        OptBool.new('TLS', [true, 'Wheter or not request TLS security', true]),
+        OptBool.new('CredSSP', [true, 'Whether or not to request CredSSP', true]),
+        OptBool.new('EarlyUser', [true, 'Whether to support Earlier User Authorization Result PDU', false])
+      ]
+    )
+  end
+
+  # any TPKT v3 + x.2224 COTP Connect Confirm
+  RDP_RE = /^\x03\x00.{3}\xd0.{5}.*$/
+  def rdp?
+    sock.put(@probe)
+    response = sock.get_once(-1)
+    if response
+      if RDP_RE.match?(response)
+        # XXX: it might be helpful to decode the response and show what was selected.
+        print_good("Identified RDP")
+        return true
+      else
+        vprint_status("No match for '#{Rex::Text.to_hex_ascii(response)}'")
+      end
+    else
+      vprint_status("No response")
+    end
+  end
+
+  def setup
+    # build a simple TPKT v3 + x.224 COTP Connect Request.  optionally append
+    # RDP negotiation request with TLS, CredSSP and Early User as requesteste
+    requested_protocols = 0
+    if datastore['TLS']
+      requested_protocols = requested_protocols ^ 0b1
+    end
+    if datastore['CredSSP']
+      requested_protocols = requested_protocols ^ 0b10
+    end
+    if datastore['EarlyUser']
+      requested_protocols = requested_protocols ^ 0b1000
+    end
+
+    if requested_protocols == 0
+      tpkt_len = 11
+      cotp_len = 6
+      pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0 ]
+      pack_string = "CCnCCnnC"
+    else
+      tpkt_len = 19
+      cotp_len = 14
+      pack  = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0, 1, 0, 8, 0, requested_protocols ]
+      pack_string = "CCnCCnnCCCCCV"
+    end
+    @probe = pack.pack(pack_string)
+  end
+
+  def run_host(_ip)
+    begin
+      connect
+      return unless rdp?
+    rescue Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, \
+           ::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError => e
+      vprint_error("error while connecting and negotiating RDP: #{e}")
+      return
+    ensure
+      disconnect
+    end
+
+    report_service(
+      host: rhost,
+      port: rport,
+      proto: 'tcp',
+      name: 'RDP'
+    )
+  end
+end