|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | + Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP. |
| 4 | + |
| 5 | +## Verification Steps |
| 6 | + |
| 7 | + 1. Do: ```use auxiliary/scanner/rdp/rdp_scanner``` |
| 8 | + 2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP |
| 9 | + 3. Do: ```run``` |
| 10 | + 4. If the host is exposing an identifiable RDP instance, it will print the endpoint. |
| 11 | + |
| 12 | +## Options |
| 13 | + |
| 14 | + There are three options currently supported that control what security protocols to |
| 15 | + send in the RDP negotiation request, which can be helpful in identifying RDP |
| 16 | + endpoints that might be locked down or configured differently: |
| 17 | + |
| 18 | + **TLS** Set to true to request TLS security support |
| 19 | + **CredSSP** Set to true to request CredSSP support |
| 20 | + **EarlyUser** Set to true to request Early User Authorization Result PDU support |
| 21 | + |
| 22 | +## Scenarios |
| 23 | + |
| 24 | + ``` |
| 25 | +msf auxiliary(rdp_scanner) > run |
| 26 | +
|
| 27 | +[+] 10.4.18.26:3389 - Identified RDP |
| 28 | +[+] 10.4.18.22:3389 - Identified RDP |
| 29 | +[+] 10.4.18.89:3389 - Identified RDP |
| 30 | +[+] 10.4.18.9:3389 - Identified RDP |
| 31 | +[+] 10.4.18.67:3389 - Identified RDP |
| 32 | +[+] 10.4.18.80:3389 - Identified RDP |
| 33 | +[+] 10.4.18.34:3389 - Identified RDP |
| 34 | +[+] 10.4.18.70:3389 - Identified RDP |
| 35 | +[+] 10.4.18.30:3389 - Identified RDP |
| 36 | +[+] 10.4.18.76:3389 - Identified RDP |
| 37 | +[+] 10.4.18.13:3389 - Identified RDP |
| 38 | +[+] 10.4.18.91:3389 - Identified RDP |
| 39 | +[+] 10.4.18.5:3389 - Identified RDP |
| 40 | +[+] 10.4.18.47:3389 - Identified RDP |
| 41 | +[+] 10.4.18.41:3389 - Identified RDP |
| 42 | +[+] 10.4.18.105:3389 - Identified RDP |
| 43 | +[*] Scanned 44 of 256 hosts (17% complete) |
| 44 | +[*] Scanned 55 of 256 hosts (21% complete) |
| 45 | +[+] 10.4.18.118:3389 - Identified RDP |
| 46 | +[+] 10.4.18.108:3389 - Identified RDP |
| 47 | +[+] 10.4.18.139:3389 - Identified RDP |
| 48 | +[*] Scanned 94 of 256 hosts (36% complete) |
| 49 | +[*] Scanned 110 of 256 hosts (42% complete) |
| 50 | +[+] 10.4.18.157:3389 - Identified RDP |
| 51 | +[+] 10.4.18.166:3389 - Identified RDP |
| 52 | +[+] 10.4.18.164:3389 - Identified RDP |
| 53 | +[+] 10.4.18.170:3389 - Identified RDP |
| 54 | +[+] 10.4.18.185:3389 - Identified RDP |
| 55 | +[+] 10.4.18.209:3389 - Identified RDP |
| 56 | +[+] 10.4.18.188:3389 - Identified RDP |
| 57 | +[*] Scanned 156 of 256 hosts (60% complete) |
| 58 | +[+] 10.4.18.237:3389 - Identified RDP |
| 59 | +[+] 10.4.18.225:3389 - Identified RDP |
| 60 | +[*] Scanned 186 of 256 hosts (72% complete) |
| 61 | +[*] Scanned 194 of 256 hosts (75% complete) |
| 62 | +[*] Scanned 208 of 256 hosts (81% complete) |
| 63 | +[*] Scanned 253 of 256 hosts (98% complete) |
| 64 | +[*] Scanned 256 of 256 hosts (100% complete) |
| 65 | +[*] Auxiliary module execution completed |
| 66 | +``` |
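Review bot: step 2 of Verification Steps reads `set [RHOSTS]`, which drops the option name and brackets the wrong token; it should read `set RHOSTS [targets]`, with the bracketed part being the host list the reader substitutes. In Options, the three bold entries (TLS, CredSSP, EarlyUser) sit on consecutive lines with no list markers or blank lines between them, so Markdown will render them as one run-on paragraph; make them a bullet list, and state each option's default, since the paragraph above says these settings change which security protocols go into the negotiation request. The Scenarios transcript opens at `run` without showing the RHOSTS value behind the 256 scanned hosts, so adding that `set` line would make the example reproducible.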