GitHub Repository: nu11secur1ty/Kali-Linux
Path: blob/master/BlueKeep/cve_2019_0708_bluekeep_rce/rdp_scanner.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
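class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::RDP
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Module metadata and datastore options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Identify endpoints speaking the Remote Desktop Protocol (RDP)',
        'Description' => %q(
          This module attempts to connect to the specified Remote Desktop Protocol port
          and determines if it speaks RDP.

          When available, the Credential Security Support Provider (CredSSP) protocol will be used to identify the
          version of Windows on which the server is running. Enabling the DETECT_NLA option will cause a second
          connection to be made to the server to identify if Network Level Authentication (NLA) is required.
        ),
        'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
        'References' =>
          [
            ['URL', 'https://msdn.microsoft.com/en-us/library/cc240445.aspx']
          ],
        'License' => MSF_LICENSE
      )
    )

    register_options(
      [
        Opt::RPORT(3389),
        # DETECT_NLA costs a second connection per host (see requires_nla?).
        OptBool.new('DETECT_NLA', [true, 'Detect Network Level Authentication (NLA)', true])
      ]
    )
  end

  # Connect to the target, fingerprint it, and print what was learned.
  #
  # Connection-level failures are treated as "not RDP"; the socket is always
  # torn down in +ensure+ so a failed probe does not leak it.
  #
  # @return [Array(Boolean, String, nil)] whether the endpoint speaks RDP and,
  #   when DETECT_NLA is enabled, a "Requires NLA: Yes/No" string that run_host
  #   stores as the service info
  def check_rdp
    begin
      rdp_connect
      is_rdp, version_info = rdp_fingerprint
    rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
      return false, nil
    ensure
      rdp_disconnect
    end

    # Preserve the exact falsy value rdp_fingerprint returned for non-RDP hosts.
    return is_rdp, nil unless is_rdp

    # rdp_fingerprint may yield no version info at all (nil) or a hash without
    # :product_version. Resolve it once here: the NLA branch below previously
    # indexed version_info unconditionally and raised NoMethodError on nil.
    product_version = version_info && version_info[:product_version]
    info = "Detected RDP on #{peer} (Windows version: #{product_version || 'N/A'})"

    service_info = nil
    if datastore['DETECT_NLA']
      # The second connection is only attempted when a version was obtained,
      # matching the original gating; otherwise NLA is reported as "No".
      nla_required = !product_version.nil? && requires_nla?
      service_info = "Requires NLA: #{nla_required ? 'Yes' : 'No'}"
      info += " (#{service_info})"
    end

    print_status(info)
    return is_rdp, service_info
  end

  # Make a separate connection and negotiate the security protocol to learn
  # whether the server insists on NLA. A server that selects PROTOCOL_HYBRID or
  # PROTOCOL_HYBRID_EX requires authentication before session setup, which is
  # the posture to expect on an exposed RDP listener.
  #
  # @return [Boolean] true only when the server selected one of the hybrid
  #   (NLA) protocols; false on any connection failure or non-RDP response
  def requires_nla?
    begin
      rdp_connect
      is_rdp, server_selected_proto = rdp_check_protocol
    rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
      return false
    ensure
      rdp_disconnect
    end

    return false unless is_rdp

    [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)
  end

  # Scanner entry point, invoked once per target host.
  #
  # @param _ip [String] target address (unused; the RDP mixin reads rhost/rport)
  def run_host(_ip)
    is_rdp = false
    begin
      # NOTE(review): check_rdp opens its own connection, so this connect looks
      # redundant. Kept as-is because rdp_connect's behaviour on a repeated
      # call is not visible here — confirm against the RDP mixin.
      rdp_connect
      is_rdp, service_info = check_rdp
    rescue Rex::ConnectionError => e
      vprint_error("Error while connecting and negotiating RDP: #{e}")
      return
    ensure
      rdp_disconnect
    end
    return unless is_rdp

    report_service(
      host: rhost,
      port: rport,
      proto: 'tcp',
      name: 'RDP',
      info: service_info
    )
  end
end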