rdpscan - A Quick Scanner For The CVE-2019-0708 BlueKeep Vulnerability


This is a quick-and-dirty scanner for the CVE-2019-0708 vulnerability in Microsoft Remote Desktop. Right now, there are about 900,000 machines on the public Internet vulnerable to this vulnerability, so many are expecting a worm soon like WannaCry and notPetya. Therefore, scan your networks and patch (or at least, enable NLA) on vulnerable systems.
This is a command-line tool. You can download the source and compile it yourself, or you can download one of the pre-compiled binaries for Windows or macOS from the link above.
This tool is based exclusively on the rdesktop patch from https://github.com/zerosum0x0/CVE-2019-0708.

Primary use
To scan a network, run it like the following:
rdpscan 192.168.1.1-192.168.1.255
This produces one of 3 results for each address:
  • SAFE - if the target has been determined to be patched, or at least to require CredSSP/NLA
  • VULNERABLE - if the target has been confirmed to be vulnerable
  • UNKNOWN - if the target doesn't respond or has some protocol failure
When nothing exists at a target IP address, the older versions printed the message "UNKNOWN - connection timed out". When scanning large networks, this produces an overload of too much information about systems you don't care about. Therefore, the new version by default doesn't produce this information unless you add -v (for verbose) on the command-line.
You can increase the speed at which it scans large networks by increasing the number of workers:
rdpscan --workers 10000 10.0.0.0/8
However, on my computer, it only produces about 1500 workers, because of system limitations, no matter how high I configure this parameter.
You can increase the speed even more by using this in conjunction with masscan, described in the section below.

Interpreting the results
There are 3 general responses:
  • SAFE - which means the target is probably patched or otherwise not vulnerable to the bug.
  • VULNERABLE - which means we've confirmed the target is vulnerable to this bug, and that when the worm hits, it will likely get infected.
  • UNKNOWN - means we can't confirm either way, usually because the target doesn't respond or isn't running RDP, which is the vast majority of responses. Also, when targets are out of resources or experiencing network problems, we'll get a lot of these. Finally, protocol errors are responsible for a lot.
While the 3 primary responses are SAFE, VULNERABLE, and UNKNOWN, they contain additional text explaining the diagnosis. This section describes the various strings you'll see.

SAFE
There are 3 primary reasons we think a target is safe:
  • SAFE - Target appears patched This happens when the target doesn't respond to the triggering request. This means it's a Windows system that's been patched, or a system that wasn't vulnerable to begin with, like Windows 10 or Unix.
  • SAFE - CredSSP/NLA required This means that the target first requires Network Level Authentication before the RDP connection can be established. The tool cannot pass this point without legitimate credentials, so cannot determine whether the target has been patched. However, hackers can't get past this point to exploit vulnerable systems, either, so you are probably "safe". However, when exploits appear, insiders with valid usernames/passwords will be able to exploit the system if it's un-patched.
  • SAFE - not RDP This means the system is not RDP, but has another service that happens to use this same port, and produces a response that's clearly not RDP. Common examples are HTTP and SSH. Note however that instead of an identifiable protocol, a server may respond with a RST or FIN packet. These are identified as UNKNOWN instead of SAFE.

VULNERABLE
This means we've confirmed the system is vulnerable to the bug.
  • VULNERABLE - got appid There is only one response when the system is vulnerable, this one.

UNKNOWN
There are a zillion variations for unknown:
  • UNKNOWN - no connection - timeout This is by far the most common response, and happens when the target IP address makes no response whatsoever. In fact, it's so common that when scanning large ranges of addresses, it's usually omitted. You have to add the -v (verbose) flag in order to enable it.
  • UNKNOWN - no connection - refused (RST) This is by far the second most common response, and happens when the target exists and responds to network traffic, but isn't running RDP, so refuses the connection with a TCP RST packet.
  • UNKNOWN - RDP protocol error - receive timeout This is the 3rd most common response, and happens when we've successfully established an RDP connection, but then the server stops responding to us. This is due to network errors and to the target system being overloaded for some reason. It could also be network errors on this end, such as when you are behind a NAT and overloading it with too many connections.
  • UNKNOWN - no connection - connection closed This means we've established a connection (TCP SYN-ACK), but then the connection is immediately closed (with a RST or FIN). There are many reasons this happens, which we cannot distinguish:
    • It's running RDP, but for some reason closes the connection, perhaps because it's out of resources.
    • It's not RDP, and doesn't like the RDP request we send it, so instead of sending us a nice error message (which would trigger SAFE - not RDP), it abruptly closes the connection.
    • Some intervening device, like an IPS, firewall, or NAT, closed the connection because it identified this as hostile, or ran out of resources.
    • Some other reason I haven't identified; there's a lot of weird stuff happening when I scan the Internet.
  • UNKNOWN - no connection - host unreachable (ICMP error) The remote network reports the host cannot be reached or is not running. Try again later if you think that host should be alive.
  • UNKNOWN - no connection - network unreachable (ICMP error) There is a (transient) network error on the far end; try again later if you believe that network should be running.
  • UNKNOWN - RDP protocol error This means some corruption happened in the RDP protocol, either because the remote side implements it wrong (not a Windows system), because it's handling a transient network error badly, or something else.
  • UNKNOWN - SSL protocol error Since Windows Vista, RDP uses the STARTTLS protocol to run over SSL. This layer has its own problems like the above, which include handling underlying network errors badly, or trying to communicate with systems that have some sort of incompatibility. If you get a really long error message here (like SSL3_GET_RECORD:wrong version), it's because the other side has a bug in SSL, or the SSL library that you are using has a bug.

Using amongst masscan
This rdpscan tool is fairly slow, only scanning a few hundred targets per second. You can instead use masscan to speed things up. The masscan tool is roughly 1000 times faster, but only gives limited information on the target.
The steps are:
  • First scan the address ranges with masscan to quickly find hosts that respond on port 3389 (or whatever port you use).
  • Second, feed the output of masscan into rdpscan, so it only has to scan targets we know are active.
The simple way to run this is just to combine them on the command-line:
masscan 10.0.0.0/8 -p3389 | rdpscan --file -
The way I do it is in 2 steps:
masscan 10.0.0.0/8 -p3389 > ips.txt
rdpscan --file ips.txt --workers 10000 >results.txt

Building
The hard part is getting the OpenSSL libraries installed, and not conflicting with other versions on the system. Some examples for versions of Linux I've tested on are the following, but they keep changing package names from one distribution to the next. Also, there are many options for an OpenSSL-compatible API, such as BoringSSL and LibreSSL.
$ sudo apt install libssl-dev
$ sudo yum install openssl-devel
Once you've solved that problem, you just compile all the .c files together like this:
$ gcc *.c -lssl -lcrypto -o rdpscan
I've put a Makefile in the directory that does this, so you can probably do just:
$ make
The code is written in C, so it needs a C compiler installed, such as by doing the following:
$ sudo apt install build-essential

Common construct errors
This section describes the more obvious build errors.
ssl.h:24:25: fatal error: openssl/rc4.h: No such file or directory
This means you either don't have the OpenSSL headers installed, or they aren't in a path somewhere. Remember that even if you have OpenSSL binaries installed, this doesn't mean you've got the development stuff installed. You need both the headers and libraries installed.
To install these things on Debian, do:
$ sudo apt install libssl-dev
To fix the path issue, add a compilation flag -I/usr/local/include, or something similar.
An example linker problem is the following:
Undefined symbols for architecture x86_64:
  "_OPENSSL_init_ssl", referenced from:
      _tcp_tls_connect in tcp-fac73c.o
  "_RSA_get0_key", referenced from:
      _rdssl_rkey_get_exp_mod in ssl-d5fdf5.o
  "_SSL_CTX_set_options", referenced from:
      _tcp_tls_connect in tcp-fac73c.o
  "_X509_get_X509_PUBKEY", referenced from:
      _rdssl_cert_to_rkey in ssl-d5fdf5.o
I get this on macOS because there are multiple versions of OpenSSL. I fix this by hard-coding the paths:
$ gcc *.c -lssl -lcrypto -I/usr/local/include -L/usr/local/lib -o rdpscan
According to comments by others, the following command-line might work on macOS if you've used Homebrew to install things. I still get the linking errors above, though, because I've installed other OpenSSL components that are conflicting.
gcc $(brew --prefix)/opt/openssl/lib/libssl.a $(brew --prefix)/opt/openssl/lib/libcrypto.a -o rdpscan *.c

Running
The section above gives quickstart tips for running the program. This section gives more in-depth help.
To scan a single target, just pass the address of the target:
./rdpscan 192.168.10.101
You can pass in IPv6 addresses and DNS names. You can pass in multiple targets. An example of this would be:
./rdpscan 192.168.10.101 exchange.example.com 2001:0db8:85a3::1
You can also scan ranges of addresses, using either begin-end IPv4 addresses, or IPv4 CIDR spec. IPv6 ranges aren't supported because they are so big.
./rdpscan 10.0.0.1-10.0.0.25 192.168.0.0/16
By default, it scans only 100 targets at a time. You can increase this number with the --workers parameter. However, no matter how high you set this parameter, in practice you'll get a max of around 500 to 1500 workers running at once, depending upon your system.
./rdpscan --workers 1000 10.0.0.0/24
Instead of specifying targets on the command-line, you can load them from a file, using the well-named --file parameter:
./rdpscan --file ips.txt
The format of the file is one address, name, or range per line. It can also consume the text generated by masscan. Extra whitespace is trimmed, blank lines are ignored, and any comment lines are ignored. A comment is a line starting with the # character, or // characters.
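Here is an added example (written for this page, not rdpscan's own code) of a reader that applies the --file rules just described: whitespace is trimmed, blank and # / // comment lines are skipped, masscan's default "Discovered open port ... on <ip>" stdout lines are accepted, and begin-end and CIDR IPv4 ranges are expanded as the Running section describes them. The sample file at the bottom is constructed. How rdpscan parses the file internally is not shown on the page, so this is an independent reimplementation of the documented behaviour, not the tool's parser.

```python
"""Reader for rdpscan-style target files (added example; not rdpscan's own code)."""
import ipaddress
import re
from typing import Iterator, List, Optional

# masscan's default stdout line, e.g. "Discovered open port 3389/tcp on 10.0.0.5"
MASSCAN_RE = re.compile(r"Discovered open port \d+/\w+ on (\S+)")


def _ipv4_or_none(text: str) -> Optional[ipaddress.IPv4Address]:
    """Parse text as an IPv4 address, or return None if it is not one."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def expand_target(token: str) -> Iterator[str]:
    """Yield the individual targets one token stands for.

    Handles IPv4 CIDR (192.168.0.0/16) and begin-end IPv4 ranges
    (10.0.0.1-10.0.0.25). Single addresses (v4 or v6) and DNS names pass
    through unchanged. IPv6 ranges are rejected, matching the README's
    statement that rdpscan does not support them.
    """
    if "/" in token:
        net = ipaddress.ip_network(token, strict=False)
        if net.version != 4:
            raise ValueError(f"IPv6 ranges are not supported: {token}")
        for addr in net:
            yield str(addr)
        return
    if "-" in token:
        begin_s, end_s = token.split("-", 1)
        begin, end = _ipv4_or_none(begin_s), _ipv4_or_none(end_s)
        if begin is not None and end is not None:
            if end < begin:
                raise ValueError(f"range end precedes begin: {token}")
            for i in range(int(begin), int(end) + 1):
                yield str(ipaddress.IPv4Address(i))
            return
    # a single address, or a DNS name (which may itself contain hyphens)
    yield token


def parse_target_file(text: str) -> List[str]:
    """Turn file contents into a flat, de-duplicated, ordered target list.

    Rules from the README: whitespace is trimmed, blank lines are skipped,
    lines starting with '#' or '//' are comments, and masscan's text output
    may be pasted in directly.
    """
    seen = set()
    targets: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("//"):
            continue
        m = MASSCAN_RE.search(line)
        token = m.group(1) if m else line
        for target in expand_target(token):
            if target not in seen:
                seen.add(target)
                targets.append(target)
    return targets


# Constructed sample input covering every documented line type.
SAMPLE_FILE = """\
# constructed sample target list
10.0.0.1-10.0.0.3
   192.168.1.0/30
exchange.example.com
2001:0db8:85a3::1

// masscan output pasted in directly:
Discovered open port 3389/tcp on 10.0.0.2
Discovered open port 3389/tcp on 172.16.5.9
"""

if __name__ == "__main__":
    for t in parse_target_file(SAMPLE_FILE):
        print(t)
```

Duplicates are dropped (10.0.0.2 appears both in the range and in a masscan line) so a host is not scanned twice when masscan output and hand-written ranges are mixed in one file.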
The output is sent to stdout giving the status of VULNERABLE, SAFE, or UNKNOWN. There could be additional reasons for each. These reasons are described above.
211.101.37.250 - SAFE - CredSSP/NLA required
185.11.124.79 - SAFE - not RDP - SSH response seen
125.121.137.42 - UNKNOWN - no connection - refused (RST)
40.117.191.215 - SAFE - CredSSP/NLA required
121.204.186.182 - SAFE - CredSSP/NLA required
99.8.11.148 - SAFE - CredSSP/NLA required
121.204.186.114 - SAFE - CredSSP/NLA required
49.50.145.236 - SAFE - CredSSP/NLA required
106.12.74.155 - VULNERABLE - got appid
222.84.253.26 - SAFE - CredSSP/NLA required
144.35.133.109 - UNKNOWN - RDP protocol error - receive timeout
199.212.226.196 - UNKNOWN - RDP protocol error - receive timeout
183.134.58.152 - UNKNOWN - no connection - refused (RST)
83.162.246.149 - VULNERABLE - got appid
You can process this with additional unix commands like grep and cut. To get a list of just the vulnerable machines:
./rdpscan 10.0.0.0/8 | grep 'VULN' | cut -f1 -d'-'
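As an added example (not from rdpscan or its author), the following script does the same triage the grep/cut pipeline does, but more completely: it parses rdpscan's "<address> - <STATUS> - <reason>" output lines, counts results per status and per reason string, separates the confirmed-vulnerable hosts that need patching from the hosts that are only reported SAFE because NLA is required (which, as the Interpreting section notes, may still be unpatched), and ignores any stray diagnostic lines that ended up on stdout. The sample output is constructed with RFC 5737 documentation addresses; the line shape is assumed from the examples on this page.

```python
"""Summarise rdpscan stdout (added example; not rdpscan's own code)."""
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional

# "<address> - <STATUS> - <reason>"; the address column may be padded with spaces,
# and the reason may itself contain further " - " separated detail.
LINE_RE = re.compile(r"^(\S+)\s+-\s+(SAFE|VULNERABLE|UNKNOWN)(?:\s+-\s+(.*))?$")


class Result(NamedTuple):
    address: str
    status: str
    reason: str


class Summary(NamedTuple):
    by_status: Counter
    by_reason: Counter
    vulnerable: List[str]  # confirmed vulnerable: patch these first
    nla_only: List[str]    # protected by NLA, but patch state is unknown


def parse_result_line(line: str) -> Optional[Result]:
    """Parse one stdout line; return None for anything that is not a result
    (for example a "[+] ..." diagnostic line that was not sent to stderr)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    address, status, reason = m.groups()
    return Result(address, status, (reason or "").strip())


def summarize(lines: Iterable[str]) -> Summary:
    """Aggregate rdpscan output lines into per-status and per-reason counts
    plus the two host lists a defender acts on."""
    results = [r for r in map(parse_result_line, lines) if r is not None]
    by_status = Counter(r.status for r in results)
    by_reason = Counter(f"{r.status} - {r.reason}" for r in results)
    vulnerable = sorted({r.address for r in results if r.status == "VULNERABLE"})
    nla_only = sorted({r.address for r in results
                       if r.status == "SAFE" and r.reason.startswith("CredSSP/NLA")})
    return Summary(by_status, by_reason, vulnerable, nla_only)


# Constructed sample output (RFC 5737 addresses); one diagnostic line is mixed in.
SAMPLE_OUTPUT = """\
192.0.2.10 - SAFE - CredSSP/NLA required
192.0.2.11 - SAFE - not RDP - SSH response seen
192.0.2.12 - UNKNOWN - no connection - refused (RST)
192.0.2.13 - SAFE - CredSSP/NLA required
192.0.2.14 - VULNERABLE - got appid
192.0.2.15 - UNKNOWN - RDP protocol error - receive timeout
192.0.2.16    - SAFE - Target appears patched
192.0.2.17 - VULNERABLE - got appid
[+] [192.0.2.18]:3389 - connecting...
192.0.2.18 - UNKNOWN - no connection - timeout
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_OUTPUT.splitlines())
    for status, n in sorted(s.by_status.items()):
        print(f"{status:<10} {n}")
    for reason, n in s.by_reason.most_common():
        print(f"  {n:>3}  {reason}")
    print("patch now:", ", ".join(s.vulnerable))
    print("check patch level via NLA hosts:", ", ".join(s.nla_only))
```

Run it as `./rdpscan --file ips.txt 2>/dev/null | python3 summarize.py` after replacing the constructed sample with `sys.stdin`; keeping stderr separated, as the diagnostics section recommends, is what makes the parser's "ignore non-result lines" path rarely needed.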
The parameter -dddd means diagnostic information, where the more d's you add, the more details are printed. This is sent to stderr instead of stdout so that you can separate the streams. Using bash this is done like this:
./rdpscan --file myips.txt -ddd 2> diag.txt 1> results.txt

Diagnostic info
Adding the -d parameter dumps diagnostic information on the connections to stderr.
./rdpscan 62.15.34.157 -d
[+] [62.15.34.157]:3389 - connecting...
[+] [62.15.34.157]:3389 - connected from [10.1.10.133]:49211
[+] [62.15.34.157]:3389 - SSL connection
[+] [62.15.34.157]:3389 - version = v4.8
[+] [62.15.34.157]:3389 - Sending MS_T120 check packet
[-] [62.15.34.157]:3389 - Max sends reached, waiting...
62.15.34.157    - SAFE - Target appears patched
On macOS/Linux, you can redirect stdout and stderr separately to different files in the normal manner:
./rdpscan --file ips.txt 2> diag.txt 1> results.txt

SOCKS5 and Tor lulz
So it includes SOCKS5 support:
./rdpscan --file ips.txt --socks5 localhost --socks5port 9050
It makes connection problems worse, so you get a lot more "UNKNOWN" results.

Statically link OpenSSL
For releasing the Windows and macOS binaries attached as releases to this project I statically link OpenSSL, so that it doesn't need to be included separately, and the programs just work. This section describes some notes on how to do this, especially since the description on OpenSSL's own page seems to be out of date.
Both these steps start with downloading the OpenSSL source and putting it next to the rdpscan directory:
git clone https://github.com/openssl/openssl

Windows
For Windows, you need to first install some version of Perl. I use the one from ActiveState.
Next, you'll need a special "assembler". I use the recommended one called NASM.
Next, you'll need a compiler. I use VisualStudio 2010. You can download the latest "Visual Studio Community Edition" (which is 2019) instead from Microsoft.
Now you need to build the makefile. This is done by going into the OpenSSL directory and running the Configure Perl program:
perl Configure VC-WIN32
I chose 32-bit for Windows because there's a lot of old Windows out there, and I want to make the program as compatible as possible with old versions.
I want a completely static build, including the C runtime. To do that, I opened the resulting makefile in an editor, and changed the C compilation flag from /MD (meaning use DLLs) to /MT. While I was there, I added the following to the CPPFLAGS: -D_WIN32_WINNT=0x501, which limits OpenSSL to features that work back on Windows XP and Server 2003. Otherwise, you get errors that bcrypt.dll was not found if you run on those older systems.
Now you'll need to make sure everything is in your path. I copied nasm.exe to a directory in the PATH. For Visual Studio 2010, I ran the program vcvars32.bat to set up the path variables for the compiler.
At this point on the command-line, I typed:
nmake
This makes the libraries. The static ones are libssl_static.lib and libcrypto_static.lib, which I use to link to in rdpscan.

macOS
First of all, you need to install a compiler. I use the Developer Tools from Apple, installing XCode and the compiler. I think you can use Homebrew to install gcc instead.
Then go into the source directory for OpenSSL and create a makefile:
perl Configure darwin64-x86_64-cc
Now just make it:
make depend
make
At this point, it's created both dynamic (.dylib) and static (.lib) libraries. I deleted the dynamic libraries so that it'll pick the static ones by default.
Now in rdpscan, just build with the macOS makefile:
make -f Makefile.macos
This will compile all the rdpscan source files, then link to the OpenSSL libraries in the directory ../openssl that you just built.
This should produce a 3-megabyte executable. If you instead only got a 200-kilobyte executable, then you made a mistake and linked to the dynamic libraries instead.