
We’ve recently added some new features to rdp-sec-check, a Perl script that enumerates the security settings of an RDP service (AKA Terminal Services). The tool can be downloaded from the rdp-sec-check page.

The following new features were added to rdp-sec-check:

  • Support for targets file
  • Support for saving the tool output to a specified logfile
  • Control over the connection and responses timeouts
  • Control over the number of retries when a timeout occurs

rdp-sec-check command line help

$ rdp-sec-check.pl
Starting rdp-sec-check v0.9-beta ( https://labs.portcullis.co.uk/application/rdp-sec-check/ )
Copyright (C) 2014 Mark Lowe (mrl@portcullis-security.com)

/usr/local/bin/rdp-sec-check.pl [ options ]  ( --file hosts.txt | host | host:port )

options are:

  --file hosts.txt	targets, one ip:port per line
  --outfile out.log	output logfile
  --timeout sec		receive timeout (default 10s)
  --retries times	number of retries after timeout
  --verbose
  --debug
  --help

Example:
         /usr/local/bin/rdp-sec-check.pl 192.168.1.1
         /usr/local/bin/rdp-sec-check.pl --file hosts.txt --timeout 15 --retries 3
         /usr/local/bin/rdp-sec-check.pl --outfile rdp.log 192.168.69.69:3389
         /usr/local/bin/rdp-sec-check.pl --file hosts.txt --outfile rdp.log --verbose

Example output: A single Windows 2003 R2 RDP service scan

The following is a scan of a single machine with a 3 second timeout on connections and responses, saving the output to the file out.log:

$ ./rdp-sec-check.pl --outfile out.log --timeout 3 192.168.13.13
Starting rdp-sec-check v0.9-beta ( https://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Thu Jan 23 12:16:26 2014

[+] Scanning 1 hosts

Target:    192.168.13.13
IP:        192.168.13.13
Port:      3389

[+] Checking supported protocols

[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Supported
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Not supported - SSL_CERT_NOT_ON_SERVER
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Not supported - SSL_CERT_NOT_ON_SERVER

[+] Checking RDP Security Layer

[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE

[+] Summary of protocol support

[-] 192.168.13.13:3389 supports PROTOCOL_RDP   : TRUE
[-] 192.168.13.13:3389 supports PROTOCOL_SSL   : FALSE
[-] 192.168.13.13:3389 supports PROTOCOL_HYBRID: FALSE

[+] Summary of RDP encryption support

[-] 192.168.13.13:3389 has encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] 192.168.13.13:3389 supports ENCRYPTION_METHOD_NONE   : FALSE
[-] 192.168.13.13:3389 supports ENCRYPTION_METHOD_40BIT  : TRUE
[-] 192.168.13.13:3389 supports ENCRYPTION_METHOD_128BIT : TRUE
[-] 192.168.13.13:3389 supports ENCRYPTION_METHOD_56BIT  : TRUE
[-] 192.168.13.13:3389 supports ENCRYPTION_METHOD_FIPS   : TRUE

[+] Summary of security issues

[-] 192.168.13.13:3389 has issue FIPS_SUPPORTED_BUT_NOT_MANDATED
[-] 192.168.13.13:3389 has issue WEAK_RDP_ENCRYPTION_SUPPORTED
[-] 192.168.13.13:3389 has issue ONLY_RDP_SUPPORTED_MITM
[-] 192.168.13.13:3389 has issue NLA_NOT_SUPPORTED_DOS

rdp-sec-check v0.9-beta completed at Thu Jan 23 12:16:27 2014

Example: A fast network scan using timeouts and retries

In this example, a targets file for the network 172.18.19.0/24 is generated with a shell one-liner (written with `>` rather than `>>`, so that re-running it does not append duplicate targets):

$ for i in $(seq 1 254); do echo 172.18.19.$i; done > targets.txt

Then rdp-sec-check is fed the targets file targets.txt with a 3 second limit on connections and responses; if a connection times out, rdp-sec-check retries it 2 times before giving up. Finally, the scan log is saved in the file out.log.

$ ./rdp-sec-check.pl --file targets.txt --outfile out.log --timeout 3 --retries 2

Here the timeout and retries are tuned for a fast local network scan. When scanning machines across the Internet or a VPN, the timeout should be set higher, and the number of retries should be tuned to the stability of the targets and of the pentester’s Internet connection.

Example: An Internet scan using timeouts and retries

In this example, rdp-sec-check is run with a targets file named targets.txt, a 15 second limit on connections and responses, and up to 5 retries per timeout. Again, all output is saved in the file out.log. These settings should help rdp-sec-check succeed where network connectivity is unreliable:

$ ./rdp-sec-check.pl --file targets.txt --outfile out.log --timeout 15 --retries 5
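As an added example (not part of rdp-sec-check or of the original post), the two network scans above can be wrapped in a small POSIX shell script: it builds the targets file in the ip:port form that the --file option expects, and then reduces the "has issue" lines of the saved logfile to one line per host, so that hosts exposing RDP without NLA or with weak encryption can be picked out of a /24 sweep. The sample logfile is constructed here in the tool's summary format; the second host 192.168.13.14 is invented for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: build a targets file for a /24 and triage an rdp-sec-check
# logfile per host. Not part of rdp-sec-check; function names are our own.

# gen_targets PREFIX FILE: write PREFIX.1:3389 .. PREFIX.254:3389 to FILE.
# Uses > (truncate) so re-running never appends duplicate targets.
gen_targets() {
  : > "$2"
  i=1
  while [ "$i" -le 254 ]; do
    echo "$1.$i:3389" >> "$2"
    i=$((i + 1))
  done
}

# summarise_issues LOG: one line per host, "host:port<TAB>issue1,issue2,...",
# taken from the "[-] host:port has issue NAME" lines rdp-sec-check prints.
summarise_issues() {
  awk '/ has issue / { issues[$2] = issues[$2] ? issues[$2] "," $5 : $5 }
       END { for (h in issues) printf "%s\t%s\n", h, issues[h] }' "$1" | sort
}

# hosts_with_issue LOG ISSUE: the hosts flagged with ISSUE, e.g.
# NLA_NOT_SUPPORTED_DOS (no NLA) or WEAK_RDP_ENCRYPTION_SUPPORTED.
hosts_with_issue() {
  awk -v want="$2" '/ has issue / && $5 == want { print $2 }' "$1" | sort -u
}

# make_sample_log FILE: constructed sample in the tool's summary format
# (the 192.168.13.14 entry is invented for this example).
make_sample_log() {
  cat > "$1" <<'EOF'
[+] Summary of security issues

[-] 192.168.13.13:3389 has issue FIPS_SUPPORTED_BUT_NOT_MANDATED
[-] 192.168.13.13:3389 has issue WEAK_RDP_ENCRYPTION_SUPPORTED
[-] 192.168.13.13:3389 has issue ONLY_RDP_SUPPORTED_MITM
[-] 192.168.13.13:3389 has issue NLA_NOT_SUPPORTED_DOS
[-] 192.168.13.14:3389 has issue FIPS_SUPPORTED_BUT_NOT_MANDATED
EOF
}

# Usage against a real scan would be:
#   gen_targets 172.18.19 targets.txt
#   ./rdp-sec-check.pl --file targets.txt --outfile out.log --timeout 3 --retries 2
#   summarise_issues out.log
#   hosts_with_issue out.log NLA_NOT_SUPPORTED_DOS
# Here we run the triage over the constructed sample instead.
sample=$(mktemp)
make_sample_log "$sample"
summarise_issues "$sample"
echo "--- hosts without NLA:"
hosts_with_issue "$sample" NLA_NOT_SUPPORTED_DOS
rm -f "$sample"
```

The summary functions only depend on the "[-] host:port has issue NAME" line format shown in the output above, so they work unchanged on a multi-host out.log produced with --file; the list of hosts lacking NLA is the one to prioritise, since those accept unauthenticated session setup.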
