
Add a remote desktop protocol (RDP) scanner #8734

Merged
merged 5 commits into from
Jul 19, 2017

Conversation

jhart-r7
Contributor

@jhart-r7 jhart-r7 commented Jul 17, 2017

This adds a simple RDP scanner to metasploit. It sends the first in a series of packets necessary to establish an RDP connection and simply confirms whether the target endpoint is RDP or not.

Verification

  • Start msfconsole
  • use modules/auxiliary/scanner/rdp/rdp_scanner.rb
  • set RHOSTS <some hosts without RDP>
  • run
  • Verify that no hosts have RDP identified
  • set RHOSTS <some hosts with RDP>
  • run
  • Verify that all hosts have RDP identified
  • Document the thing and how it works

@bwatters-r7 bwatters-r7 self-assigned this Jul 17, 2017
@bwatters-r7
Contributor

Windows 10 test Range Results:

Inside the range were 12 Windows 10 machines, two each of:

  • Win 10 x86 Build 1511
  • Win 10 x86 Build 1607
  • Win 10 x86 Build 1703
  • Win 10 x64 Build 1511
  • Win 10 x64 Build 1607
  • Win 10 x64 Build 1703

Each pair was identical except that one had RDP enabled and one did not.
TL;DR: I expect six matches.

msf > use auxiliary/scanner/rdp/
use auxiliary/scanner/rdp/ms12_020_check  use auxiliary/scanner/rdp/rdp_scanner     
msf > use auxiliary/scanner/rdp/rdp_scanner 
msf auxiliary(rdp_scanner) > show options

Module options (auxiliary/scanner/rdp/rdp_scanner):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CredSSP    true             yes       Whether or not to request CredSSP
   EarlyUser  false            yes       Whether to support Earlier User Authorization Result PDU
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      3389             yes       The target port (TCP)
   THREADS    1                yes       The number of concurrent threads
   TLS        true             yes       Wheter or not request TLS security

msf auxiliary(rdp_scanner) > set rhosts 192.168.134.0/24
rhosts => 192.168.134.0/24
msf auxiliary(rdp_scanner) > run

[*] Scanned  26 of 256 hosts (10% complete)
[*] Scanned  52 of 256 hosts (20% complete)
[*] Scanned  77 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[+] 192.168.134.160:3389  - Identified RDP
[+] 192.168.134.161:3389  - Identified RDP
[+] 192.168.134.162:3389  - Identified RDP
[+] 192.168.134.163:3389  - Identified RDP
[+] 192.168.134.165:3389  - Identified RDP
[*] Scanned 180 of 256 hosts (70% complete)
[+] 192.168.134.189:3389  - Identified RDP
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)

Success

@jhart-r7
Contributor Author

@bwatters-r7 one additional test that might be helpful is disabling TLS, CredSSP and EarlyUser. It is my understanding that Windows 10 will no longer respond in such a way that indicates that it is open -- I can't recall if it just RSTs the connection or if we get some error response back. IMO it is worth testing as that is sort of the point of the options: to tailor the scan to the particulars of the configuration you are hoping to identify, or be as compatible as possible by default.

@bcoles
Contributor

bcoles commented Jul 19, 2017

It's probably outside the scope of this PR, but it would be awesome if this module scraped usernames from systems which did not make use of "Do not display last username" configuration.

@bwatters-r7
Contributor

@bcoles, that would be cool, but you're right, it would probably be better to add it later. I was kind of surprised that we did not already have an RDP scanner in metasploit, so I was planning on landing this ASAP.
@jhart-r7 thanks for the quick turnaround, and you're right; I should have exercised those options a bit more.....

@bwatters-r7
Contributor

Testing 45f81f3

Win 10

msf > use auxiliary/scanner/rdp/rdp_scanner 
msf auxiliary(rdp_scanner) > set rhosts 192.168.134.0/24
rhosts => 192.168.134.0/24
msf auxiliary(rdp_scanner) > show options

Module options (auxiliary/scanner/rdp/rdp_scanner):

   Name       Current Setting   Required  Description
   ----       ---------------   --------  -----------
   CredSSP    true              yes       Whether or not to request CredSSP
   EarlyUser  false             yes       Whether to support Earlier User Authorization Result PDU
   RHOSTS     192.168.134.0/24  yes       The target address range or CIDR identifier
   RPORT      3389              yes       The target port (TCP)
   THREADS    1                 yes       The number of concurrent threads
   TLS        true              yes       Wheter or not request TLS security

msf auxiliary(rdp_scanner) > run

[*] Scanned  26 of 256 hosts (10% complete)
[*] Scanned  52 of 256 hosts (20% complete)
[*] Scanned  77 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[+] 192.168.134.163:3389  - Identified RDP
[+] 192.168.134.165:3389  - Identified RDP
[*] Scanned 180 of 256 hosts (70% complete)
[+] 192.168.134.189:3389  - Identified RDP
[+] 192.168.134.197:3389  - Identified RDP
[+] 192.168.134.198:3389  - Identified RDP
[+] 192.168.134.200:3389  - Identified RDP
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


Win 10 CredSSP and TLS disabled

msf > use auxiliary/scanner/rdp/rdp_scanner 
msf auxiliary(rdp_scanner) > set rhosts 192.168.134.0/24
rhosts => 192.168.134.0/24
msf auxiliary(rdp_scanner) > show options

Module options (auxiliary/scanner/rdp/rdp_scanner):

   Name       Current Setting   Required  Description
   ----       ---------------   --------  -----------
   CredSSP    true              yes       Whether or not to request CredSSP
   EarlyUser  false             yes       Whether to support Earlier User Authorization Result PDU
   RHOSTS     192.168.134.0/24  yes       The target address range or CIDR identifier
   RPORT      3389              yes       The target port (TCP)
   THREADS    1                 yes       The number of concurrent threads
   TLS        true              yes       Wheter or not request TLS security

msf auxiliary(rdp_scanner) > run

[*] Scanned  26 of 256 hosts (10% complete)
[*] Scanned  52 of 256 hosts (20% complete)
[*] Scanned  77 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[+] 192.168.134.163:3389  - Identified RDP
[+] 192.168.134.165:3389  - Identified RDP
[*] Scanned 180 of 256 hosts (70% complete)
[+] 192.168.134.189:3389  - Identified RDP
[+] 192.168.134.197:3389  - Identified RDP
[+] 192.168.134.198:3389  - Identified RDP
[+] 192.168.134.200:3389  - Identified RDP
[*] Scanned 205 of 256 hosts (80% complete)

Win7x64 SP0

Remote Access with NLA Enabled

msf > use auxiliary/scanner/rdp/rdp_scanner 
msf auxiliary(rdp_scanner) > set rhosts 192.168.134.133
rhosts => 192.168.134.133
msf auxiliary(rdp_scanner) > run

[+] 192.168.134.133:3389  - Identified RDP
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(rdp_scanner) > set TLS false
TLS => false
msf auxiliary(rdp_scanner) > run

[+] 192.168.134.133:3389  - Identified RDP
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(rdp_scanner) > set CredSSP false
CredSSP => false
msf auxiliary(rdp_scanner) > run

Changed Remote Access to not require NLA

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(rdp_scanner) > run

[+] 192.168.134.133:3389  - Identified RDP
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(rdp_scanner) > 
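
The packet the PR description says the module sends (the first in the RDP connection sequence) and the replies exercised by the option tests above (TLS and CredSSP off against a host that requires NLA), as an added example in Ruby that is not the rdp_scanner module's own code. It follows the public MS-RDPBCGR framing (TPKT, X.224 Connection Request, RDP negotiation structures); the constant and function names, the constructed sample replies and the choice to report a negotiation failure as a live RDP listener rather than silence are this example's own (the Win7 test above shows the module identifying nothing in the NLA-required, CredSSP-disabled case).

```ruby
# Added example (not the rdp_scanner module's own code): build the X.224
# Connection Request that opens an RDP connection and classify what comes back,
# following the public MS-RDPBCGR framing (TPKT + X.224 + RDP negotiation).

# requestedProtocols flags (MS-RDPBCGR 2.2.1.1.1). The module's TLS, CredSSP and
# EarlyUser options map onto PROTOCOL_SSL, PROTOCOL_HYBRID and PROTOCOL_HYBRID_EX.
PROTOCOL_RDP       = 0x00000000
PROTOCOL_SSL       = 0x00000001
PROTOCOL_HYBRID    = 0x00000002
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ     = 0x01
TYPE_RDP_NEG_RSP     = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
  0x01 => 'SSL_REQUIRED_BY_SERVER',
  0x02 => 'SSL_NOT_ALLOWED_BY_SERVER',
  0x03 => 'SSL_CERT_NOT_ON_SERVER',
  0x04 => 'INCONSISTENT_FLAGS',
  0x05 => 'HYBRID_REQUIRED_BY_SERVER',
  0x06 => 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER'
}.freeze

# Turn the three boolean module options into the requestedProtocols bitmask.
def requested_protocols(tls:, credssp:, early_user:)
  flags = PROTOCOL_RDP
  flags |= PROTOCOL_SSL       if tls
  flags |= PROTOCOL_HYBRID    if credssp
  flags |= PROTOCOL_HYBRID_EX if early_user # only meaningful together with HYBRID
  flags
end

# TPKT header, X.224 Connection Request TPDU, RDP_NEG_REQ. With the module's
# defaults (TLS and CredSSP on, EarlyUser off) this is the 19-byte probe
# 03 00 00 13 0e e0 00 00 00 00 00 01 00 08 00 03 00 00 00.
def build_connection_request(tls: true, credssp: true, early_user: false)
  neg_req = [TYPE_RDP_NEG_REQ, 0x00, 8,
             requested_protocols(tls: tls, credssp: credssp, early_user: early_user)].pack('CCvV')
  # CR/CDT code 0xE0, DST-REF, SRC-REF, class option, then the negotiation request
  x224_body = [0xE0, 0, 0, 0].pack('CnnC') + neg_req
  x224 = [x224_body.bytesize].pack('C') + x224_body  # LI counts the bytes after itself
  [3, 0, 4 + x224.bytesize].pack('CCn') + x224         # TPKT: version 3, reserved, total length
end

# Classify a server reply. Only a TPKT-framed X.224 Connection Confirm counts as RDP.
# A Connection Confirm with no negotiation structure is a legacy server offering
# Standard RDP Security only; RDP_NEG_FAILURE is still an RDP listener, just one that
# rejected the requested protocol set (HYBRID_REQUIRED_BY_SERVER is what the spec
# defines for a server enforcing NLA when the client did not offer CredSSP).
def classify_response(data)
  return { rdp: false, reason: 'no data' } if data.nil? || data.empty?
  return { rdp: false, reason: 'too short for an X.224 Connection Confirm' } if data.bytesize < 11
  version, _reserved, tpkt_len = data.unpack('CCn')
  return { rdp: false, reason: 'not TPKT' } unless version == 3 && tpkt_len == data.bytesize
  li, code = data.byteslice(4, 2).unpack('CC')
  return { rdp: false, reason: 'not an X.224 Connection Confirm' } unless (code & 0xF0) == 0xD0
  return { rdp: false, reason: 'bad X.224 length indicator' } unless li == data.bytesize - 5
  payload = data.byteslice(11, data.bytesize - 11)
  return { rdp: true, negotiation: :none, selected_protocol: PROTOCOL_RDP } if payload.empty?
  return { rdp: false, reason: 'truncated negotiation structure' } if payload.bytesize < 8
  type, flags, len, value = payload.unpack('CCvV')
  return { rdp: false, reason: 'bad negotiation length' } unless len == 8
  case type
  when TYPE_RDP_NEG_RSP
    { rdp: true, negotiation: :response, flags: flags, selected_protocol: value }
  when TYPE_RDP_NEG_FAILURE
    { rdp: true, negotiation: :failure, failure_code: value,
      failure: FAILURE_CODES.fetch(value, 'UNKNOWN') }
  else
    { rdp: false, reason: "unexpected negotiation type #{type}" }
  end
end

# Constructed sample replies (not captures from any host in this thread)
SAMPLE_REPLIES = {
  nla_server:    ['030000130ed000001234000201080002000000'].pack('H*'), # RDP_NEG_RSP, HYBRID selected
  nla_required:  ['030000130ed000001234000300080005000000'].pack('H*'), # RDP_NEG_FAILURE, code 5
  legacy_server: ['0300000b06d00000123400'].pack('H*'),                 # CC with no negotiation
  web_server:    "HTTP/1.1 400 Bad Request\r\n\r\n"                      # something else on 3389
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts build_connection_request.unpack('H*').first
  SAMPLE_REPLIES.each { |name, bytes| puts "#{name}: #{classify_response(bytes).inspect}" }
end
```

Reporting the failure code separately is the design point: from a hardening view, a host answering HYBRID_REQUIRED_BY_SERVER to a plain-RDP probe is good news (NLA is enforced), and it is a different finding from a port that is closed or running something other than RDP. A scanner that only keys on RDP_NEG_RSP folds both into "not identified", which is what the option tests on this page show.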

@bwatters-r7 bwatters-r7 merged commit 45f81f3 into rapid7:master Jul 19, 2017
bwatters-r7 added a commit that referenced this pull request Jul 19, 2017
@bwatters-r7
Contributor

bwatters-r7 commented Jul 19, 2017

Release Notes

The ability to enumerate Remote Desktop Protocol services has been added, with support for varying levels of authentication.

@jhart-r7
Contributor Author

Thanks for the testing and feedback, @bwatters-r7 and @bcoles. There is definitely a lot of room for future improvement with regards to RDP coverage in Metasploit. This is just a start :)

@alrosenthal-r7 alrosenthal-r7 added the rn-enhancement release notes enhancement label Jul 31, 2017