
[NSE] Add rdp-ntlm-info.nse #1633

Closed
wants to merge 2 commits into from

Conversation

TomSellers

@TomSellers TomSellers commented Jun 13, 2019

This PR adds an NSE script, rdp-ntlm-info.nse, which enumerates information from remote RDP services that have CredSSP (NLA) authentication enabled. It is modeled after Justin Cacak's *-ntlm-info.nse scripts. I'm not a fan of the output format and using ntlm in the script name isn't intuitive here but I've kept them in this case in order to be consistent with his existing scripts and to enable someone to run them all using --script *-ntlm-info.

Note: No authentication is required and no logon attempts were made.

Example output

Run against a Windows 2019 server with NLA ( CredSSP ) enabled.

3389/tcp open  ms-wbt-server
| rdp-ntlm-info: 
|   Target_Name: W19GA-SRV01
|   NetBIOS_Domain_Name: W19GA-SRV01
|   NetBIOS_Computer_Name: W19GA-SRV01
|   DNS_Domain_Name: W19GA-SRV01
|   DNS_Computer_Name: W19GA-SRV01
|   Product_Version: 10.0.17763
|_  System_Time: 2019-06-13T11:20:33+00:00

Here is output that also includes output from http-ntlm-info.nse so that you can compare the results.

sudo nmap -sSCV --script=*-ntlm-info -p 80,3389 <target>

80/tcp   open     http          syn-ack ttl 128 Microsoft IIS httpd 10.0
| http-ntlm-info: 
|   Target_Name: W2016
|   NetBIOS_Domain_Name: W2016
|   NetBIOS_Computer_Name: W16GA-SRV01
|   DNS_Domain_Name: W2016.lab
|   DNS_Computer_Name: W16GA-SRV01.W2016.lab
|   DNS_Tree_Name: W2016.lab
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open     ms-wbt-server syn-ack ttl 128 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: W2016
|   NetBIOS_Domain_Name: W2016
|   NetBIOS_Computer_Name: W16GA-SRV01
|   DNS_Domain_Name: W2016.lab
|   DNS_Computer_Name: W16GA-SRV01.W2016.lab
|   DNS_Tree_Name: W2016.lab
|   Product_Version: 10.0.14393
|_  System_Time: 2019-06-13T10:38:35+00:00

Against Windows 2008 with a few more services configured to use NTLM
sudo nmap -sSC --script=*-ntlm-info -p 23,25,80,3389 <target>

PORT     STATE SERVICE
23/tcp   open  telnet
| telnet-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|_  Product_Version: 6.0.6002
25/tcp   open  smtp
| smtp-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|_  Product_Version: 6.0.6002
80/tcp   open  http
| http-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|_  Product_Version: 6.0.6002
3389/tcp open  ms-wbt-server
| rdp-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|   Product_Version: 6.0.6002
|_  System_Time: 2019-06-13T11:50:50+00:00


@dmiller-nmap dmiller-nmap left a comment


Exciting stuff! Just a couple minor change requests, and please run luacheck once more before committing to be sure it passes. Looking forward to seeing this merged!


local comm = rdp.Comm:new(host, port)
if ( not(comm:connect()) ) then
  return false, fail("Failed to connect to server")


fail is not defined, and we should just return nil here. You can use stdnse.format_output(false, "message") to output an error message in verbose/debug mode instead, if you like.

end

-- Request CredSSP protocol = 3
local cr = rdp.Request.ConnectionRequest:new(11)


What is this 11 here? The comment mentions 3 instead. Maybe these constants could be in a table in rdp.lua?

-- Continue only if NTLMSSP response is returned
local start = response:find("NTLMSSP")
response = response:sub(start)
if not string.match(response, "^NTLMSSP") then


If "NTLMSSP" is not in response, then start will be nil, which we can check instead of using string.match() here. If it is in response, then after the sub() call above, this string.match() will always be true.
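To make the three review points concrete, here is an added example in Python; it is not code from the PR, from the rdp-ntlm-info script or from Nmap's rdp.lua. It maps the RDP_NEG_REQ requestedProtocols bits as MS-RDPBCGR defines them (so the 11 passed to ConnectionRequest:new decomposes to SSL | HYBRID | HYBRID_EX, while CredSSP on its own is PROTOCOL_HYBRID, 2, and the 3 in the comment is SSL | HYBRID); it locates "NTLMSSP" in a reply and returns None when the signature is absent, rather than matching a prefix that cannot fail after the cut; and it parses the NTLM CHALLENGE message (MS-NLMP) into the fields rdp-ntlm-info prints. The CHALLENGE blob is a constructed fixture mirroring the Windows 2019 output above, the bytes in front of it merely stand in for the TSRequest framing, and the NegotiateFlags and ServerChallenge values are placeholders.

```python
"""Added example: parse the NTLMSSP CHALLENGE an NLA (CredSSP) RDP server
returns into the fields rdp-ntlm-info reports.  Not the script's own code."""
import struct
from datetime import datetime, timedelta, timezone

# RDP_NEG_REQ requestedProtocols flags (MS-RDPBCGR 2.2.1.1.1).  The script's
# ConnectionRequest:new(11) asks for SSL | HYBRID | HYBRID_EX; CredSSP on its
# own is PROTOCOL_HYBRID (2), and the 3 in the code comment is SSL | HYBRID.
PROTOCOL_RDP = 0x00
PROTOCOL_SSL = 0x01
PROTOCOL_HYBRID = 0x02       # CredSSP / NLA
PROTOCOL_RDSTLS = 0x04
PROTOCOL_HYBRID_EX = 0x08


def protocol_names(flags):
    """Decode a requestedProtocols value into the names of the bits it sets."""
    table = (("SSL", PROTOCOL_SSL), ("HYBRID", PROTOCOL_HYBRID),
             ("RDSTLS", PROTOCOL_RDSTLS), ("HYBRID_EX", PROTOCOL_HYBRID_EX))
    return [name for name, bit in table if flags & bit] or ["RDP"]


NTLMSSP_SIG = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
# AV_PAIR ids in the CHALLENGE TargetInfo block (MS-NLMP 2.2.2.1), mapped to
# the labels the *-ntlm-info scripts print.
AV_LABELS = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",
             3: "DNS_Computer_Name", 4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}
AV_EOL, AV_TIMESTAMP = 0, 7
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to the script's time format."""
    when = FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    return when.strftime("%Y-%m-%dT%H:%M:%S+00:00")


def parse_challenge(response):
    """Find NTLMSSP in a decrypted CredSSP reply and parse the CHALLENGE.
    Returns None when no NTLMSSP message is present: the reviewer's point is
    to test the find() result, not a prefix match that cannot fail after the cut."""
    start = response.find(NTLMSSP_SIG)
    if start == -1:
        return None
    msg = response[start:]
    if len(msg) < 56 or struct.unpack_from("<I", msg, 8)[0] != CHALLENGE_MESSAGE:
        return None
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    major, minor, build = struct.unpack_from("<BBH", msg, 48)  # Version
    if tn_off + tn_len > len(msg) or ti_off + ti_len > len(msg):
        return None
    info = {"Target_Name": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        value = msg[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == AV_EOL or len(value) != av_len:
            break
        if av_id in AV_LABELS:
            info[AV_LABELS[av_id]] = value.decode("utf-16-le")
        elif av_id == AV_TIMESTAMP and av_len == 8:
            info["System_Time"] = filetime_to_iso(struct.unpack("<Q", value)[0])
    info["Product_Version"] = f"{major}.{minor}.{build}"
    return info


def build_challenge(target, names, version, when):
    """Construct a CHALLENGE message as a test fixture (not a real capture)."""
    tn = target.encode("utf-16-le")
    ft = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    pairs = [(i, v.encode("utf-16-le")) for i, v in names]
    pairs.append((AV_TIMESTAMP, struct.pack("<Q", ft)))
    ti = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs)
    ti += struct.pack("<HH", AV_EOL, 0)
    major, minor, build = version
    hdr = NTLMSSP_SIG + struct.pack("<I", CHALLENGE_MESSAGE)
    hdr += struct.pack("<HHI", len(tn), len(tn), 56)           # payload starts at 56
    hdr += struct.pack("<I", 0x628A8215)                        # NegotiateFlags (placeholder)
    hdr += b"\x11" * 8 + b"\x00" * 8                            # ServerChallenge (placeholder), Reserved
    hdr += struct.pack("<HHI", len(ti), len(ti), 56 + len(tn))
    hdr += struct.pack("<BBH", major, minor, build) + b"\x00\x00\x00\x0f"  # Version
    return hdr + tn + ti


# Constructed sample mirroring the Windows 2019 output in the PR description,
# with a few arbitrary leading bytes standing in for the TSRequest framing.
SAMPLE_RESPONSE = b"\x30\x82\x01\x00\xa1" + build_challenge(
    "W19GA-SRV01",
    [(1, "W19GA-SRV01"), (2, "W19GA-SRV01"), (3, "W19GA-SRV01"), (4, "W19GA-SRV01")],
    (10, 0, 17763),
    datetime(2019, 6, 13, 11, 20, 33, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print("requestedProtocols 11 =", " | ".join(protocol_names(11)))
    for key, val in parse_challenge(SAMPLE_RESPONSE).items():
        print(f"  {key}: {val}")
```

Running the module prints the decoded protocol bits and the same field set as the script's output above. The parser checks the TargetName and TargetInfo offsets against the message length before slicing, which is the detail a Lua port of this logic should keep once the `start == nil` check is in place.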

@TomSellers
Author

Thanks for the feedback @dmiller-nmap
Barring any other feedback I'll likely commit this tomorrow.

@nmap-bot nmap-bot closed this in 19c756a Jun 14, 2019
@TomSellers TomSellers deleted the add_rdp-credssp-info branch June 14, 2019 12:10
@TomSellers
Author

TomSellers commented Jun 15, 2019 via email

@CaledoniaProject

Yes, it worked with master branch. Back then I was testing the lua script with nmap-7.70.
