BlueTeam, CredSSP, Information Security, Nmap, RDP, Windows

Using Nmap to extract Windows host and domain information via RDP

I’ve recently spent some time in various code bases working on Windows RDP related discovery. This post is going to talk about using a new Nmap script, rdp-ntlm-info.nse, against RDP services to discover the target’s hostname, domain name, DNS name, and version.

3389/tcp open     ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: W2016
|   NetBIOS_Domain_Name: W2016
|   NetBIOS_Computer_Name: W16GA-SRV01
|   DNS_Domain_Name: W2016.lab
|   DNS_Computer_Name: W16GA-SRV01.W2016.lab
|   DNS_Tree_Name: W2016.lab
|   Product_Version: 10.0.14393
|_  System_Time: 2019-06-13T10:38:35+00:00

This post was updated 2019.06.14 to reflect that the script had been committed to the official repo, update the usage instructions to reflect this, and include the NSEDoc link for the script.

This post was updated 2019.06.18 to indicate that users of 7.70 need updated nselib/datetime.lua as well.

Before you get started

The new script has been committed to the Nmap SVN repository which is also mirrored in GitHub. Until a new version of Nmap is released you will have two options for using the script.

The first option is to just copy the script into your existing Nmap installation. For the best results you will need a modern version of Nmap. I recommend the latest version which is 7.70 released in March 2018. The easiest way to get the required files is likely downloading them from GitHub.

  1. Copy rdp-ntlm-info.nse to the scripts directory of your Nmap installation.
  2. Copy rdp.lua to the nselib directory of your Nmap installation.
  3. Copy datetime.lua to the nselib directory of your Nmap installation.

The second option is to build from GitHub or the authoritative Subversion repo [3].  This takes a bit more work but you also end up with the other new features and bug fixes that have happened since the last release.

Basic Usage

This script is actually pretty straightforward as it doesn’t require any additional arguments. You can see information about the script’s usage in NSEDoc.

sudo nmap -p 3389 --script rdp-ntlm-info target_ip
3389/tcp open  ms-wbt-server
| rdp-ntlm-info: 
|   Target_Name: W19GA-SRV01
|   NetBIOS_Domain_Name: W19GA-SRV01
|   NetBIOS_Computer_Name: W19GA-SRV01
|   DNS_Domain_Name: W19GA-SRV01
|   DNS_Computer_Name: W19GA-SRV01
|   Product_Version: 10.0.17763
|_  System_Time: 2019-06-13T11:20:33+00:00

It is important to note that no authentication is required to gather this information and no login attempts were made. 

For consistency’s sake I’ve kept the output in the same format as the other *-ntlm-info scripts which were written by Justin Cacak. I’ve also used his naming scheme instead of calling the script rdp-credssp-info or rdp-nla-info. This allows you to gather information on a target by running this family of scripts at the same time by using the Nmap argument –script *-ntlm-info.

You can find out more about these other scripts by looking them up on Nmap’s NSEDoc page.

In the example below I’m running them all against a rather poorly configured Windows 2008 Service Pack 2 server in my lab.

sudo nmap -sSC --script=*-ntlm-info -p 23,25,80,3389 target_ip
PORT     STATE SERVICE
23/tcp   open  telnet
| telnet-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|_  Product_Version: 6.0.6002
25/tcp   open  smtp
| smtp-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|_  Product_Version: 6.0.6002
80/tcp   open  http
| http-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|_  Product_Version: 6.0.6002
3389/tcp open  ms-wbt-server
| rdp-ntlm-info: 
|   Target_Name: W008GA-DC01
|   NetBIOS_Domain_Name: W008GA-DC01
|   NetBIOS_Computer_Name: W008GA-DC01
|   DNS_Domain_Name: W008GA-DC01.difflab.lab
|   DNS_Computer_Name: W008GA-DC01.difflab.lab
|   Product_Version: 6.0.6002
|_  System_Time: 2019-06-13T11:50:50+00:00

You would get additional useful information by turning on service version detection using -sV.

Bonus Info: Windows 2008 configuration quirk

While testing this I discovered an interesting fact. Windows 2008 will negotiate TLS and CredSSP authentication even when explicitly configured to use the Standard RDP Security Layer.  The server in the scan output above has this RDP configuration:

RDP_Security_2008_SP2_Standard_Security

While it’s generally beneficial to be able to negotiate more secure authentication protocols this behavior was certainly unexpected.

 

Bonus Info: Using NTLM to fingerprint Microsoft Exchange

There are a variety of Windows services that support NTLM authentication but, fortunately for defenders, the services generally have NTLM disabled by default (IIS, FTP), have been deprecated in recent versions (TELNET), or should be less frequently exposed to the Internet (Microsoft SQL).

An exception to this is Microsoft Exchange. Exchange is tightly integrated with Active Directory and so is often configured to allow Windows Authentication (NTLM) with it’s various services. Since many of these are intended for use across the public Internet it makes for a useful target.

The Nmap command to do this is similar to the one above but with a couple of changes. First we’re going to add in the TLS wrapped ports for SMTP (587/tcp) and IMAP (993/tcp). You could also add POP3 (995/tcp)

We’re also going to add HTTPS (443/tcp) and tell the http-ntlm-info script to use the path for Exchange Web Services (EWS). EWS generally requires Windows Authentication and so should provide useful information.


sudo nmap -sSCV --script=*-ntlm-info --script-args http-ntlm-info.root=/ews/ -p 443,587,993 owa.viccorp.com

 


PORT STATE SERVICE VERSION
443/tcp open https Microsoft IIS
| http-ntlm-info:
| Target_Name: VICCORP
| NetBIOS_Domain_Name: VICCORP
| NetBIOS_Computer_Name: LAXDC000-CAS02
| DNS_Domain_Name: viccorp.com
| DNS_Computer_Name: LAXDC000-CAS02.viccorp.com
| DNS_Tree_Name: viccorp.com
|_ Product_Version: 6.3.9600
587/tcp open smtp Microsoft Exchange smtpd
| smtp-ntlm-info:
| Target_Name: VICCORP
| NetBIOS_Domain_Name: VICCORP
| NetBIOS_Computer_Name: LAXDC000-CAS02
| DNS_Domain_Name: viccorp.com
| DNS_Computer_Name: LAXDC000-CAS02.viccorp.com
| DNS_Tree_Name: viccorp.com
|_ Product_Version: 6.3.9600
993/tcp open ssl/imap Microsoft Exchange 2007-2010 imapd
| imap-ntlm-info:
| Target_Name: VICCORP
| NetBIOS_Domain_Name: VICCORP
| NetBIOS_Computer_Name: LAXDC000-CAS02
| DNS_Domain_Name: viccorp.com
| DNS_Computer_Name: LAXDC000-CAS02.viccorp.com
| DNS_Tree_Name: viccorp.com
|_ Product_Version: 6.3.9600

Now we know some useful information about the host and Active Directory environment. It’s always interesting to be able to get the OS version information from a remote service. In this case 6.3.9600 = Windows Server 2012 R2.

Hopefully you will find this information useful. Please don’t hesitate to reach out to me if something isn’t clear.

Good luck!

– Tom Sellers ( @TomSellers )


 

References:

    1. Nmap PR for NSE script rdp-ntlm-info.nse #1633
    2. Nmap GitHub repository
    3. Installing Nmap from Subversion
      1. Checking out the code
      2. Building Nmap
    4. Nmap NSE Documentation (NSEDoc)
    5. Nmap NSEDoc for rdp-ntlm-info

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s