BlueTeam, CredSSP, Information Security, Nmap, RDP, Windows

Using Nmap to extract Windows host and domain information via RDP

I’ve recently spent some time in various code bases working on Windows RDP related discovery. This post is going to talk about using a new Nmap script, rdp-ntlm-info.nse, against RDP services to discover the target’s hostname, domain name, DNS name, and version.

3389/tcp open     ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: W2016
|   NetBIOS_Domain_Name: W2016
|   NetBIOS_Computer_Name: W16GA-SRV01
|   DNS_Domain_Name: W2016.lab
|   DNS_Computer_Name: W16GA-SRV01.W2016.lab
|   DNS_Tree_Name: W2016.lab
|   Product_Version: 10.0.14393
|_  System_Time: 2019-06-13T10:38:35+00:00

This post was updated 2019.06.14 to reflect that the script had been committed to the official repo, update the usage instructions to reflect this, and include the NSEDoc link for the script.

This post was updated 2019.06.18 to indicate that users of 7.70 need updated nselib/datetime.lua as well.

Continue reading

Advertisements
BlueTeam, Information Security, RDP, TLS

Hardening Microsoft Remote Desktop Services (RDS)

As systems administrators we are often tasked with implementing countermeasures to mitigate risks that we can’t completely address. The intent of this post is to cover methods of reducing the risk presented by having Remote Desktop Services (formerly Terminal Services) available on the network.

The risks that I will cover are:

  • Man in the Middle attacks
  • Sniffing / Traffic capture
  • Brute Force Attacks
  • Information Disclosure

This post was updated 2019.05.28 to fix broken links, add commentary for Windows 2016 and Windows 2019, and add instructions for enabling CredSSP for WinXP as a client since the Microsoft link is dead.

Continue reading