Scanning for Remote Desktop Gateways (Potentially unpatched CVE-2020-0609 and CVE-2020-0610)

The scanner has 2 modes of operation:

Check for systems vulnerable to CVE-2020-0609 on UDP 3391

Uses the vuln scan code of https://github.com/MalwareTech/RDGScanner

Disclaimer

Scanning for memory corruption vulnerabilities is dangerous and can potentially crash systems. Whilst this tool has been designed to avoid causing a crash, stability can't be 100% guaranteed. Use at your own risk and only scan systems you have permission to test.

The scanner is multithreaded and can parse files containing CIDR netmasks, but for bigger networks you might still want to use nmap to find open UDP 3391 ports before vuln scanning them. This doesn't work out of the box at the moment: you need to add 3391 to the DTLS section in nmap-payloads (usually in /usr/share/nmap; PR on the way) and scan using e.g. nmap -Pn -p 3391 -sU -oA rdg_scan_yyyymmdd 10.0.0.0/24 (needs root permissions).

Default port for vuln scanning is UDP 3391, change with --port.

Search for Remote Desktop Gateways via HTTPS on TCP 443

Not all RD gateways have UDP 3391 active or exposed on the firewall, probably because the gateway also works with HTTPS only and the admins didn't bother to read the documentation. If you also want to find those RD gateways, use the webcheck (maybe you're worried about a server with CVE-2020-0609 unpatched whose operators open UDP 3391 in 6 months because of the "better performance over high latency networks").

To scan using HTTPS, use the parameter --webcheck or -w. The default port for the webcheck is TCP 443; change it with --port.

On OpenSSL and vuln scanning

Be aware that e.g. a recent Debian/Kali ships default OpenSSL settings which prevent any program, including Python, curl, ..., from connecting to insecure SSL implementations, i.e. anything lower than TLSv1.2. This is reasonable for home banking but not for vulnerability scanning, where you also want to find that old host still using SSLv3. I didn't find any better solution than changing this in /etc/ssl/openssl.cnf. Find/insert the section [system_default_sect] and change it to:

[system_default_sect]
MinProtocol = SSLv3
CipherString = DEFAULT@SECLEVEL=1

Remember to change it back for sensitive stuff! If you know a solution that would only change these settings for a Python script, please let me know ;)

SSL errors showing up during scanning might be from IPS systems.

Usage

The scanner can parse:

  • IPs
  • CIDR notations, for example: 192.168.1.0/24
  • Hostnames
  • Routing AS, e.g. as1234
  • Plaintext files containing anything of the above, one entry per line, passed as file:netlist.txt
Example1: python3 rdg_scanner_cve-2020-0609.py 192.168.1.1/24            # vuln scan for cve-2020-0609 on UDP 3391
Example2: python3 rdg_scanner_cve-2020-0609.py 192.168.1.1/24 --webcheck # check webpage for RD gateway
Example3: python3 rdg_scanner_cve-2020-0609.py 192.168.1.1
Example4: python3 rdg_scanner_cve-2020-0609.py fakewebsiteaddress.com
Example5: python3 rdg_scanner_cve-2020-0609.py as15169
Example6: python3 rdg_scanner_cve-2020-0609.py file:hostfile.txt

usage: rdg_scanner_cve-2020-0609.py [-h] [--port PORT] [--webcheck]
                                    [--verbose]
                                    target
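The target forms listed above (IPs, CIDR ranges, hostnames, AS numbers and file: lists) can be normalised into one list of scan targets before any packet is sent. The following is an added illustration, not code from rdg_scanner_cve-2020-0609.py, and it uses the standard-library ipaddress module instead of netaddr; the hypothetical functions expand_lines and expand_target classify entries and expand CIDR ranges, while AS numbers are passed through unexpanded because mapping them to prefixes needs an external lookup this offline example does not perform.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Matches the "as1234" form used in the usage list; the digits are the AS number.
AS_RE = re.compile(r"^as(\d+)$", re.IGNORECASE)
# Conservative DNS-label syntax for hostnames (no resolution is attempted here).
HOST_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def expand_lines(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs with kind in {'ip', 'host', 'as'}.

    Blank lines and '#' comments are skipped. CIDR entries are expanded to
    every address in the network. AS entries (hypothetical handling) are
    returned unexpanded for a later prefix lookup.
    """
    targets: List[Tuple[str, str]] = []
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        m = AS_RE.match(entry)
        if m:
            targets.append(("as", m.group(1)))
            continue
        try:
            # strict=False accepts host bits, so 192.168.1.1/24 becomes 192.168.1.0/24;
            # a bare IP parses as a /32 (or /128) network and lands here as well.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            if HOST_RE.match(entry):
                targets.append(("host", entry))
                continue
            raise ValueError(f"unrecognised target: {entry!r}")
        for addr in net:
            targets.append(("ip", str(addr)))
    return targets


def expand_target(spec: str) -> List[Tuple[str, str]]:
    """Expand a single command-line target, honouring the file: prefix."""
    if spec.startswith("file:"):
        with open(spec[len("file:"):], encoding="utf-8") as fh:
            return expand_lines(fh)
    return expand_lines([spec])
```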

No installation required. 
Debian/Kali needs: apt-get install python3-netaddr

TODO:

  • Check each IP twice because of UDP (repeated scans give slightly different results)