
RDP module #644

Open
Seanstoppable wants to merge 6 commits into zmap:master from Seanstoppable:ssmith/rdp

Conversation

@Seanstoppable (Contributor)

Adds a module for RDP

At least a starting point for #17

@phillip-stephens (Contributor) left a comment

This is great, really appreciate this effort to get this functionality added.
I haven't fully dug into this, but I'm wondering if there's a non-secure mode that can be used as well. I added a dockerized RDP service (TEST_MODULES=rdp make integration-test) on local port 3389 (username = username, pwd = password) which works through the Microsoft RDP app but not with the scanner. I tried just a simple toggle off of TLS but looks like something deeper is going on.

I can circle back to this as I get some free time, but I think this would be good to add support for since we may be most interested in such un-secured RDP services.
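The "non-secure mode" being asked about here is a specific branch of the RDP connection sequence (MS-RDPBCGR): the client's X.224 Connection Request carries an RDP_NEG_REQ listing the security protocols it accepts, and the server either picks one in an RDP_NEG_RSP, rejects the request with an RDP_NEG_FAILURE (HYBRID_REQUIRED_BY_SERVER when NLA is enforced, SSL_REQUIRED_BY_SERVER when TLS is), or, on very old servers, answers with a bare Connection Confirm, which implies standard RDP security. The Go below is an added, stand-alone example written for this page, not code from this PR or from zgrab2: it builds the request, parses all three reply shapes with bounds checks, and flags a server that agreed to PROTOCOL_RDP. The function names, the cookie value and the fabricated replies are assumptions for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// requestedProtocols / selectedProtocol values (MS-RDPBCGR). ProtocolRDP is
// "standard RDP security": no TLS and no CredSSP on the wire.
const (
	ProtocolRDP                      uint32 = 0x0
	ProtocolSSL                      uint32 = 0x1
	ProtocolHybrid                   uint32 = 0x2 // CredSSP (NLA) over TLS
	ProtocolRDSTLS, ProtocolHybridEx uint32 = 0x4, 0x8
)

const TypeNegReq, TypeNegRsp, TypeNegFailure byte = 0x01, 0x02, 0x03 // structure type after the X.224 header

var failureNames = map[uint32]string{ // RDP_NEG_FAILURE.failureCode
	1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
	4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

// BuildConnectionRequest returns TPKT + X.224 Connection Request + optional mstshash
// cookie + RDP_NEG_REQ. Requesting only ProtocolRDP probes for a non-TLS session.
func BuildConnectionRequest(cookie string, requested uint32) []byte {
	var body []byte
	if cookie != "" {
		body = append(body, "Cookie: mstshash="+cookie+"\r\n"...)
	}
	neg := make([]byte, 8) // type, flags, length=8 (LE), requestedProtocols (LE)
	neg[0] = TypeNegReq
	binary.LittleEndian.PutUint16(neg[2:], 8)
	binary.LittleEndian.PutUint32(neg[4:], requested)
	body = append(body, neg...)
	// X.224 CR TPDU: LI counts every byte after itself; 0xE0 = CR with credit 0,
	// then DST-REF, SRC-REF and class option, all zero.
	x224 := append([]byte{byte(6 + len(body)), 0xE0, 0, 0, 0, 0, 0}, body...)
	pkt := []byte{3, 0, 0, 0} // TPKT: version 3, reserved, total length (BE)
	binary.BigEndian.PutUint16(pkt[2:], uint16(4+len(x224)))
	return append(pkt, x224...)
}

type NegotiationResult struct {
	Selected uint32 // selectedProtocol; meaningful only when Failure == ""
	Failure  string // failureCode name when the server sent RDP_NEG_FAILURE
	Legacy   bool   // Connection Confirm carried no RDP_NEG_RSP at all
}

// PlainRDPOffered reports whether the server agreed to standard RDP security.
func PlainRDPOffered(r *NegotiationResult) bool {
	return r.Failure == "" && r.Selected == ProtocolRDP
}

// ParseConnectionConfirm decodes TPKT + X.224 Connection Confirm followed by RDP_NEG_RSP,
// RDP_NEG_FAILURE or nothing; lengths are checked first because the bytes are untrusted.
func ParseConnectionConfirm(pkt []byte) (*NegotiationResult, error) {
	if len(pkt) < 11 || pkt[0] != 3 || int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return nil, errors.New("short, non-TPKT or length-inconsistent reply")
	}
	if pkt[5]&0xF0 != 0xD0 {
		return nil, fmt.Errorf("expected X.224 Connection Confirm, got TPDU code 0x%02x", pkt[5])
	}
	body := pkt[11:]
	if len(body) == 0 { // server without the negotiation extension: standard RDP security
		return &NegotiationResult{Selected: ProtocolRDP, Legacy: true}, nil
	}
	if len(body) < 8 || binary.LittleEndian.Uint16(body[2:]) != 8 {
		return nil, errors.New("malformed RDP negotiation structure")
	}
	value := binary.LittleEndian.Uint32(body[4:])
	switch body[0] {
	case TypeNegRsp:
		return &NegotiationResult{Selected: value}, nil
	case TypeNegFailure:
		if name, ok := failureNames[value]; ok {
			return &NegotiationResult{Failure: name}, nil
		}
		return &NegotiationResult{Failure: fmt.Sprintf("UNKNOWN_FAILURE_%d", value)}, nil
	}
	return nil, fmt.Errorf("unexpected negotiation type 0x%02x", body[0])
}

// SampleConnectionConfirm fabricates a server reply for offline use (constructed,
// not a capture); negType 0 yields the bare legacy confirm with no RDP_NEG_RSP.
func SampleConnectionConfirm(negType byte, value uint32) []byte {
	var body []byte
	if negType != 0 {
		body = make([]byte, 8)
		body[0] = negType
		binary.LittleEndian.PutUint16(body[2:], 8)
		binary.LittleEndian.PutUint32(body[4:], value)
	}
	x224 := append([]byte{byte(6 + len(body)), 0xD0, 0, 0, 0x12, 0x34, 0}, body...)
	pkt := []byte{3, 0, 0, 0}
	binary.BigEndian.PutUint16(pkt[2:], uint16(4+len(x224)))
	return append(pkt, x224...)
}
```

When the server selects ProtocolRDP (or answers with the legacy bare confirm), the session continues over plain TCP with MCS Connect-Initial and standard (RC4-based) RDP security; it never enters a TLS handshake. A module that wants to reach such servers therefore needs that cleartext branch after negotiation, not only a switch that skips TLS on the existing code path.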

}

type RDPResult struct {
OSVersion string `json:"os_version,omitempty"`
Contributor

I believe this is the RDP Version based on testing a couple known public IPs

Suggested change
OSVersion string `json:"os_version,omitempty"`
RDPVersion string `json:"rdp_version,omitempty"`

Contributor Author

This is actually os_version.
Example:
10.0.17763 is:
https://learn.microsoft.com/en-us/windows/uwp/whats-new/windows-10-build-17763

@Seanstoppable (Contributor Author)

> This is great, really appreciate this effort to get this functionality added. I haven't fully dug into this, but I'm wondering if there's a non-secure mode that can be used as well. I added a dockerized RDP service (TEST_MODULES=rdp make integration-test) on local port 3389 (username = username, pwd = password) which works through the Microsoft RDP app but not with the scanner. I tried just a simple toggle off of TLS but looks like something deeper is going on.
>
> I can circle back to this as I get some free time, but I think this would be good to add support for since we may be most interested in such un-secured RDP services.

Interesting, I'll try to poke at it this week too

@Seanstoppable (Contributor Author)

So, because I am using NTLM to get version information, this doesn't work for xrdp.
Let me do some research into what more generic detection would be.

@Seanstoppable (Contributor Author)

I'm not sure how we feel about LLMs here, but I developed a set of changes with one in order to handle other RDP auth types.

I added a test for no tls, but the other 3 mechanisms are windows specific, so appropriate containers not available.

As a bonus, added NTLM detection for SMB as well, which I am more than happy to pull out and do a round of "what can we extract NTLM out of" as a separate PR
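The os_version discussed in the review thread above, the reason the NTLM path yields nothing for xrdp, and the NTLM extraction the author mentions reusing for SMB all come down to one structure: the NTLM CHALLENGE_MESSAGE (MS-NLMP). Windows fills its 8-byte Version field with ProductMajorVersion, ProductMinorVersion and ProductBuild when NTLMSSP_NEGOTIATE_VERSION is set (10.0.17763 is exactly that triple), and its TargetInfo AV_PAIRs carry the NetBIOS and DNS names. The parser below is an added example written for this page, not code from this PR or from zgrab2; it is transport-agnostic, so the same routine serves a CredSSP/RDP exchange and an SMB Session Setup, and it reports an empty OSVersion rather than guessing when the field is absent or the flag is unset. The sample message, the host names inside it and the function names are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"unicode/utf16"
)

const (
	msgChallenge            = 2          // MessageType of CHALLENGE_MESSAGE (MS-NLMP)
	flagNegotiateTargetInfo = 0x00800000 // NTLMSSP_NEGOTIATE_TARGET_INFO
	flagNegotiateVersion    = 0x02000000 // NTLMSSP_NEGOTIATE_VERSION
)

var avPairNames = map[uint16]string{ // AV_PAIR AvId values worth reporting
	1: "nb_computer_name", 2: "nb_domain_name", 3: "dns_computer_name", 4: "dns_domain_name", 5: "dns_tree_name",
}

type NTLMChallengeInfo struct {
	TargetName string
	OSVersion  string            // "major.minor.build"; empty when no Version field was sent
	TargetInfo map[string]string // decoded AV_PAIRs keyed by avPairNames
}

func utf16le(b []byte) string {
	u := make([]uint16, len(b)/2)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(b[2*i:])
	}
	return string(utf16.Decode(u))
}

// ParseNTLMChallenge extracts TargetName, Version and TargetInfo from a CHALLENGE_MESSAGE.
// Every length/offset is peer-controlled, so each is bounds-checked before it is used.
func ParseNTLMChallenge(msg []byte) (*NTLMChallengeInfo, error) {
	if len(msg) < 48 || string(msg[:8]) != "NTLMSSP\x00" || binary.LittleEndian.Uint32(msg[8:]) != msgChallenge {
		return nil, errors.New("not an NTLM CHALLENGE_MESSAGE")
	}
	field := func(off int) ([]byte, error) { // Len(2) MaxLen(2) Offset(4) at off
		l := int(binary.LittleEndian.Uint16(msg[off:]))
		o := int(binary.LittleEndian.Uint32(msg[off+4:]))
		if o+l > len(msg) {
			return nil, fmt.Errorf("field at %d points past end of message", off)
		}
		return msg[o : o+l], nil
	}
	tn, err := field(12)
	if err != nil {
		return nil, err
	}
	flags := binary.LittleEndian.Uint32(msg[20:])
	info := &NTLMChallengeInfo{TargetName: utf16le(tn), TargetInfo: map[string]string{}}
	// Version (8 bytes at offset 48) is only valid when NTLMSSP_NEGOTIATE_VERSION is set.
	if flags&flagNegotiateVersion != 0 && len(msg) >= 56 {
		info.OSVersion = fmt.Sprintf("%d.%d.%d", msg[48], msg[49], binary.LittleEndian.Uint16(msg[50:]))
	}
	if flags&flagNegotiateTargetInfo != 0 {
		ti, err := field(40)
		if err != nil {
			return nil, err
		}
		for len(ti) >= 4 { // AvId(2) AvLen(2) Value, terminated by MsvAvEOL (AvId 0)
			id, l := binary.LittleEndian.Uint16(ti), int(binary.LittleEndian.Uint16(ti[2:]))
			if id == 0 {
				break
			}
			if 4+l > len(ti) {
				return nil, errors.New("AV_PAIR overruns TargetInfo")
			}
			if name, ok := avPairNames[id]; ok {
				info.TargetInfo[name] = utf16le(ti[4 : 4+l])
			}
			ti = ti[4+l:]
		}
	}
	return info, nil
}

// sampleChallengeHex is a constructed CHALLENGE_MESSAGE (not a capture), laid out field by field.
const sampleChallengeHex = "" +
	"4e544c4d53535000" + "02000000" + // Signature "NTLMSSP\0", MessageType 2
	"0600060038000000" + "05028aa2" + // TargetNameFields (Len 6 @ 56), NegotiateFlags 0xA28A0205
	"0123456789abcdef" + "0000000000000000" + // ServerChallenge, Reserved
	"2e002e003e000000" + "0a0063450000000f" + // TargetInfoFields (Len 46 @ 62), Version 10.0.17763 rev 15
	"530052005600" + // TargetName "SRV" (UTF-16LE)
	"01000600530052005600" + // AvId 1 MsvAvNbComputerName "SRV"
	"0200080043004f0052005000" + // AvId 2 MsvAvNbDomainName "CORP"
	"030010007300720076002e0063006f0072007000" + // AvId 3 MsvAvDnsComputerName "srv.corp"
	"00000000" // MsvAvEOL

// SampleChallenge returns the constructed message; withVersion=false clears
// NTLMSSP_NEGOTIATE_VERSION to model a server that sends no Version field.
func SampleChallenge(withVersion bool) []byte {
	b, _ := hex.DecodeString(sampleChallengeHex) // constant input, cannot fail
	if !withVersion {
		b[23] &^= 0x02 // top byte of NegotiateFlags holds the 0x02000000 bit
	}
	return b
}
```

A server that never reaches the NTLM exchange at all (a non-Windows implementation that does not offer CredSSP, which is what the author reports for xrdp) gives this parser nothing to work with, so a generic RDP fingerprint has to come from earlier in the connection sequence; the Version field is a Windows-specific bonus, not a baseline.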
