rdp-sec-check Usage

rdp-sec-check -h

Starting rdp-sec-check v0.9-beta (joeware.net V02.00.00) ( http://labs.portcullis.co.uk/application/rdp-sec-check/ )
Copyright (C) 2014 Mark Lowe (mrl@portcullis-security.com)

======joeware notes======
*This version (joeware.net V02.00.00) modified from 0.9-beta by www.joeware.net*
*Available at http://www.joeware.net/freetools/tools/rdp-sec-check/*

Specific changes V01.00.00 made:
    1. Changed much of the output to only be included with -v(erbose)
    2. Changed security summary output to only be included with -v(erbose)
    3. Set up errorlevel output bit flag enumeration 1- RDP enabled, 2 - TLS, 4 - CredSSP
       Value of 1 means RDP accepted but not TLS,CredSSP, 7 means all protocols are accepted
    4. Bug fix, script was setting RDP Protocol to TRUE for unknown response
    5. If specifying -v(erbose) and -d(ebug) gives really verbose debug info
    6. Modified some output to be cleaner (IMO) in normal mode. :)
    7. Expanded usage info screen, substantially. ;)
Specific changes V01.01.00 made:
    1. Fixed debug option so it requires an integer
    2. Added --useip option and default to connecting with hostname instead of IP
           This is important for things like DirectAccess which route on names
    3. Always output connecting to xxxx:port string
    3. Added --ipv6 option; however doesn't perform ipv6 resolution for --useip
Specific changes V02.00.00 made:
    1. Used 0.9-beta as base code instead of 0.8-beta
    2. Implemented (most) changes from v01.00.00/v01.01.00
            * V01.01.00 auto-switched to try ipv6, this version does not
    3. Check if socket connected in get_connect, bail if not
        seems to be an IPv6 issue only to get out without actually being connected sometimes

Note about errorlevel:
If an error is thrown such as the target machine actively refusing a connection the errorlevel
value will be set to that error (in this case 10061). The values I use for specifying the type
of RDP available will not collide with valid Windows error numbers. Just verify that the error
number is 7 or less before assuming what it means. If the usage is output - e.g. say you didn't
specify a host, errorlevel will be 255.

non-inclusive list of errorlevel values
0 - Ran successfully. Port listening. No RDP available.
1 - RDP available
2 - TLS RDP available
3 - RDP and TLS RDP available
4 - CredSSP RDP available
5 - RDP and CredSSP RDP available
6 - TLS RDP and CredSSP RDP available
7 - RDP, TLS RDP, and CredSSP RDP available
255 - Usage displayed
256 - Socket opened but not connected (only seen with IPv6 in testing)
10060 - host didn't respond to request on designated port. Port not listening.
10061 - host actively refused connection
11001 - Can't resolve specified hostname

A huge massive THANK YOU to Portcullis Security and specifically Mark Lowe for this script
======end joeware notes======

rdp-sec-check.exe [ options ]  ( --file hosts.txt | host | host:port )

options are:

  --file hosts.txt      targets, one ip:port per line
  --outfile out.log     output logfile
  --timeout sec         receive timeout (default 10s)
  --retries times       number of retries after timeout
  --verbose
  --useip               Lookup the IP address first and then use it for the connection
  --ipv6                Use IPv6 for the connection
  --debug
  --help

Example:
         rdp-sec-check.exe 192.168.1.1
         rdp-sec-check.exe --file hosts.txt --timeout 15 --retries 3
         rdp-sec-check.exe --outfile rdp.log 192.168.69.69:3389
         rdp-sec-check.exe --file hosts.txt --outfile rdp.log --verbose
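
The errorlevel scheme from the notes above, as an added PowerShell example that is not part of rdp-sec-check or the joeware build: only 0 through 7 are treated as protocol bit flags (1 RDP, 2 TLS, 4 CredSSP) and anything else is reported as an error. The function names, the assumption that rdp-sec-check.exe is on PATH, and the "review" policy are this example's own.

```powershell
# Added example. Assumes rdp-sec-check.exe is on PATH; function names are hypothetical.
function ConvertFrom-RdpSecCheckExitCode {
    param([Parameter(Mandatory)][int]$ExitCode)

    # Only 0..7 are protocol bit flags; anything else is a usage, socket or Windows error.
    if ($ExitCode -lt 0 -or $ExitCode -gt 7) {
        $detail = switch ($ExitCode) {
            255     { 'Usage displayed' }
            256     { 'Socket opened but not connected' }
            10060   { 'No response on designated port' }
            10061   { 'Connection actively refused' }
            11001   { 'Cannot resolve hostname' }
            default { 'Unlisted error code' }
        }
        return [pscustomobject]@{
            ExitCode = $ExitCode; Rdp = $null; Tls = $null; CredSsp = $null
            Result = "Error: $detail"
        }
    }

    $rdp  = [bool]($ExitCode -band 1)   # RDP accepted
    $tls  = [bool]($ExitCode -band 2)   # TLS RDP accepted
    $cred = [bool]($ExitCode -band 4)   # CredSSP RDP accepted

    # Review policy (an assumption of this example, not the tool's own verdict):
    # flag any host that accepts a protocol other than CredSSP.
    $result = if ($ExitCode -eq 0) { 'No RDP available' }
              elseif ($rdp -or $tls) { 'Review: accepts a non-CredSSP protocol' }
              else { 'CredSSP only' }

    [pscustomobject]@{
        ExitCode = $ExitCode; Rdp = $rdp; Tls = $tls; CredSsp = $cred
        Result = $result
    }
}

function Test-RdpSecurity {
    param([Parameter(Mandatory)][string[]]$Target, [string]$Exe = 'rdp-sec-check.exe')
    foreach ($t in $Target) {
        # One host per run so the errorlevel belongs to exactly one target.
        & $Exe $t | Out-Null
        ConvertFrom-RdpSecCheckExitCode -ExitCode $LASTEXITCODE |
            Add-Member -NotePropertyName Target -NotePropertyValue $t -PassThru
    }
}

# Constructed exit codes, decoded without contacting any host.
0, 1, 4, 6, 7, 10061 | ForEach-Object { ConvertFrom-RdpSecCheckExitCode -ExitCode $_ } |
    Format-Table -AutoSize
```

To check real hosts, call `Test-RdpSecurity -Target` with the host or host:port values you would otherwise pass on the command line.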