Starting rdp-sec-check v0.9-beta (joeware.net V02.00.00) ( http://labs.portcullis.co.uk/application/rdp-sec-check/ )
Copyright (C) 2014 Mark Lowe (mrl@portcullis-security.com)
======joeware notes======
*This version (joeware.net V02.00.00) modified from 0.9-beta by www.joeware.net*
*Available at http://www.joeware.net/freetools/tools/rdp-sec-check/*
Specific changes V01.00.00 made:
1. Changed much of the output to only be included with -v(erbose)
2. Changed security summary output to only be included with -v(erbose)
3. Set up errorlevel output bit flag enumeration 1- RDP enabled, 2 - TLS, 4 - CredSSP
Value of 1 means RDP accepted but not TLS,CredSSP, 7 means all protocols are accepted
4. Bug fix, script was setting RDP Protocol to TRUE for unknown response
5. If specifying -v(erbose) and -d(ebug) gives really verbose debug info
6. Modified some output to be cleaner (IMO) in normal mode. :)
7. Expanded usage info screen, substantially. ;)
Specific changes V01.01.00 made:
1. Fixed debug option so it requires an integer
2. Added --useip option and default to connecting with hostname instead of IP
This is important for things like DirectAccess which route on names
3. Always output connecting to xxxx:port string
4. Added --ipv6 option; however doesn't perform ipv6 resolution for --useip
Specific changes V02.00.00 made:
1. Used 0.9-beta as base code instead of 0.8-beta
2. Implemented (most) changes from v01.00.00/v01.01.00
* V01.01.00 auto-switched to try ipv6, this version does not
3. Check if socket connected in get_connect, bail if not
seems to be an IPv6 issue only to get out without actually being connected sometimes
Note about errorlevel:
If an error is thrown such as the target machine actively refusing a connection the errorlevel
value will be set to that error (in this case 10061). The values I use for specifying the type
of RDP available will not collide with valid Windows error numbers. Just verify that the error
number is 7 or less before assuming what it means. If the usage is output - e.g. say you didn't
specify a host, errorlevel will be 255.
non-inclusive list of errorlevel values
0 - Ran successfully. Port listening. No RDP available.
1 - RDP available
2 - TLS RDP available
3 - RDP and TLS RDP available
4 - CredSSP RDP available
5 - RDP and CredSSP RDP available
6 - TLS RDP and CredSSP RDP available
7 - RDP, TLS RDP, and CredSSP RDP available
255 - Usage displayed
256 - Socket opened but not connected (only seen with IPv6 in testing)
10060 - host didn't respond to request on designated port. Port not listening.
10061 - host actively refused connection
11001 - Can't resolve specified hostname
A huge massive THANK YOU to Portcullis Security and specifically Mark Lowe for this script
======end joeware notes======
rdp-sec-check.exe [ options ] ( --file hosts.txt | host | host:port )
options are:
--file hosts.txt targets, one ip:port per line
--outfile out.log output logfile
--timeout sec receive timeout (default 10s)
--retries times number of retries after timeout
--verbose
--useip Lookup the IP address first and then use it for the connection
--ipv6 Use IPv6 for the connection
--debug
--help
Example:
rdp-sec-check.exe 192.168.1.1
rdp-sec-check.exe --file hosts.txt --timeout 15 --retries 3
rdp-sec-check.exe --outfile rdp.log 192.168.69.69:3389
rdp-sec-check.exe --file hosts.txt --outfile rdp.log --verbose
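
The errorlevel scheme in the joeware notes above can be decoded in a wrapper script. The following is an added example, not part of rdp-sec-check or the joeware build; the function names, the `needs_review` policy and the sample values are assumptions made for illustration.

```python
import subprocess

# Bit flags from the joeware notes: 1 = RDP, 2 = TLS, 4 = CredSSP.
PROTOCOL_BITS = {1: "RDP", 2: "TLS RDP", 4: "CredSSP RDP"}

# Non-protocol errorlevel values listed in the notes.
SPECIAL = {
    255: "usage displayed",
    256: "socket opened but not connected",
    10060: "no response on port (not listening)",
    10061: "connection actively refused",
    11001: "cannot resolve hostname",
}


def decode_errorlevel(code):
    """Return (status, protocols, detail) for an rdp-sec-check errorlevel."""
    if 0 <= code <= 7:
        # Only values of 7 or less are protocol bit masks.
        protocols = [name for bit, name in PROTOCOL_BITS.items() if code & bit]
        detail = "port listening" if protocols else "port listening, no RDP available"
        return "ok", protocols, detail
    # Anything else is an error number; the notes do not list every possible value.
    return "error", [], SPECIAL.get(code, f"unlisted error {code}")


def needs_review(code):
    """Hypothetical policy (an assumption, not the tool's): flag a host
    that accepts any protocol other than CredSSP."""
    status, protocols, _ = decode_errorlevel(code)
    return status == "ok" and any(p != "CredSSP RDP" for p in protocols)


def check_host(target, exe="rdp-sec-check.exe", timeout=60):
    """Run the tool against one host or host:port and decode its exit code."""
    proc = subprocess.run([exe, target], capture_output=True, text=True, timeout=timeout)
    return decode_errorlevel(proc.returncode)


if __name__ == "__main__":
    # Constructed sample errorlevels, not results from a real scan.
    for sample in (0, 1, 4, 5, 7, 255, 10061, 12345):
        flag = "REVIEW" if needs_review(sample) else ""
        print(sample, decode_errorlevel(sample), flag)
```

`check_host` runs one target per invocation because the notes do not say what errorlevel is returned when `--file` is used with several hosts.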