Starting rdp-sec-check v0.9-beta (joeware.net V02.00.00) ( http://labs.portcullis.co.uk/application/rdp-sec-check/ )
Copyright (C) 2014 Mark Lowe (mrl@portcullis-security.com)

======joeware notes======
*This version (joeware.net V02.00.00) modified from 0.9-beta by www.joeware.net*
*Available at http://www.joeware.net/freetools/tools/rdp-sec-check/*

Specific changes V01.00.00 made:
  1. Changed much of the output to only be included with -v(erbose)
  2. Changed security summary output to only be included with -v(erbose)
  3. Set up errorlevel output bit flag enumeration
       1- RDP enabled, 2 - TLS, 4 - CredSSP
       Value of 1 means RDP accepted but not TLS,CredSSP, 7 means all protocols are accepted
  4. Bug fix, script was setting RDP Protocol to TRUE for unknown response
  5. If specifying -v(erbose) and -d(ebug) gives really verbose debug info
  6. Modified some output to be cleaner (IMO) in normal mode. :)
  7. Expanded usage info screen, substantially. ;)

Specific changes V01.01.00 made:
  1. Fixed debug option so it requires an integer
  2. Added --useip option and default to connecting with hostname instead of IP
       This is important for things like DirectAccess which route on names
  3. Always output connecting to xxxx:port string
  3. Added --ipv6 option; however doesn't perform ipv6 resolution for --useip

Specific changes V02.00.00 made:
  1. Used 0.9-beta as base code instead of 0.8-beta
  2. Implemented (most) changes from v01.00.00/v01.01.00
       * V01.01.00 auto-switched to try ipv6, this version does not
  3. Check if socket connected in get_connect, bail if not
       seems to be an IPv6 issue only to get out without actually being connected sometimes

Note about errorlevel:
If an error is thrown such as the target machine actively refusing a connection
the errorlevel value will be set to that error (in this case 10061). The values I
use for specifying the type of RDP available will not collide with valid Windows
error numbers. Just verify that the error number is 7 or less before assuming
what it means. If the usage is output - e.g. say you didn't specify a host,
errorlevel will be 255.

non-inclusive list of errorlevel values
      0 - Ran successfully. Port listening. No RDP available.
      1 - RDP available
      2 - TLS RDP available
      3 - RDP and TLS RDP available
      4 - CredSSP RDP available
      5 - RDP and CredSSP RDP available
      6 - TLS RDP and CredSSP RDP available
      7 - RDP, TLS RDP, and CredSSP RDP available
    255 - Usage displayed
    256 - Socket opened but not connected (only seen with IPv6 in testing)
  10060 - host didn't respond to request on designated port. Port not listening.
  10061 - host actively refused connection
  11001 - Can't resolve specified hostname

A huge massive THANK YOU to Portcullis Security and specifically Mark Lowe for this script
======end joeware notes======

rdp-sec-check.exe [ options ] ( --file hosts.txt | host | host:port )

options are:

  --file hosts.txt    targets, one ip:port per line
  --outfile out.log   output logfile
  --timeout sec       receive timeout (default 10s)
  --retries times     number of retries after timeout
  --verbose
  --useip             Lookup the IP address first and then use it for the connection
  --ipv6              Use IPv6 for the connection
  --debug
  --help

Example:
  rdp-sec-check.exe 192.168.1.1
  rdp-sec-check.exe --file hosts.txt --timeout 15 --retries 3
  rdp-sec-check.exe --outfile rdp.log 192.168.69.69:3389
  rdp-sec-check.exe --file hosts.txt --outfile rdp.log --verbose
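
Added example (not part of the tool or its original notes): a Python wrapper that decodes the errorlevel values listed above and applies the "7 or less" check before treating a value as a protocol bitmask. The function names and the review policy in needs_review() are assumptions made for illustration.

```python
import subprocess

# Bit flags from the joeware notes: 1 = RDP, 2 = TLS, 4 = CredSSP.
PROTOCOL_BITS = {1: "RDP", 2: "TLS RDP", 4: "CredSSP RDP"}

# Non-bitmask values listed in the notes.
OTHER_CODES = {
    255: "usage displayed",
    256: "socket opened but not connected",
    10060: "no response on port (not listening)",
    10061: "connection actively refused",
    11001: "hostname could not be resolved",
}


def decode_errorlevel(code):
    """Return (status, protocols, detail) for one errorlevel value."""
    # Only 0..7 is a protocol bitmask. Masking larger values misleads:
    # 255 & 7 == 7 and 10061 & 7 == 5 would both look like open RDP.
    if 0 <= code <= 7:
        protocols = [name for bit, name in PROTOCOL_BITS.items() if code & bit]
        if not protocols:
            return ("scanned", [], "no RDP available")
        return ("scanned", protocols, ", ".join(protocols) + " available")
    return ("error", [], OTHER_CODES.get(code, f"unlisted error {code}"))


def needs_review(code):
    """Assumed audit policy (not from the tool): flag any host that
    accepts something other than CredSSP only."""
    status, protocols, _ = decode_errorlevel(code)
    return status == "scanned" and bool(protocols) and protocols != ["CredSSP RDP"]


def scan(host, exe="rdp-sec-check.exe"):
    """Run the tool against one host and decode its exit code."""
    result = subprocess.run([exe, host], capture_output=True, text=True)
    return decode_errorlevel(result.returncode)


if __name__ == "__main__":
    # Constructed sample values taken from the list in the notes.
    for code in (0, 1, 4, 7, 255, 10061):
        print(code, decode_errorlevel(code), needs_review(code))
```
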