This is a quick-and-dirty scanner for the CVE-2019-0708 vulnerability in Microsoft Remote Desktop. Right now, there are about 700,000 machines on the public Internet vulnerable to this vulnerability, compared to about 2,000,000 machines that have Remote Desktop exposed, but are patched/safe from exploitation. Many expect that in the next few months a devestating Internet worm will appear similar to WannaCry and notPetya. Therefore, scan your networks and patch your systems. This tool makes it easy to scan your networks to find vulnerable machines.

To use this tool, you can download a "binary" to run from the command line, or you can download the source and compile it. For Windows, there's a precompiled binary available.

This tool is based entirely on the rdesktop patch from https://github.com/zerosum0x0/CVE-2019-0708. I've simply trimmed the code so that I can easily compile on macOS and Windows, as well as added the ability to scan multiple targets.

This is only a couple days old and experimental. However, I am testing it by scanning the entire Internet (with the help of masscan, so I'm working through a lot of problems pretty quickly. You can try contacting me on twttier(@erratarob) for help/comments.

• 2019-05-27 - Windows and macOS binaries released (click on badges above). You Linux peeps get only source as usual. It seems to be working well on all three platforms.
• 2019-05-26 - fixing the Windows networking issues
• 2019-05-25 - Linux and macOS working well, Windows has a few network errors
• 2019-05-24 - works on Linux and macOS, Windows has a few compilation bugs
• 2019-05-23 - currently working on macOS within XCode

To scan a network, run it like the following:

rdpscan 192.168.1.1-192.168.1.1.255

This will print a one-line result per address, indicating VULNERABLE if it's vulnerable to the bug, SAFE if it's (probably) safe, or UNKNOWN if the program couldn't figureo ut the status, such as getting no response from the target. Since most targets won't respond, statistically, most will be *UNKNOWN".

It's fairly slow. You can increase the speed by adding the command-line parameter --workers 1000. But you can increase the speed even further by front-ending it with masscan first to quickly finding with port 3389 available, and then only using rdpscan to scan those resulting machines for the vulnerability.

masscan 10.0.0.0/8 -p3389 --rate 1000000 >ips.txt
rdpscan --file ips.txt > results.txt

Or, in one step, piping the output of one to the other:

masscan 10.0.0.0/8 -p3389 --rate 1000000 | rdpscan --file -

You can get more verbose diagnostic details using the -d parameter, which gets printed to sterr. This is how I usually run the program:

rdpscan --file ips.txt 2> diag.txt 1> results.txt

The difficult part is getting the OpenSSL libraries installed, and not conflicting with other versions on the system. On Debian Linux, I do:

$ sudo apt install libssl-dev

Once you've solved that problem, you just compile all the .c files together like this:

$ gcc *.c -lssl -lcrypto -o rdpscan

I've put a Makefile in the directory that does this, so you can likely do just:

$ make

The code is written in C, so needs a C compiler installed, such as doing the following:

$ sudo apt install build-essential

This section describes the more obvious build errors.

ssl.h:24:25: fatal error: openssl/rc4.h: No such file or directory

This means you either don't have the OpensSSL headers installed, or they aren't in a path somewhere. Remember that even if you have OpenSSL binaries installed, this doesn't mean you've got the development stuff installed. You need both the headers and libraries installed.

To install these things on Debian, do:

$ sudo apt install libssl-dev

To fix the path issue, add a compilation flag -I/usr/local/include, or something similar.

An example linker problem is the following:

Undefined symbols for architecture x86_64:
"_OPENSSL_init_ssl", referenced from:
    _tcp_tls_connect in tcp-fac73c.o
"_RSA_get0_key", referenced from:
    _rdssl_rkey_get_exp_mod in ssl-d5fdf5.o
"_SSL_CTX_set_options", referenced from:
    _tcp_tls_connect in tcp-fac73c.o
"_X509_get_X509_PUBKEY", referenced from:
    _rdssl_cert_to_rkey in ssl-d5fdf5.o

I get this on macOS because there's multiple versions of OpenSSL. I fix this by hard-coding the paths:

$ gcc *.c -lssl -lcrypto -I/usr/local/include -L/usr/local/lib -o rdpscan

According to comments by others, the following command-line might work on macOS if you've used Homebrew to install things. I still get the linking errors above, though, because I've installed other OpenSSL components that are conflicting.

gcc $(brew --prefix)/opt/openssl/lib/libssl.a $(brew --prefix)/opt/openssl/lib/libcrypto.a -o rdpscan *.c

The section above gives quickstart tips for running the program. This section gives more in-depth help.

To scan a single target, just pass the address of the target:

./rdpscan 192.168.10.101

You can pass in IPv6 addresses and DNS names. You can pass in multiple targets. An example of this would be:

./rdpscan 192.168.10.101 exchange.example.com 2001:0db8:85a3::1

You can also scan ranges of addresses, using either begin-end IPv4 addresses, or IPv4 CIDR spec. IPv6 ranges aren't supported because they are so big.

./rdpscan 10.0.0.1-10.0.0.25 192.168.0.0/16

By default, it scans only 100 targets at a time. You can increase this number with the --workers parameter. However, no matter how high you set this parameter, in practice you'll get a max of around 500 to 1500 workers running at once, depending upon your system.

./rdpscan --workers 1000 10.0.0.0/24

Instead of specifying targets on the command-line, you can load them from a file instead, using the well-named --file parameter:

./rdpscan --file ips.txt

The format of the file is one address, name, or range per line. It can also consume the text generated by masscan. Extra whitespace is trimmed, blank lines ignored, any any comment lines are ignored. A comment is a line starting with the # character, or // characters.

The output is sent to stdout giving the status of VULNERABLE, SAFE, or UNKNOWN. There could be additional reasons for each.

149.129.120.24  - UNKNOWN - FIN received
45.60.213.160   - SAFE - not RDP but HTTP
208.43.229.89   - SAFE - CredSSP required
170.104.127.137 - UNKNOWN - FIN received
86.188.190.117  - UNKNOWN - connect timeout
62.15.34.157    - SAFE - Target appears patched
216.15.251.120  - VULNERABLE -- got appid
69.62.158.174   - VULNERABLE -- got appid
92.111.20.13    - SAFE - Target appears patched

You can process this with additional unix commands like grep and cut. To get a list of just vulnerable machiens:

./rdpscan 10.0.0.0/8 | grep 'VULN' | cut -f1 -d'-'

Those marked "UNKNOWN" are probably worth scanning later, especially for "FIN received", which usually means the other side terminated the connection early because of delay on the Internet. Save them into a file, and then read back on the next scan with the --file option.

Whether "CredSSP required" (meaning NLA required) is "SAFE" is debatable. It means it requires a password login before we can test/trigger the vuln. It may be unpatched and vulnerable to an authenticated user, it's just not exploitable by a worm or unauthenticated user.

You should always get one-and-only-one status on stdout for each IP address you scan. Of course, if you specify an IP address multiple times, you'll get multiple statuses for that address.

However, because this code is based on rdestkop, there are certain protocol errors that won't lead to a status. If you've got a public IP address on the Internet that produces one of these errors, then I'm eager to fix it.

Adding the -d parameter dumps diagnostic info on the connections to stderr.

./rdpscan 62.15.34.157 -d

[+] [62.15.34.157]:3389 - connecting...
[+] [62.15.34.157]:3389 - connected from [10.1.10.133]:49211
[+] [62.15.34.157]:3389 - SSL connection
[+] [62.15.34.157]:3389 - version = v4.8
[+] [62.15.34.157]:3389 - Sending MS_T120 check packet
[-] [62.15.34.157]:3389 - Max sends reached, waiting...
62.15.34.157    - SAFE - Target appears patched

On macOS/Linux, you can redirect stdout and stderr separately to different files in the usual manner:

./rdpscan --file ips.txt 2> diag.txt 1> results.txt

So it includes SOCKS5 support:

./rdpscan --file ips.txt --socks5 localhost --socks5port 9050

It makes connection problems worse so you get a lot more "UNKNOWN" results.