Situation
BlueKeep (CVE-2019-0708) scanner that works both unauthenticated and authenticated (i.e. when Network Level Authentication (NLA) is enabled).
Requirements:
- A Windows RDP server
- If NLA is enabled on the RDP server, a valid user/password that is part of the “Remote Desktop Users” group
It is based on FreeRDP and uses Docker to ease compilation/execution. It should work on any UNIX environment and has been tested mainly on Linux/Ubuntu.
Backup
None
Solution
Usage
Building
Install pre-requisites:
$ sudo apt-get install docker.io
Build the custom FreeRDP client inside the Docker container named bkscan:
$ git clone https://github.com/nccgroup/BKScan.git
$ cd BKScan
$ sudo docker build -t bkscan .
[...]
Successfully built f7666aeb3259
Successfully tagged bkscan:latest
Running
Invoke the bkscan.sh script from your machine. It will invoke the custom FreeRDP client inside the newly created bkscan Docker container:
$ sudo ./bkscan.sh -h
Usage:
./bkscan.sh -t <target_ip> [-P <target_port>] [-u <user>] [-p <password>] [--debug]
Target with NLA enabled and valid credentials
Against a vulnerable Windows 7 with NLA enabled and valid credentials.
$ sudo ./bkscan.sh -t 192.168.119.141 -u user -p password
[+] Targeting 192.168.119.141:3389...
[+] Using provided credentials, will support NLA
[-] Max sends reached, please wait to be sure...
[!] Target is VULNERABLE!!!
Against a Windows 10 (non-vulnerable) or patched Windows 7 with NLA enabled and valid credentials:
$ sudo ./bkscan.sh -t 192.168.119.133 -u user -p password
[+] Targeting 192.168.119.133:3389...
[+] Using provided credentials, will support NLA
[-] Max sends reached, please wait to be sure...
[*] Target appears patched.
Target with NLA enabled and non-valid credentials
Against a Windows 7 (vulnerable or patched) with NLA enabled, scanned with a client without NLA support:
$ sudo ./bkscan.sh -t 192.168.119.141
[+] Targeting 192.168.119.141:3389...
[+] No credential provided, won't support NLA
[-] Connection reset by peer, NLA likely to be enabled. Detection failed.
Against a Windows 7 (vulnerable or patched) with NLA enabled and valid credentials but user is not part of the “Remote Desktop Users” group:
$ sudo ./bkscan.sh -t 192.168.119.141 -u test -p password
[+] Targeting 192.168.119.141:3389...
[+] Using provided credentials, will support NLA
[-] NLA enabled, credentials are valid but user has insufficient privileges. Detection failed.
Against a Windows 7 (vulnerable or patched) with NLA enabled and non-valid credentials:
$ sudo ./bkscan.sh -t 192.168.119.141 -u user -p badpassword
[+] Targeting 192.168.119.141:3389...
[+] Using provided credentials, will support NLA
[-] NLA enabled and access denied. Detection failed.
Against a Windows 10 (non-vulnerable) with NLA enabled and non-valid credentials:
$ sudo ./bkscan.sh -t 192.168.119.133 -u user -p badpassword
[+] Targeting 192.168.119.133:3389...
[+] Using provided credentials, will support NLA
[-] NLA enabled and logon failure. Detection failed.
Note: the difference in output between Windows 7 and Windows 10 is likely due to the Windows CredSSP versions and your output may differ.
Target with NLA disabled
Against a vulnerable Windows XP (no NLA support):
$ sudo ./bkscan.sh -t 192.168.119.137
[+] Targeting 192.168.119.137:3389...
[+] No credential provided, won't support NLA
[-] Max sends reached, please wait to be sure...
[!] Target is VULNERABLE!!!
Target with RDP disabled
Against a Windows 7 with RDP disabled or blocked port:
$ sudo ./bkscan.sh -t 192.168.119.142
[+] Targeting 192.168.119.142:3389...
[+] No credential provided, won't support NLA
[-] Can't connect properly, check IP address and port.
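Several of the runs above end in "Detection failed", which says nothing about whether the host is patched. The following added example (not part of BKScan or of the original page) maps each message shown above to a triage verdict so inconclusive hosts are not recorded as patched; the function names and verdict codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of BKScan): map bkscan.sh output to a triage verdict.
# Message strings are copied from the sample runs on this page; the function
# names and verdict codes are assumptions made for this example.

# Read one scan's output on stdin and print a single verdict code.
bk_classify() {
    verdict=UNKNOWN
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$verdict" = UNKNOWN ] || continue       # first decisive line wins
        case "$line" in
            *"Target is VULNERABLE"*)     verdict=VULNERABLE ;;
            *"Target appears patched"*)   verdict=PATCHED ;;
            *"Connection reset by peer"*) verdict=NEED_CREDS ;;      # rescan with -u/-p
            *"insufficient privileges"*)  verdict=NEED_RDP_GROUP ;;  # user not in Remote Desktop Users
            *"access denied"*|*"logon failure"*) verdict=BAD_CREDS ;;
            *"Can't connect properly"*)   verdict=UNREACHABLE ;;     # RDP disabled or port blocked
            *"failed to open display"*)   verdict=SCANNER_ERROR ;;   # local X11 problem, not the target
        esac
    done
    printf '%s\n' "$verdict"
}

# Succeed only for verdicts that actually say something about patch state.
bk_is_conclusive() {
    case "$1" in
        VULNERABLE|PATCHED) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the NLA-enabled, no-credentials run shown on this page.
bk_sample() {
cat <<'EOF'
[+] Targeting 192.168.119.141:3389...
[+] No credential provided, won't support NLA
[-] Connection reset by peer, NLA likely to be enabled. Detection failed.
EOF
}

v=$(bk_sample | bk_classify)
if bk_is_conclusive "$v"; then
    echo "verdict: $v"
else
    echo "verdict: $v (inconclusive, do not record this host as patched)"
fi
```

To use it on a real run, pipe the scanner output into the function, for example `sudo ./bkscan.sh -t <target_ip> | bk_classify`.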
Solution type
Permanent
Collateral impact
Problems?
If you have a problem with the BlueKeep scanner, please create an issue in this GitHub repository with the detailed output of ./bkscan.sh --debug.
Known issues
Error opening display
Some recent Linux versions (e.g. Ubuntu 18.04 or Kali 2019.2 Rolling) do not play well with the $DISPLAY and $XAUTHORITY environment variables.
$ sudo ./bkscan.sh -t 192.168.119.137
[+] Targeting 192.168.119.137:3389...
[+] No credential provided, won't support NLA
[07:58:35:866] [1:1] [ERROR][com.freerdp.client.x11] - failed to open display: :0
[07:58:35:866] [1:1] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
It works fine on a fresh install of Ubuntu 18.04, but not on an install that I have used for a while, so I blamed some updated X11 packages or configuration.