The scanner has 2 modes of operation:
Uses the vuln scan code of https://github.com/MalwareTech/RDGScanner
Scanning for memory corruption vulnerabilities is dangerous and can potentially crash systems. Whilst this tool has been designed to avoid causing a crash, stability can't be 100% guaranteed. Use at your own risk and only scan systems you have permission to test.
The scanner is multithreaded and can parse files cotaining CIDR netmasks, but for bigger networks you still might want to use nmap for finding open UDP 3391 ports before vuln scanning them. This doens't work out of the box at the moment. You need to add 3391 to the DTLS section in nmap-payloads (usually in /usr/share/nmap, PR on the way) and scan using e.g.:
nmap -Pn -p 3391 -sU -oA rdg_scan_yyyymmdd 10.0.0.0/24
(Needs root permissions)
Default port for vuln scanning is UDP 3391, change with --port.
Not all RD gateways have UDP 3391 active or exposed on the firewall, probably because it also works with HTTPS only and the admins didn't bother to read the documentation. If you also want to find those RD gateways, use the webcheck (Maybe you're afraid of a server with CVE-2020-0609 unpatched and the operators opening UDP 3391 in 6 months because of the "better performance over high latency networks".)
To scan using HTTPS, use the parameter --webcheck or -w Default port for webcheck is TCP 443, change with --port.
Be aware, that e.g. a recent Debian/Kali has default openssl settings, which prevent any program including python, curl, ... from making connections to insecure SSL implementations, including anything lower than TLSv1.2. This is reasonable for home banking but not for vulnerability scanning, where you also want to find that old host still using SSLv3. I didn't find any better solution than chaning this in /etc/ssl/openssl.cnf. Find/insert the section [system_default_sect] and change it to:
[system_default_sect]
MinProtocol = SSLv3
CipherString = DEFAULT@SECLEVEL=1
Remember to change it back for sensitive stuff! If you know a solution which would only change this settings for a python script, please let me know ;)
SSL errors showing up during scanning might be from IPS systems.
The scanner can parse:
- IPs
- CIDR notations, for example: 192.168.1.0/24
- Hostnames
- Routing AS, e.g. as1234
- Plaintext files containing anything of the above, one entry per line, passed as file:netlist.txt
Example: python3 rdg_scanner_cve-2020-0609.py 192.168.1.1/24 # vuln scan for cve-2020-0609 on UDP 3391
Example2 python3 rdg_scanner_cve-2020-0609.py 192.168.1.1/24 --webcheck # check webpage for RD gateway
Example3: python3 rdg_scanner_cve-2020-0609.py 192.168.1.1
Example4: python3 rdg_scanner_cve-2020-0609.py fakewebsiteaddress.com
Example5: python3 rdg_scanner_cve-2020-0609.py as15169
Example6: python3 rdg_scanner_cve-2020-0609.py file:hostfile.txt
usage: rdg_scanner_cve-2020-0609.py [-h] [--port PORT] [--webcheck]
[--verbose]
target
No installation required.
Debian/Kali needs: apt-get install python3-netaddr
TODO:
- Check each IP twice because of UDP (repeated scans give slightly different results)