nccgroup / Bkscan

BlueKeep scanner supporting NLA


BKScan

BlueKeep (CVE-2019-0708) scanner that works both unauthenticated and authenticated, so it can also check targets on which Network Level Authentication (NLA) is enabled.

Requirements:

  • A Windows RDP server
  • If NLA is enabled on the RDP server, a valid user/password for an account that is a member of the "Remote Desktop Users" group

It is based on FreeRDP and uses Docker to ease compilation/execution. It should work on any UNIX environment and has been tested mainly on Linux/Ubuntu.

Usage

Building

Install pre-requisites:

sudo apt-get install docker.io

Build the Docker image (tagged bkscan) that contains the custom FreeRDP client:

$ git clone https://github.com/nccgroup/BKScan.git
$ cd BKScan
$ sudo docker build -t bkscan .
[...]
Successfully built f7666aeb3259
Successfully tagged bkscan:latest

Running

Invoke the bkscan.sh script from your machine. It starts a container from the bkscan image built above and runs the custom FreeRDP client inside it:

$ sudo ./bkscan.sh -h
Usage:
./bkscan.sh -t <target_ip> [-P <target_port>] [-u <user>] [-p <password>] [--debug]

Target with NLA enabled and valid credentials

Against a vulnerable Windows 7 with NLA enabled and valid credentials:

$ sudo ./bkscan.sh -t 192.168.119.141 -u user -p password
[+] Targeting 192.168.119.141:3389...
[+] Using provided credentials, will support NLA
[-] Max sends reached, please wait to be sure...
[!] Target is VULNERABLE!!!

Against a Windows 10 (non-vulnerable) or patched Windows 7 with NLA enabled and valid credentials:

$ sudo ./bkscan.sh -t 192.168.119.133 -u user -p password
[+] Targeting 192.168.119.133:3389...
[+] Using provided credentials, will support NLA
[-] Max sends reached, please wait to be sure...
[*] Target appears patched.

Target with NLA enabled and missing, invalid or insufficient credentials

Against a Windows 7 (vulnerable or patched) with NLA enabled, scanned without credentials (so the client has no NLA support and the check cannot proceed):

$ sudo ./bkscan.sh -t 192.168.119.141
[+] Targeting 192.168.119.141:3389...
[+] No credential provided, won't support NLA
[-] Connection reset by peer, NLA likely to be enabled. Detection failed.

Against a Windows 7 (vulnerable or patched) with NLA enabled and valid credentials, but the user is not a member of the "Remote Desktop Users" group:

$ sudo ./bkscan.sh -t 192.168.119.141 -u test -p password
[+] Targeting 192.168.119.141:3389...
[+] Using provided credentials, will support NLA
[-] NLA enabled, credentials are valid but user has insufficient privileges. Detection failed.

Against a Windows 7 (vulnerable or patched) with NLA enabled and invalid credentials:

$ sudo ./bkscan.sh -t 192.168.119.141 -u user -p badpassword
[+] Targeting 192.168.119.141:3389...
[+] Using provided credentials, will support NLA
[-] NLA enabled and access denied. Detection failed.

Against a Windows 10 (non-vulnerable) with NLA enabled and invalid credentials:

$ sudo ./bkscan.sh -t 192.168.119.133 -u user -p badpassword
[+] Targeting 192.168.119.133:3389...
[+] Using provided credentials, will support NLA
[-] NLA enabled and logon failure. Detection failed.

Note: the difference in output between Windows 7 and Windows 10 is likely due to the different CredSSP versions on each, and your output may differ.

Target with NLA disabled

Against a vulnerable Windows XP (no NLA support):

$ sudo ./bkscan.sh -t 192.168.119.137
[+] Targeting 192.168.119.137:3389...
[+] No credential provided, won't support NLA
[-] Max sends reached, please wait to be sure...
[!] Target is VULNERABLE!!!

Target with RDP disabled

Against a Windows 7 with RDP disabled or the port blocked:

$ sudo ./bkscan.sh -t 192.168.119.142
[+] Targeting 192.168.119.142:3389...
[+] No credential provided, won't support NLA
[-] Can't connect properly, check IP address and port.
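The outputs above are the only signal bkscan.sh gives, so a practitioner scanning more than a handful of hosts wants them turned into a machine-readable status. The following wrapper is an added example and not part of BKScan: it classifies bkscan.sh output into one of the outcomes shown on this page (vulnerable, patched, unreachable, and the three NLA failure modes that each need a different follow-up) and runs the scan over a target list. It assumes bkscan.sh sits in the current directory as in the README, that the status lines it prints match the ones shown above, and that the target file holds one IPv4 address per line with an optional :port (the file name, the function names and the status words are this example's own choices).

```bash
#!/usr/bin/env bash
# Added example, not part of BKScan. Triage bkscan.sh output for a list of targets.
# Assumes: ./bkscan.sh present (README layout), output lines as shown on the page,
# targets file with one "IPv4[:port]" per line (IPv6 not handled).

# classify_bkscan_output: read bkscan.sh output on stdin, print one status word.
# The first two patterns are the definitive verdicts; the rest explain why the
# check could not complete and what to fix before rescanning.
classify_bkscan_output() {
    local out
    out="$(cat)"
    case "$out" in
        *"Target is VULNERABLE"*)             echo "VULNERABLE" ;;
        *"Target appears patched"*)           echo "PATCHED" ;;
        *"Can't connect properly"*)           echo "UNREACHABLE" ;;          # RDP off / port filtered
        *"insufficient privileges"*)          echo "NLA_NO_RDP_RIGHTS" ;;    # creds ok, not in Remote Desktop Users
        *"NLA enabled and access denied"*|*"NLA enabled and logon failure"*)
                                              echo "NLA_BAD_CREDS" ;;        # wrong user/password
        *"NLA likely to be enabled"*)         echo "NLA_NEEDS_CREDS" ;;      # rescan with -u/-p
        *)                                    echo "UNKNOWN" ;;              # rerun with --debug
    esac
}

# split_target: "host[:port]" -> "host port" (default port 3389, as bkscan.sh does).
split_target() {
    case "$1" in
        *:*) printf '%s %s\n' "${1%%:*}" "${1#*:}" ;;
        *)   printf '%s %s\n' "$1" 3389 ;;
    esac
}

# scan_targets FILE [USER PASS]: run bkscan.sh per host and print "host,port,status".
# Credentials are passed through only when given, so hosts without NLA are still
# scanned unauthenticated exactly as in the README examples.
scan_targets() {
    local targets_file="$1" user="${2:-}" pass="${3:-}"
    local line host port status
    echo "host,port,status"
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        read -r host port <<EOF
$(split_target "$line")
EOF
        if [ -n "$user" ]; then
            status="$(sudo ./bkscan.sh -t "$host" -P "$port" -u "$user" -p "$pass" 2>&1 | classify_bkscan_output)"
        else
            status="$(sudo ./bkscan.sh -t "$host" -P "$port" 2>&1 | classify_bkscan_output)"
        fi
        printf '%s,%s,%s\n' "$host" "$port" "$status"
    done < "$targets_file"
}

# Usage (only when bkscan.sh is present and a targets file is given):
#   ./triage.sh targets.txt            # unauthenticated
#   ./triage.sh targets.txt user pass  # with NLA credentials
if [ -x ./bkscan.sh ] && [ $# -ge 1 ]; then
    scan_targets "$@"
fi
```

Hosts that come back as NLA_NEEDS_CREDS or NLA_NO_RDP_RIGHTS are not cleared: the scanner never reached the vulnerable code path, so they have to be rescanned with an account that is in "Remote Desktop Users" before they can be marked patched. Note that the wrapper does not shorten the "Max sends reached, please wait" delay; it simply waits for bkscan.sh to exit.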

Thanks

Special thanks to @JaGoTu and @zerosum0x0 for releasing their Unauthenticated CVE-2019-0708 "BlueKeep" Scanner, see here. The BKScan scanner in this repo works similarly to their scanner but has been ported to FreeRDP to support NLA.

Thank you to mi2428 for releasing a script to run FreeRDP in Docker, see here.

Also thank you to the following people for contributing:

Problems?

If you have a problem with the BlueKeep scanner, please create an issue on this GitHub repository with the detailed output obtained by running ./bkscan.sh with --debug.

Known issues

Failed to open display

Some recent versions of Linux (e.g. Ubuntu 18.04 or Kali 2019.2 Rolling) do not play well with the $DISPLAY and $XAUTHORITY environment variables.

$ sudo ./bkscan.sh -t 192.168.119.137
[+] Targeting 192.168.119.137:3389...
[+] No credential provided, won't support NLA
[07:58:35:866] [1:1] [ERROR][com.freerdp.client.x11] - failed to open display: :0
[07:58:35:866] [1:1] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.

It works fine on a fresh installation of Ubuntu 18.04 but not on an installation I have used for a while, so I am blaming some updated X11-related package or configuration.

docker-org documents this and proposes a solution, but I haven't been able to get it working myself, so I am not sure they are describing the same issue. If you run into this issue and are able to fix it, please feel free to open a PR.
