RDP/Rdesktop Password Grinding

JoMo-Kun / jmk "AT" foofus "DOT" net

Some quick notes about "brute-forcing RDP"...

The following patch to rdesktop adds the ability to perform brute-force password guessing against Microsoft Terminal Servers. This functionality was initially based off of a patch found at cqure.net. However, significant modifications were made to allow testing against Windows 2000 and detection of error messages beyond simple pass/fail. The following is a brief summary of the included changes:

rdesktop 1.4.1 patch: rdp-brute-force-r422.diff
rdesktop 1.5 patch: rdp-brute-force-r805.diff Thanks to Anton Bolshakov for the patch


Brute-force attack using password file:
rdesktop -u administrator -p passwords.txt

Brute-force attack sending passwords via STDIN:
rdesktop -u administrator -p -

The following example shows one way to use rdesktop with the MEDUSA wrapper module:

medusa -M wrapper -m TYPE:STDIN -m PROG:rdesktop -m ARGS:"-u %U -p - %H" -H hosts.txt -U users.txt -P passwords.txt

One possible method for hiding the graphical output from rdesktop:
% Xvfb :97 -ac -nolisten tcp &
% export DISPLAY=:97

Additional Information

It should be noted that this patch relies on matching data which rdesktop refers to as text. Of course, this isn't text, but what I think is some graphical representation of what the text on the screen should be. Messages for a particular error varied between OS (2K, 2K3 and XP), but seemed to be consistent across multiple installs of the same OS. Of course, your luck may vary. If anyone has a better method for detecting this stuff, please let me know. Feel free to also let me if this actually works for you.

Current test cases. Each cell contains information on two attempts; one with a valid password and another with an invalid password.

2000 XP 2003
Interactive Logon Not Permitted FAIL(2*)/FAIL SUCCESS(1)/FAIL SUCCESS(1)/FAIL
Account Locked FAIL/FAIL ERROR(1)/ERROR(1) ERROR(1)/ERROR(1)
Account Disabled(4) FAIL/FAIL ERROR(1)/FAIL ERROR(1)/ERROR(1)
Account Expired FAIL/FAIL ERROR(1)/ERROR(1) ERROR(1)/ERROR(1)
Expired, Must Change Password SUCCESS(1)/FAIL SUCCESS(1)/FAIL SUCCESS(1)/FAIL
Must Change at First Logon SUCCESS(3)/FAIL SUCCESS(1)/FAIL SUCCESS(1)/FAIL
User Currently Logged In SUCCESS(1)/FAIL
Terminal Server Exceeded Max Conn. SUCCESS/FAIL SUCCESS(1)/FAIL

1 - Displays corresponding error message
2 - Incorrect response, no unique text to match on
3 - Displays same error as "Expired, Must Change Password"
4 - W2K sends disabled message regardless of password. XP sends disabled
    only if password is correct.

© Copyright 2006, Foofus Advanced Security Services
any time. any fucknut.