RDP/Rdesktop Password Grinding

Some quick notes about "brute-forcing RDP"...

The following patch to rdesktop adds the ability to perform brute-force password guessing against Microsoft Terminal Servers. This functionality was initially based off of a patch found at cqure.net. However, significant modifications were made to allow testing against Windows 2000 and detection of error messages beyond simple pass/fail. The following is a brief summary of the included changes:

• Fixed segfault with original cqure.net patch when no dictionary file was supplied.
• Enhanced success detection. The cqure.net patch basically starts a connection, sends login info and immediately checks to see if we've successfully authenticated. It seems that about 50% of the time it does this check mid-auth and incorrectly assumes we've failed to authenticate.
• Basic OS detection (2K vs 2K3/XP).
• Basic error message detection (password expired, account locked, etc.).
• Modified rdesktop to support basic Windows 2000 brute-forcing. Unfortunately, unlike XP/2003, you can't just send the password in the initial RDP packet. I've modified Rdesktop to look for the W2K logon screen and then send the password via key presses/releases. Kinda kludgy, but seems to work. Matching errors such as "Not permitted to logon due to policy" when testing 2000 is not as good as 2K3/XP. Of course, NetBIOS is typically open on 2K, so don't use RDP for brute-forcing. MEDUSA is your friend. ;)

rdesktop 1.4.1 patch: rdp-brute-force-r422.diff
rdesktop 1.5 patch: rdp-brute-force-r805.diff Thanks to Anton Bolshakov for the patch

Usage

Brute-force attack using password file:
rdesktop -u administrator -p passwords.txt 192.168.0.100

Brute-force attack sending passwords via STDIN:
rdesktop -u administrator -p - 192.168.0.100

The following example shows one way to use rdesktop with the MEDUSA wrapper module:

medusa -M wrapper -m TYPE:STDIN -m PROG:rdesktop -m ARGS:"-u %U -p - %H" -H hosts.txt -U users.txt -P passwords.txt

One possible method for hiding the graphical output from rdesktop:
% Xvfb :97 -ac -nolisten tcp &
% export DISPLAY=:97


Additional Information

It should be noted that this patch relies on matching data which rdesktop refers to as text. Of course, this isn't text, but what I think is some graphical representation of what the text on the screen should be. Messages for a particular error varied between OS (2K, 2K3 and XP), but seemed to be consistent across multiple installs of the same OS. Of course, your luck may vary. If anyone has a better method for detecting this stuff, please let me know. Feel free to also let me if this actually works for you.

Current test cases. Each cell contains information on two attempts; one with a valid password and another with an invalid password.

	2000	XP	2003
Normal Logon	SUCCESS/FAIL	SUCCESS/FAIL	SUCCESS/FAIL
Interactive Logon Not Permitted	FAIL(2*)/FAIL	SUCCESS(1)/FAIL	SUCCESS(1)/FAIL
Account Locked	FAIL/FAIL	ERROR(1)/ERROR(1)	ERROR(1)/ERROR(1)
Account Disabled(4)	FAIL/FAIL	ERROR(1)/FAIL	ERROR(1)/ERROR(1)
Account Expired	FAIL/FAIL	ERROR(1)/ERROR(1)	ERROR(1)/ERROR(1)
Expired, Must Change Password	SUCCESS(1)/FAIL	SUCCESS(1)/FAIL	SUCCESS(1)/FAIL
Must Change at First Logon	SUCCESS(3)/FAIL	SUCCESS(1)/FAIL	SUCCESS(1)/FAIL
User Currently Logged In		SUCCESS(1)/FAIL
Terminal Server Exceeded Max Conn.	SUCCESS/FAIL		SUCCESS(1)/FAIL

1 - Displays corresponding error message
2 - Incorrect response, no unique text to match on
3 - Displays same error as "Expired, Must Change Password"
4 - W2K sends disabled message regardless of password. XP sends disabled
    only if password is correct.