BlueTeam, CredSSP, Information Security, Nmap, RDP, Windows

Using Nmap to extract Windows host and domain information via RDP

I’ve recently spent some time in various code bases working on Windows RDP related discovery. This post is going to talk about using a new Nmap script, rdp-ntlm-info.nse, against RDP services to discover the target’s hostname, domain name, DNS name, and version.

3389/tcp open     ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: W2016
|   NetBIOS_Domain_Name: W2016
|   NetBIOS_Computer_Name: W16GA-SRV01
|   DNS_Domain_Name: W2016.lab
|   DNS_Computer_Name: W16GA-SRV01.W2016.lab
|   DNS_Tree_Name: W2016.lab
|   Product_Version: 10.0.14393
|_  System_Time: 2019-06-13T10:38:35+00:00

This post was updated 2019.06.14 to reflect that the script had been committed to the official repo, update the usage instructions to reflect this, and include the NSEDoc link for the script.

This post was updated 2019.06.18 to indicate that users of 7.70 need updated nselib/datetime.lua as well.

Continue reading