ZMap RDP (3389) BlueKeep Scanning

Asphyxia

Owner
Administrator
Apr 25, 2015
We are going to start with Kali Linux running.

Warning:
If you are scanning from an office, make sure you are off WiFi and plugged into the ethernet for a direct line connection. WiFi traffic is often more filtered for less accurate results. If you adjust networking settings while a VM is live, you may find yourself having to pause and then restore the VM for networking operations to work as intended.

Requirements:
zmap
nmap
metasploit (with Armitage if you want GUI for simplicity)

Commands:
Code:
cd ~
mkdir scanHosts
cd scanHosts
mkdir 10 172 192
zmap -p3389 172.16.0.0/12 -o ~/scanHosts/172/p3389-$(date -d "today" +"%Y%m%d%H%M").list
zmap -p3389 192.168.0.0/16 -o ~/scanHosts/192/p3389-$(date -d "today" +"%Y%m%d%H%M").list
zmap -p3389 10.0.0.0/8 -o ~/scanHosts/10/p3389-$(date -d "today" +"%Y%m%d%H%M").list
cat */* | sort

If you do not care about noise, you should run the above scans maybe 10 times. Just throw the scan into a .sh file and loop it ten times!

Why? I don't fu**ing know to be entirely honest. It's scanning 1,000,000 IPs pretty damn fast, maybe that is why. One could argue "Just tweak the scan configurations." Yeah but then too much and the scan slows way damn down, too little and you still end up missing hosts. We want damn near perfect accuracy, eh? ZMap is picking apart the bones, we can rescan subnets with Nmap for thoroughness.

Hint: When looping, add seconds to the filename or you know what happens. Waste of time overwriting!

Another option you have is to keep scanning until you start to see:
Code:
cat * | wc -l
cat * | sort | uniq | wc -l

A difference here, because now our scan is overlapping. Is this a perfect science? No, creative af I know but maybe it could be an option to balance out odds unless you are having a bad luck kind of day or only can possibly detect a single host lol.

Sometimes people ask me to do crazy sh*t like scan EVERY single host for 3389 ports. What most people fail to realize is this shit can take a really long time and I am impatient.

So I would rather loop scans until we have some mapped out subnets, we can look for patterns y'know?

So I scanned about 20 times, came out with... ACTUALLY fu**. Have you ever tried scanning over 2,000,000 hosts with Nmap? Sh*t is real slow m8.

I decided to try something a little different! Let's try https://github.com/zmap/zmap/wiki/Rate-Limiting-and-Sampling and btw this random Tim Rice guy seems smart https://kb.help.rapid7.com/discuss/59b320ac8f40290010c16c6f I mean Edward Sheehy. Hell, guy seems pretty smart: https://www.linkedin.com/in/edsheehy/ definitely a visionary.

Okay, even adding "-r 9001" did not seem to help much if any.

Okay, I found the solution then, in my Nmap vs ZMap guide here. I realized I should just fu**in' benchmark the two scans for a 3389 scan on the 172.

Nmap:
Code:
time nmap -p3389 --unprivileged -Pn --open -oG - 10.22.151.* | grep "/open" | awk '{ print $2 }' > wicked.list
10.740s for Nmap.

ZMap's scan guide details setting a "wait time" for receiving over here. Without using this, the default wait is 8 seconds.
ZMap:
Code:
time zmap -p3389 10.22.151.0/24
Code:
time zmap -p3389  -c3 10.22.151.0/24 -o wicked2.list
4.34s for ZMap

It is important to note both Nmap and ZMap were finding the same number of hosts when targeting such a small subnet. Where ZMap becomes less accurate is when it begins scanning through ~100,000 hosts RAPIDLY where Nmap would be gasping for air to keep up.

The scan speed becomes exponentially different though, as we increase target hosts. Let me showcase this!

Here are some results from ZMap to demonstrate how we can find areas on the network to further inspect.
Code:
10.22.239.58
10.22.240.129
10.22.240.211
10.22.240.55
10.22.240.80
...

Referencing this list over here https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks we can assume X.22 and X.21 are areas of focus on this unspecified network.

255.255.0.0 (/16) makes sense then for X.22 then X.21, let's do this to have a faceoff between Nmap and ZMap for accuracy and speed:

ZMap
Code:
time zmap -p3389 -c4 10.22.0.0/16
Came back with 5.35s and found a hitrate of 0.03% or... 22 hosts. Running again results in varying results.

Nmap's turn
Code:
time nmap -p3389 --unprivileged -Pn --open 10.22.0.0/16

I am noticing right away, ZMap went in like lightning and found some hosts listening on port 3389. My primary complaint is going to certainly be accuracy, again this makes sense because we scanned 65,536 hosts in 5 seconds. The Nmap method is already over a few minutes in and I have a lot of time to wait - tick tock tick tock time to listen to Ke$ha and rip my eyes out.

The other annoyance with Nmap is never having any fu**ing clue how much time is left in a scan because it chunks apart the scans to 1024, 2048, ~4,000 or however many it feels like. It's some sort of automated method and while I may be able to tamper around with the settings, I feel like there is nothing I can do in my power to expedite these Nmap scans. It is just impractical to expect a "highly reliable" tool to give me speed. Zmap, Masscan, Unicornscan are for speed and can be accurate if tuned finely, for example modifying retries, capping the bandwidth used for a scan e.g. we could "-B 1M" which may greatly increase scan time but return a greater number of hosts. For example, ZMap may scan in 10 minutes and gather 200 hosts across a certain subnet where Nmap will still be chugging along for at least 50 minutes. I get accuracy is important, but should you really have to wait a damn hour to discover Windows hosts with RDP enabled? Come the f*** on, let's go!! (Remember I am impatient sometimes)

I have to be, because customers get impatient and want "security now", not tomorrow.

... okay so Nmap is still going (over an hour and a half later). I am actually just going to leave my motherf**king laptop here, running - whatever.

I'll clean this documentation up a lot tomorrow to make it more simple/professional.

Consider this a public/rough draft.

Quality content being refined soon. Thanks for your patience! 28,672 hosts scanned in Nmap in about 1:35:22 - that is kind of a long time considering ZMap can breeze through these with some tweaked settings with decent results in less than 20 minutes.

Asphyxia

Target: 172.22.0.0/16 (65,536 hosts)
Port: 3389 (RDP)
Tool         Command                                              Time (hh:mm:ss)   Discoveries (port open)
Masscan      time masscan 172.22.0.0/16 -p3389                    00:20:37          843
Nmap         time nmap -p3389 --unprivileged -Pn 172.22.0.0/16    02:54:10          204
Unicornscan  time unicornscan -p3389 172.22.0.0/16                00:03:50          355
ZMap         time zmap -p3389 -c10 -B 200K 172.22.0.0/16          00:03:53          377

While creating these benchmarks, I have tried my best to not adjust configs/flags to give one tool an unfair advantage over the other. Think of this as "out of the box" scanning results. ZMap is an exception because it would scan too fast (9 seconds) and discovery hitrate would sometimes be horribly low with varying results (20 then 100).

Getting each of these to write out logs is simple, shown below is how:
Code:
masscan 172.22.0.0/16 -p3389 -oG masscan.out
unicornscan -p3389 172.22.0.0/16 -l unicornscan.out
nmap -p3389 --unprivileged -Pn --open -oG nmap.out 172.22.0.0/16
zmap -p3389 -c10 -B 200K 172.22.0.0/16 -o zmap.out

All three of these tools are useful for network discovery and finding information about hosts on a network.

If you get four ".out" files from a scan - into a certain folder for example: /nets/16/172.22.0.0/ zmap.out, nmap.out, masscan.out, unicornscan.out - now you can pull the results together.

Code:
cat /nets/16/172.22.0.0/*.out | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | uniq > final.out
wc final.out

Now you have a network scanned by 4 separate utilities for host discovery. Discovery could be an automated process running during the weekend. Starting the moment people "clock off" Friday. ZMap is still phenomenal for launching fast scans,

Once you have your list of hosts seeming open on port 3389, time to scan for auxiliary/scanner/rdp/cve_2019_0708_bluekeep.

Code:
msfconsole -x "use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set THREADS 24; set RHOSTS file:/root/scanHosts/172/maybeUnsafe.list; run; exit" -o vulnHosts.list

Now you can just grep vulnHosts.list for vulnerable hosts:
Code:
cat vulnHosts.list | grep "vuln"

Go patch your servers and have fun! You can see how automation could be accomplished between these host discovery scanners and other open security tools like OpenVAS, msfconsole, etc.

Could take some time, since only bigger teams even think about it.
I quit being mad; I simply reorganized my notes and published them within the thread.