Script rdp-ntlm-info

Script types: portrule
Categories: default, discovery, safe
Download: https://svn.nmap.org/nmap/scripts/rdp-ntlm-info.nse

Script Summary

This script enumerates information from remote RDP services with CredSSP (NLA) authentication enabled.

Sending an incomplete CredSSP (NTLM) authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version.

Script Arguments

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p 3389 --script rdp-ntlm-info <target>

Script Output

3389/tcp open     ms-wbt-server syn-ack ttl 128 Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: W2016
|   NetBIOS_Domain_Name: W2016
|   NetBIOS_Computer_Name: W16GA-SRV01
|   DNS_Domain_Name: W2016.lab
|   DNS_Computer_Name: W16GA-SRV01.W2016.lab
|   DNS_Tree_Name: W2016.lab
|   Product_Version: 10.0.14393
|_  System_Time: 2019-06-13T10:38:35+00:00

Requires

• datetime
• os
• shortport
• stdnse
• smbauth
• string
• rdp

---

Author:

• Tom Sellers

License: Same as Nmap--See https://nmap.org/book/man-legal.html