Python script to detect bluekeep vulnerability - CVE-2019-0708 - with TLS/SSL support
Work derived from the Metasploit module written by @zerosum0x0 https://github.com/zerosum0x0/CVE-2019-0708
RC4 taken from https://github.com/DavidBuchanan314/rc4
detect_bluekeep.py requires pyasn1 and cryptography python modules.
Install them either via
pip install -r requirements.txt
or
pip3 install pyasn1 pyasn1_modules cryptography
- SAFE - host appears to be not vulnerable
- VULNERABLE - host is likely vunerable to CVE-2019-0708
- HYBRID_REQUIRED_BY_SERVER - server requires CredSSP, which is currently not supported by detect_bluekeep.py
- NO RDP - RDP not enabled on the remote host on port 3389
- UNKNOWN - status is reported only in very rare cases (less than 5%). It ususally comes on protocol timeouts. Some other PoCs report UNKNOWN status even when server enforces SSL/TLS, we don't.
Added handling of x509 certificates. Fixed issue #3
Do not use version 0.9 and 0.10, they are broken, while doing experiments on issue #3
Fall back to standard RDP security if SSL/TLS is not supported by the server.
The scripts now supports SSL/TLS security, which is enabled by default. If you want to use the standard RDP security, use the --notls commandline parameter.
- some RDP PDU annotations
- decryption of the server traffic.
- properly packetized server to client traffic, including fast path traffic
# ./detect_bluekeep.py
usage: detect_bluekeep.py [-h] [--version] [-d] [--notls] [-l [LOGFILE]] [-w WORKERS]
[host [host ...]]
positional arguments:
host List of targets (addresses or subnets)
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
-d, --debug verbose output
--notls disable TLS security
-l [LOGFILE], --logfile [LOGFILE]
log to file
-w WORKERS, --workers WORKERS
number of parallel worker tasks
You may run with a list of IPv4 addresses:
# ./detect_bluekeep.py 192.168.158.241 192.168.158.242 192.168.158.247 192.168.162.73 192.168.162.70
2019-06-03 09:58:01,255 'Starting ./detect_bluekeep.py'
2019-06-03 09:58:01,255 './detect_bluekeep.py 192.168.158.241 192.168.158.242 192.168.158.247 192.168.162.73 192.168.162.70'
2019-06-03 09:58:01,256 'Going to scan 5 hosts, in 300 parallel tasks'
2019-06-03 09:58:01,366 '[-] [192.168.162.73] Status: Unknown'
2019-06-03 09:58:02,222 '[+] [192.168.158.241] Status: Vulnerable'
2019-06-03 09:58:02,887 '[+] [192.168.158.242] Status: Vulnerable'
2019-06-03 09:58:06,262 '[-] [192.168.162.70] Status: No RDP'
2019-06-03 09:58:06,262 '[-] [192.168.158.247] Status: No RDP'
or for whole subnets:
# ./detect_bluekeep.py 192.168.158.241/24 192.168.162.70/28
Apache 2.0