
Windows XP False Positives? #6

Open
wright546 opened this issue May 28, 2019 · 6 comments

Comments

@wright546

I'm seeing a discrepancy in the results between this rdpscan and the one put out by zerosum0x0.

This rdpscan seems to be reporting all Windows XP as vulnerable even after they are patched and rebooted. The rdpscan from zerosum0x0 reports the same Windows XP as patched. (rdpscan from zerosum0x0 had previously reported them as vulnerable before KB4500331 was applied to them)

I'm not sure what information I can provide to help solve this but let me know and I'll do what I can. I'd like to set this up as a scheduled task. Thanks

@robertdavidgraham
Owner

Do you have an IP address I can use to connect to? Also, do you have a link to the WinXP patch?

@wright546
Author

Unfortunately I don't; they are all internal RFC1918 addresses. I might be able to create a VM that I could send to you somehow? Let me know what could work.

The WinXP patch can be downloaded here:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4500331

@t-rapp

t-rapp commented Jun 6, 2019

Noticed something similar. About half of the tested WinXP VMs are still reported as vulnerable by rdpscan after KB4500331 has been applied and the machine was restarted, but none of the (few) physical WinXP machines. Unfortunately (or fortunately) all of the VMs are disconnected from the internet.

@lgrangeia

lgrangeia commented Jun 6, 2019

I've been investigating this, and I think we can narrow down false positives to the following behaviour:

True positive:

[+] [192.168.1.100]:30389 - connecting...
[+] [192.168.1.100]:30389 - connected from [192.168.1.100]:54718
[+] [192.168.1.100]:30389 - version = v4.8
[+] [192.168.1.100]:30389 - sending 1 channels
[+] [192.168.1.100]:30389 - Sending MS_T120 check packet
192.168.1.100 - VULNERABLE -- got appid

likely false positive (this machine was patched):

[+] [192.168.1.100]:3389 - connecting...
[+] [192.168.1.100]:3389 - connected from [192.168.1.100]:57098
[+] [192.168.1.100]:3389 - version = v4.8
[+] [192.168.1.100]:3389 - sending 1 channels
[+] [192.168.1.100]:3389 - Sending MS_T120 check packet
[-] [192.168.1.100]:3389 - Max sends reached, waiting...
192.168.1.100 - VULNERABLE -- got appid

Note the extra line of output:

[-] [192.168.1.100]:3389 - Max sends reached, waiting...

Also, in the case that the machine is patched, the tool times out at around 2 minutes.

@robertdavidgraham can you look into this?
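A small triage script, added here as an example and not part of this issue or of rdpscan itself, that applies the heuristic described above to rdpscan debug output: any host whose trace contains the "Max sends reached, waiting..." line before a VULNERABLE verdict is downgraded to REVERIFY so it can be checked against patch records instead of being treated as a confirmed hit. The sample output and the SAFE line's wording are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of rdpscan "-d" output for three hosts (not real scan data).
# Host .100 shows the "Max sends reached" line before its verdict, the pattern this
# thread associates with a patched machine being reported as VULNERABLE.
SAMPLE_OUTPUT = """\
[+] [192.168.1.100]:3389 - connecting...
[+] [192.168.1.100]:3389 - connected from [192.168.1.100]:57098
[+] [192.168.1.100]:3389 - version = v4.8
[+] [192.168.1.100]:3389 - sending 1 channels
[+] [192.168.1.100]:3389 - Sending MS_T120 check packet
[-] [192.168.1.100]:3389 - Max sends reached, waiting...
192.168.1.100 - VULNERABLE -- got appid
[+] [192.168.1.101]:3389 - connecting...
[+] [192.168.1.101]:3389 - connected from [192.168.1.100]:57099
[+] [192.168.1.101]:3389 - version = v4.8
[+] [192.168.1.101]:3389 - sending 1 channels
[+] [192.168.1.101]:3389 - Sending MS_T120 check packet
192.168.1.101 - VULNERABLE -- got appid
192.168.1.102 - SAFE - target appears patched (wording assumed)
"""

# "[+] [host]:port - message" debug lines and "host - VERDICT ..." result lines.
DEBUG_LINE = re.compile(r"^\[[+\- ]\] \[([^\]]+)\]:\d+ - (.*)$")
VERDICT_LINE = re.compile(r"^(\S+) - (VULNERABLE|SAFE|UNKNOWN)\b")


def triage(output: str) -> dict:
    """Map each host to its verdict; a VULNERABLE verdict becomes REVERIFY when
    that host's trace contained the 'Max sends reached' line."""
    saw_max_sends = defaultdict(bool)
    verdicts = {}
    for line in output.splitlines():
        m = DEBUG_LINE.match(line)
        if m:
            host, msg = m.groups()
            if msg.startswith("Max sends reached"):
                saw_max_sends[host] = True
            continue
        m = VERDICT_LINE.match(line)
        if m:
            host, verdict = m.groups()
            if verdict == "VULNERABLE" and saw_max_sends[host]:
                verdict = "REVERIFY"  # likely false positive per this thread
            verdicts[host] = verdict
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_OUTPUT).items():
        print(f"{host}\t{verdict}")
```

Feed it the output of a run with debug logging enabled (`-d`, as in the traces above); without the debug lines the "Max sends reached" marker is not present and nothing is downgraded.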

@lgrangeia

Update: using the latest version v0.0.4 seems to fix this.

@edersam2k

edersam2k commented Jul 1, 2019

I have the same issue. Two 2003 R2 servers already patched, one rdpscan says SAFE, and the other VULNERABLE. Using the latest version.

rdpscan.exe 172.18.72.33 -dddd
[+] [172.18.72.33]:3389 - connecting...
[+] [172.18.72.33]:3389 - connected from [172.18.72.108]:57922
[-] [172.18.72.33]:3389 - negotiate fail: wrong protocol, retrying with plain RDP.
[+] [172.18.72.33]:3389 - connecting...
[+] [172.18.72.33]:3389 - connected from [172.18.72.108]:57923
[+] [172.18.72.33]:3389 - version = v4.8
[ ] [172.18.72.33]:3389 - RDP4 encryption w/ RSA and RC4
[+] [172.18.72.33]:3389 - sending 1 channels
[+] [172.18.72.33]:3389 - Sending MS_T120 check packet
[+] [172.18.72.33]:3389 - Sending MS_T120 check packet (size: 0x10 - offset: 0x4)
172.18.72.33 - VULNERABLE - got appid
