A python all-in-one tool to extract information, spray and bruteforce passwords on a Microsoft Remote Desktop Web Access (RDWA) application.
This python tool allows to extract various information from a Microsoft Remote Desktop Web Access (RDWA) application, such as the FQDN of the remote server, the internal AD domain name (from the FQDN), and the remote Windows Server version
$ rdwatool -h
____ ____ _ _____ __ __
/ __ \/ __ \ | / / | / /_____ ____ / /
/ /_/ / / / / | /| / / /| |/ __/ __ \/ __ \/ / @podalirius_
/ _, _/ /_/ /| |/ |/ / ___ / /_/ /_/ / /_/ / /
/_/ |_/_____/ |__/|__/_/ |_\__/\____/\____/_/ v2.0
usage: rdwatool recon [-h] [-tf TARGETS_FILE] [-tu TARGET_URLS] [-v] [--no-colors] [--debug] [-T THREADS] [-PI PROXY_IP] [-PP PROXY_PORT] [-rt REQUEST_TIMEOUT] [-k] [-L] [--export-xlsx EXPORT_XLSX] [--export-json EXPORT_JSON]
[--export-sqlite EXPORT_SQLITE]
options:
-h, --help show this help message and exit
-v, --verbose Verbose mode. (default: False)
--no-colors Disable colored output. (default: False)
--debug Debug mode, for huge verbosity. (default: False)
-T THREADS, --threads THREADS
Number of threads (default: 250)
Targets:
-tf TARGETS_FILE, --targets-file TARGETS_FILE
Path to file containing a line by line list of targets.
-tu TARGET_URLS, --target-url TARGET_URLS
Target URL of the RDWA login page.
Advanced configuration:
-PI PROXY_IP, --proxy-ip PROXY_IP
Proxy IP.
-PP PROXY_PORT, --proxy-port PROXY_PORT
Proxy port
-rt REQUEST_TIMEOUT, --request-timeout REQUEST_TIMEOUT
Set the timeout of HTTP requests.
-k, --insecure Allow insecure server connections when using SSL (default: False)
-L, --location Follow redirects (default: False)
Export results:
--export-xlsx EXPORT_XLSX
Output XLSX file to store the results in.
--export-json EXPORT_JSON
Output JSON file to store the results in.
--export-sqlite EXPORT_SQLITE
Output SQLITE3 file to store the results in.
demo.mp4
-
In
reconmode:rdwatool recon -tf ./subdomains.txt
-
In
spraymode:rdwatool spray -tu https://rds.podalirius.net/RDWeb/Pages/en-US/login.aspx
-
In
brutemode:rdwatool brute -tu https://rds.podalirius.net/RDWeb/Pages/en-US/login.aspx
Pull requests are welcome. Feel free to open an issue if you want to add other features.
There is much pre-filled information on the login.aspx page of the Remote Desktop Web Access (RDWA) application. In the input fields WorkSpaceID and/or RedirectorName we can find the FQDN of the remote server, and WorkspaceFriendlyName can contain a text description of the workspace.
<form id="FrmLogin" name="FrmLogin" action="login.aspx?ReturnUrl=%2FRDWeb%2FPages%2Fen-US%2FDefault.aspx" method="post" onsubmit="return onLoginFormSubmit()">
<input type="hidden" name="WorkSpaceID" value="DC01.lab.local"/>
<input type="hidden" name="RDPCertificates" value="E7100C72B6C11A5D14DE115D801E100C79143C19"/>
<input type="hidden" name="PublicModeTimeout" value="20"/>
<input type="hidden" name="PrivateModeTimeout" value="240"/>
<input type="hidden" name="WorkspaceFriendlyName" value="Workspace%20friendly%20name%20or%20description"/>
<input type="hidden" name="EventLogUploadAddress" value=""/>
<input type="hidden" name="RedirectorName" value="DC01.lab.local"/>
<input type="hidden" name="ClaimsHint" value=""/>
<input type="hidden" name="ClaimsToken" value=""/>
<input name="isUtf8" type="hidden" value="1"/>
<input type="hidden" name="flags" value="0"/>
...
</form>The rdwatool tool automatically parses this form and extract all the information.
If the remote RDWeb installation is not hardened, there is a high chance that the default version image file /RDWeb/Pages/images/WS_h_c.png is still accessible (even if not linked on the login page). This is really awesome as we can compare its sha256 hash value directly with a known table of the windows banners of this service:
| Windows OS | SHA256 hash | Banner |
|---|---|---|
| Windows Server 2008 R2 | 5a8a77dc7ffd463647987c0de6df2c870f42819ec03bbd02a3ea9601e2ed8a4b |
 |
| Windows Server 2012 R2 | 4560591682d433c7fa190c6bf40827110e219929932dc6dc049697529c8a98bc |
 |
| Windows Server 2012 R2 | 3d9b56811a5126a6d3b78a692c2278d588d495ee215173f752ce4cbf8102921c |
 |
| Windows Server 2016 | fb1505aadeab42d82100c4d23d421f421c858feae98332c55a4b9595f4cea541 |
 |
| Windows Server 2016 | 3dbbeff5a0def7e0ba8ea383e5059eaa6acc37f7f8857218d44274fc029cfc4b |
 |
| Windows Server 2019 | 2da4eb15fda2b7c80a94b9b2c5a3e104e2a9a2d9e9b3a222f5526c748fadf792 |
 |
| Windows Server 2022 | 256a6445e032875e611457374f08acb0565796c950eb9c254495d559600c0367 |
 |
The rdwatool tool automatically gets this file and compare its hash to get the remote Windows Server version.
