Nmap Development mailing list archives

RE: Cannot forward RDP using ncat


From: Green Natalie <Green.Natalie () pbgc gov>
Date: Fri, 9 Jul 2010 18:59:16 -0400

Hi David,

Thanks for that info. I updated to the beta and it worked perfectly - when connecting from workstation to workstation 
or server to server, but not when they're mixed. That's when I get a 0x1104 error, but that apparently has nothing to 
do with ncat. See this:
http://support.microsoft.com/kb/898060

We applied the MS06-007 patch to our servers, so I don't know why it's buggin', but the beta version definitely allows 
the connections to work perfectly in many cases. Thanks a bunch!

Quick question: insecure.org is blocked, but nmap.org is open to us. I would like to send nmap protocol info but 
currently cannot and they will not open that site any time soon. Is there an alternate site, or an email, that I can 
use to get the info up? We've got lots of varieties of protocols that might well help the nmap world. :)

Regards,
Natalie

-----Original Message-----
From: David Fifield [mailto:david () bamsoftware com]
Sent: Wednesday, July 07, 2010 1:26 PM
To: Green Natalie
Cc: 'nmap-dev () insecure org'
Subject: Re: Cannot forward RDP using ncat

On Tue, Jun 29, 2010 at 07:30:11PM -0400, Green Natalie wrote:
Hello,

I have found that I cannot redirect RDP (mstsc.exe) connections to
another Microsoft host. After turning off Remote Desktop Protocol on
my own host so that ncat can accept the session redirect handling, I
run the following on my host:

ncat --sh-exec "ncat target1 3389" -l 3389

Where "target1" is the host that I want my RDP session to get forwarded to.

I then open mstsc.exe, type in my own hostname, I disable "Bitmap
Caching", and try to connect. Only twice out of about ten attempts did
I get an RDP screen, but I never got anything but a black screen; I
should have gotten a login screen.

I researched this but found nothing. When running it in debug mode
("-vvv") here's how it looks after starting ncat, and after an RDP
connection attempt is made through it:

C:\>ncat -vvv -l 3389 --sh-exec "ncat target1:3389"
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:3389
NCAT DEBUG: Initialized fdlist with 102 maxfds
NCAT DEBUG: Added fd 1932 to list, nfds 1, maxfd 1932
NCAT DEBUG: Added fd 0 to list, nfds 2, maxfd 1932
NCAT DEBUG: Initialized fdlist with 100 maxfds
NCAT DEBUG: selecting, fdmax 1932
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 1932 is ready
Ncat: Connection from source1.
NCAT DEBUG: Executing: C:\WINDOWS\system32\cmd.exe /C ncat target1:3389
NCAT DEBUG: Creating named pipe "\\.\pipe\ncat-0"
NCAT DEBUG: Register subprocess 0000074C at index 0.
NCAT DEBUG: selecting, fdmax 1932
NCAT DEBUG: Subprocess ended with exit code 259.
NCAT DEBUG: Unregister subprocess 0000074C from index 0.
NCAT DEBUG: Terminating subprocesses
NCAT DEBUG: max_index 1
NCAT DEBUG: Terminating subprocesses
NCAT DEBUG: max_index 1

Do you have any thoughts on this? Is there something I'm missing, or
is this not possible to do to RDP? Thanks in advance!

Thanks for this good report. Please try version 5.30BETA1. I think this is already fixed as described in this thread:
http://seclists.org/nmap-dev/2010/q1/731. The clue was the "exit code 259".

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

