Nmap Development mailing list archives

Re: Cannot forward RDP using ncat


From: David Fifield <david () bamsoftware com>
Date: Wed, 7 Jul 2010 11:26:12 -0600

On Tue, Jun 29, 2010 at 07:30:11PM -0400, Green Natalie wrote:
> Hello,
> 
> I have found that I cannot redirect RDP (mstsc.exe) connections to
> another Microsoft host. After turning off Remote Desktop Protocol on
> my own host so that ncat can accept the session redirect handling, I
> run the following on my host:
> 
> ncat --sh-exec "ncat target1 3389" -l 3389
> 
> Where "target1" is the host that I want my RDP session to get forwarded to.
> 
> I then open mstsc.exe, type in my own hostname, I disable "Bitmap
> Caching", and try to connect. Only twice out of about ten attempts did
> I get an RDP screen, but I never got anything but a black screen; I
> should have gotten a login screen.
> 
> I researched this but found nothing. When running it in debug mode
> ("-vvv") here's how it looks after starting ncat, and after an RDP
> connection attempt is made through it:
> 
> C:\>ncat -vvv -l 3389 --sh-exec "ncat target1:3389"
> Ncat: Version 5.21 ( http://nmap.org/ncat )
> Ncat: Listening on 0.0.0.0:3389
> NCAT DEBUG: Initialized fdlist with 102 maxfds
> NCAT DEBUG: Added fd 1932 to list, nfds 1, maxfd 1932
> NCAT DEBUG: Added fd 0 to list, nfds 2, maxfd 1932
> NCAT DEBUG: Initialized fdlist with 100 maxfds
> NCAT DEBUG: selecting, fdmax 1932
> NCAT DEBUG: select returned 1 fds ready
> NCAT DEBUG: fd 1932 is ready
> Ncat: Connection from source1.
> NCAT DEBUG: Executing: C:\WINDOWS\system32\cmd.exe /C ncat target1:3389
> NCAT DEBUG: Creating named pipe "\\.\pipe\ncat-0"
> NCAT DEBUG: Register subprocess 0000074C at index 0.
> NCAT DEBUG: selecting, fdmax 1932
> NCAT DEBUG: Subprocess ended with exit code 259.
> NCAT DEBUG: Unregister subprocess 0000074C from index 0.
> NCAT DEBUG: Terminating subprocesses
> NCAT DEBUG: max_index 1
> NCAT DEBUG: Terminating subprocesses
> NCAT DEBUG: max_index 1
> 
> Do you have any thoughts on this? Is there something I'm missing, or
> is this not possible to do to RDP? Thanks in advance!

Thanks for this good report. Please try version 5.30BETA1. I think this
is already fixed as described in this thread:
http://seclists.org/nmap-dev/2010/q1/731. The clue was the "exit code
259".

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
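The setup in the report is a plain TCP relay: ncat listens on 3389 and, for each accepted connection, spawns a child ncat whose stdin/stdout are wired to the client socket, so bytes flow in both directions until one side hits EOF. (On Windows, exit code 259 is STILL_ACTIVE, i.e. the child was reported as "ended" while it was actually still running, which matches the "fixed in 5.30BETA1" diagnosis.) The following is an added example written for this archive page, not code from the thread or from the Ncat project: a minimal bidirectional relay in Python that does in-process what `ncat --sh-exec "ncat target1 3389" -l 3389` does with a child process, including propagating a half-close from one side to the other so a session ends cleanly instead of hanging. The echo server, the loopback addresses and the `round_trip` helper are constructed stand-ins for the RDP target and for mstsc.exe, purely so the example runs offline.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst so the
    far end sees the same EOF. This is the per-direction work ncat's child
    process does when its stdio is tied to the accepted socket."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client, target_host, target_port):
    """Relay one accepted client connection to the target in both directions."""
    upstream = socket.create_connection((target_host, target_port))
    to_target = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    to_target.start()
    _pump(upstream, client)      # target -> client on this thread
    to_target.join()
    client.close()
    upstream.close()


def start_relay(listen_host, listen_port, target_host, target_port):
    """Listen like `ncat -l <port>` and hand each connection to its own relay
    thread (ncat forks a child per connection instead). Returns the listening
    socket; use getsockname() to learn the bound port when listen_port is 0."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener closed
                return
            threading.Thread(target=relay, args=(conn, target_host, target_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the forwarded-to host: echoes bytes back and
    closes when the client half-closes. Returns the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def round_trip(port, payload, host="127.0.0.1"):
    """Constructed client (the mstsc.exe stand-in): send payload through the
    relay, half-close, and return everything that came back."""
    with socket.create_connection((host, port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            out += chunk
        return out


if __name__ == "__main__":
    echo = start_echo_server()
    rl = start_relay("127.0.0.1", 0, "127.0.0.1", echo.getsockname()[1])
    print(round_trip(rl.getsockname()[1], b"hello through the relay"))
```

The half-close handling in `_pump` is the part worth keeping in mind: a relay that only closes both sockets once either side closes will cut off data still in flight in the other direction, which shows up exactly as the intermittent, half-working sessions the report describes. Binding the listener to 127.0.0.1 rather than 0.0.0.0 (as the reported command does) keeps a forwarder like this from being reachable by anything other than local clients.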
