A python script to extract information from a Microsoft Remote Desktop Web Access (RDWA) application
p0dalirius/RDWAtool
A python all-in-one tool to extract information, spray and bruteforce passwords on a Microsoft Remote Desktop Web Access (RDWA) application.
This python tool extracts various information from a Microsoft Remote Desktop Web Access (RDWA) application, such as the FQDN of the remote server, the internal AD domain name (from the FQDN), and the remote Windows Server version.
```
$ rdwatool -h
    ____  ____ _       _____   __              __
   / __ \/ __ \ |     / /   | / /_____  ____  / /
  / /_/ / / / / | /| / / /| |/ __/ __ \/ __ \/ /    @podalirius_
 / _, _/ /_/ /| |/ |/ / ___ / /_/ /_/ / /_/ / /
/_/ |_/_____/ |__/|__/_/  |_\__/\____/\____/_/    v2.0

usage: rdwatool recon [-h] [-tf TARGETS_FILE] [-tu TARGET_URLS] [-v] [--no-colors] [--debug] [-T THREADS] [-PI PROXY_IP] [-PP PROXY_PORT]
                      [-rt REQUEST_TIMEOUT] [-k] [-L] [--export-xlsx EXPORT_XLSX] [--export-json EXPORT_JSON] [--export-sqlite EXPORT_SQLITE]

options:
  -h, --help            show this help message and exit
  -v, --verbose         Verbose mode. (default: False)
  --no-colors           Disable colored output. (default: False)
  --debug               Debug mode, for huge verbosity. (default: False)
  -T THREADS, --threads THREADS
                        Number of threads (default: 250)

Targets:
  -tf TARGETS_FILE, --targets-file TARGETS_FILE
                        Path to file containing a line by line list of targets.
  -tu TARGET_URLS, --target-url TARGET_URLS
                        Target URL of the RDWA login page.

Advanced configuration:
  -PI PROXY_IP, --proxy-ip PROXY_IP
                        Proxy IP.
  -PP PROXY_PORT, --proxy-port PROXY_PORT
                        Proxy port
  -rt REQUEST_TIMEOUT, --request-timeout REQUEST_TIMEOUT
                        Set the timeout of HTTP requests.
  -k, --insecure        Allow insecure server connections when using SSL (default: False)
  -L, --location        Follow redirects (default: False)

Export results:
  --export-xlsx EXPORT_XLSX
                        Output XLSX file to store the results in.
  --export-json EXPORT_JSON
                        Output JSON file to store the results in.
  --export-sqlite EXPORT_SQLITE
                        Output SQLITE3 file to store the results in.
```
- In `recon` mode: `rdwatool recon -tf ./subdomains.txt`
- In `spray` mode: `rdwatool spray -tu https://rds.podalirius.net/RDWeb/Pages/en-US/login.aspx`
- In `brute` mode: `rdwatool brute -tu https://rds.podalirius.net/RDWeb/Pages/en-US/login.aspx`
Pull requests are welcome. Feel free to open an issue if you want to add other features.
There is much pre-filled information on the `login.aspx` page of the Remote Desktop Web Access (RDWA) application. In the input fields `WorkSpaceID` and/or `RedirectorName` we can find the FQDN of the remote server, and `WorkspaceFriendlyName` can contain a text description of the workspace.
```html
<form id="FrmLogin" name="FrmLogin" action="login.aspx?ReturnUrl=%2FRDWeb%2FPages%2Fen-US%2FDefault.aspx" method="post" onsubmit="return onLoginFormSubmit()">
    <input type="hidden" name="WorkSpaceID" value="DC01.lab.local"/>
    <input type="hidden" name="RDPCertificates" value="E7100C72B6C11A5D14DE115D801E100C79143C19"/>
    <input type="hidden" name="PublicModeTimeout" value="20"/>
    <input type="hidden" name="PrivateModeTimeout" value="240"/>
    <input type="hidden" name="WorkspaceFriendlyName" value="Workspace%20friendly%20name%20or%20description"/>
    <input type="hidden" name="EventLogUploadAddress" value=""/>
    <input type="hidden" name="RedirectorName" value="DC01.lab.local"/>
    <input type="hidden" name="ClaimsHint" value=""/>
    <input type="hidden" name="ClaimsToken" value=""/>
    <input name="isUtf8" type="hidden" value="1"/>
    <input type="hidden" name="flags" value="0"/>
    ...
</form>
```
The rdwatool tool automatically parses this form and extracts all the information.
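To see what an unauthenticated visitor can read from this form on your own deployment, here is an added example (not RDWAtool's own code) that parses the hidden fields named above from saved page HTML and derives the host name and AD domain from the FQDN. `SAMPLE` is constructed from the form shown above, and the names `LoginFormParser` and `audit_login_page` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Fields the page names as carrying server details.
FIELDS = ("WorkSpaceID", "RedirectorName", "WorkspaceFriendlyName")

# Constructed sample, trimmed from the form shown above.
SAMPLE = '''<form id="FrmLogin" name="FrmLogin" method="post">
<input type="hidden" name="WorkSpaceID" value="DC01.lab.local"/>
<input type="hidden" name="WorkspaceFriendlyName" value="Workspace%20friendly%20name%20or%20description"/>
<input type="hidden" name="RedirectorName" value="DC01.lab.local"/>
<input name="isUtf8" type="hidden" value="1"/>
</form>'''


class LoginFormParser(HTMLParser):
    """Collect name/value pairs of <input> tags inside form FrmLogin."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("id") == "FrmLogin":
            self.in_form = True
        elif tag == "input" and self.in_form and a.get("name"):
            self.inputs[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def audit_login_page(html):
    """Return what the login page discloses: fqdn, domain, friendly name."""
    p = LoginFormParser()
    p.feed(html)
    # WorkspaceFriendlyName is URL-encoded in the page, so decode every value.
    found = {k: unquote(p.inputs.get(k, "")) for k in FIELDS}
    fqdn = found["WorkSpaceID"] or found["RedirectorName"]
    # Only a dotted name carries the AD domain; a bare host name does not.
    host, _, domain = fqdn.partition(".")
    return {"fqdn": fqdn or None, "hostname": host or None,
            "domain": domain or None,
            "friendly_name": found["WorkspaceFriendlyName"] or None}


if __name__ == "__main__":
    print(audit_login_page(SAMPLE))
```

A non-`None` `domain` in the result means the login page exposes the internal AD domain name to anyone who can load it.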
If the remote RDWeb installation is not hardened, there is a high chance that the default version image file `/RDWeb/Pages/images/WS_h_c.png` is still accessible (even if not linked on the login page). This is really awesome as we can compare its sha256 hash value directly with a known table of the Windows banners of this service:
The rdwatool tool automatically gets this file and compares its hash to get the remote Windows Server version.