{"id":17995015,"url":"https://github.com/p0dalirius/rdwatool","last_synced_at":"2025-04-06T19:10:56.726Z","repository":{"id":41381779,"uuid":"455221062","full_name":"p0dalirius/RDWAtool","owner":"p0dalirius","description":"A python script to extract information from a Microsoft Remote Desktop Web Access (RDWA) application ","archived":false,"fork":false,"pushed_at":"2025-02-11T07:43:15.000Z","size":957,"stargazers_count":97,"open_issues_count":1,"forks_count":16,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-30T18:07:54.766Z","etag":null,"topics":["active-directory","domain","python","rdp","rdwa","recon","web"],"latest_commit_sha":null,"homepage":"https://podalirius.net/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/p0dalirius.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"p0dalirius","patreon":"Podalirius"}},"created_at":"2022-02-03T15:34:32.000Z","updated_at":"2025-03-02T22:24:44.000Z","dependencies_parsed_at":"2024-03-22T15:46:02.440Z","dependency_job_id":null,"html_url":"https://github.com/p0dalirius/RDWAtool","commit_stats":null,"previous_names":["p0dalirius/rdwatool"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p0dalirius%2FRDWAtool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p0dalirius%2FRDWAtool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p0dalirius%2FRDWAtool/releases","manifests_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/p0dalirius%2FRDWAtool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/p0dalirius","download_url":"https://codeload.github.com/p0dalirius/RDWAtool/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247535516,"owners_count":20954576,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","domain","python","rdp","rdwa","recon","web"],"created_at":"2024-10-29T20:17:33.453Z","updated_at":"2025-04-06T19:10:56.706Z","avatar_url":"https://github.com/p0dalirius.png","language":"Python","funding_links":["https://github.com/sponsors/p0dalirius","https://patreon.com/Podalirius"],"categories":[],"sub_categories":[],"readme":"![banner](./.github/banner.png)\n\n\u003cp align=\"center\"\u003e\n  A python all-in-one tool to extract information, spray and bruteforce passwords on a Microsoft Remote Desktop Web Access (RDWA) application.\n  \u003cbr\u003e\n  \u003cimg alt=\"GitHub release (latest by date)\" src=\"https://img.shields.io/github/v/release/p0dalirius/RDWArecon\"\u003e\n  \u003ca href=\"https://twitter.com/intent/follow?screen_name=podalirius_\" title=\"Follow\"\u003e\u003cimg src=\"https://img.shields.io/twitter/follow/podalirius_?label=Podalirius\u0026style=social\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.youtube.com/c/Podalirius_?sub_confirmation=1\" title=\"Subscribe\"\u003e\u003cimg alt=\"YouTube Channel Subscribers\" 
src=\"https://img.shields.io/youtube/channel/subscribers/UCF_x5O7CSfr82AfNVTKOv_A?style=social\"\u003e\u003c/a\u003e\n  \u003cbr\u003e\n\u003c/p\u003e\n\nThis Python tool extracts various information from a Microsoft Remote Desktop Web Access (RDWA) application, such as the FQDN of the remote server, the internal AD domain name (from the FQDN), and the remote Windows Server version.\n\n## Usage\n\n```\n$ rdwatool -h\n           ____  ____ _       _____   __              __\n          / __ \\/ __ \\ |     / /   | / /_____  ____  / /\n         / /_/ / / / / | /| / / /| |/ __/ __ \\/ __ \\/ /    @podalirius_\n        / _, _/ /_/ /| |/ |/ / ___ / /_/ /_/ / /_/ / /  \n       /_/ |_/_____/ |__/|__/_/  |_\\__/\\____/\\____/_/      v2.0\n    \nusage: rdwatool recon [-h] [-tf TARGETS_FILE] [-tu TARGET_URLS] [-v] [--no-colors] [--debug] [-T THREADS] [-PI PROXY_IP] [-PP PROXY_PORT] [-rt REQUEST_TIMEOUT] [-k] [-L] [--export-xlsx EXPORT_XLSX] [--export-json EXPORT_JSON]\n                      [--export-sqlite EXPORT_SQLITE]\n\noptions:\n  -h, --help            show this help message and exit\n  -v, --verbose         Verbose mode. (default: False)\n  --no-colors           Disable colored output. (default: False)\n  --debug               Debug mode, for huge verbosity. 
(default: False)\n  -T THREADS, --threads THREADS\n                        Number of threads (default: 250)\n\nTargets:\n  -tf TARGETS_FILE, --targets-file TARGETS_FILE\n                        Path to file containing a line by line list of targets.\n  -tu TARGET_URLS, --target-url TARGET_URLS\n                        Target URL of the RDWA login page.\n\nAdvanced configuration:\n  -PI PROXY_IP, --proxy-ip PROXY_IP\n                        Proxy IP.\n  -PP PROXY_PORT, --proxy-port PROXY_PORT\n                        Proxy port\n  -rt REQUEST_TIMEOUT, --request-timeout REQUEST_TIMEOUT\n                        Set the timeout of HTTP requests.\n  -k, --insecure        Allow insecure server connections when using SSL (default: False)\n  -L, --location        Follow redirects (default: False)\n\nExport results:\n  --export-xlsx EXPORT_XLSX\n                        Output XLSX file to store the results in.\n  --export-json EXPORT_JSON\n                        Output JSON file to store the results in.\n  --export-sqlite EXPORT_SQLITE\n                        Output SQLITE3 file to store the results in.\n```\n\n## Demonstration\n\nhttps://user-images.githubusercontent.com/79218792/152828736-e2e39305-8167-432e-ac3a-3449ea9ff414.mp4\n\n## Example of output\n\n - **In `recon` mode**:\n\n    ```\n    rdwatool recon -tf ./subdomains.txt\n    ```\n\n![](./.github/example_recon.png)\n\n - **In `spray` mode**:\n\n    ```\n    rdwatool spray -tu https://rds.podalirius.net/RDWeb/Pages/en-US/login.aspx\n    ```\n\n![](./.github/example_spray.png)\n\n - **In `brute` mode**:\n\n    ```\n    rdwatool brute -tu https://rds.podalirius.net/RDWeb/Pages/en-US/login.aspx\n    ```\n\n![](./.github/example_brute.png)\n\n## Contributing\n\nPull requests are welcome. 
Feel free to open an issue if you want to add other features.\n\n## How it works\n\n### Getting information about the remote server\n\nA lot of information is pre-filled on the `login.aspx` page of the Remote Desktop Web Access (RDWA) application. In the input fields `WorkSpaceID` and/or `RedirectorName` we can find the FQDN of the remote server, and `WorkspaceFriendlyName` can contain a text description of the workspace. \n\n```html\n\u003cform id=\"FrmLogin\" name=\"FrmLogin\" action=\"login.aspx?ReturnUrl=%2FRDWeb%2FPages%2Fen-US%2FDefault.aspx\" method=\"post\" onsubmit=\"return onLoginFormSubmit()\"\u003e\n    \u003cinput type=\"hidden\" name=\"WorkSpaceID\" value=\"DC01.lab.local\"/\u003e\n    \u003cinput type=\"hidden\" name=\"RDPCertificates\" value=\"E7100C72B6C11A5D14DE115D801E100C79143C19\"/\u003e\n    \u003cinput type=\"hidden\" name=\"PublicModeTimeout\" value=\"20\"/\u003e\n    \u003cinput type=\"hidden\" name=\"PrivateModeTimeout\" value=\"240\"/\u003e\n    \u003cinput type=\"hidden\" name=\"WorkspaceFriendlyName\" value=\"Workspace%20friendly%20name%20or%20description\"/\u003e\n    \u003cinput type=\"hidden\" name=\"EventLogUploadAddress\" value=\"\"/\u003e\n    \u003cinput type=\"hidden\" name=\"RedirectorName\" value=\"DC01.lab.local\"/\u003e\n    \u003cinput type=\"hidden\" name=\"ClaimsHint\" value=\"\"/\u003e\n    \u003cinput type=\"hidden\" name=\"ClaimsToken\" value=\"\"/\u003e\n    \n    \u003cinput name=\"isUtf8\" type=\"hidden\" value=\"1\"/\u003e\n    \u003cinput type=\"hidden\" name=\"flags\" value=\"0\"/\u003e\n...\n\u003c/form\u003e\n```\n\nThe rdwatool tool automatically parses this form and extracts all the information.\n\n### OS version banner image\n\nIf the remote RDWeb installation is not hardened, there is a high chance that the default version image file `/RDWeb/Pages/images/WS_h_c.png` is still accessible (even if not linked on the login page). 
This is really awesome as we can compare its SHA256 hash value directly with a known table of the Windows banners of this service:\n\n| Windows OS                 | SHA256 hash                                                        | Banner                                                            |\n|----------------------------|--------------------------------------------------------------------|-------------------------------------------------------------------|\n| **Windows Server 2008 R2** | `5a8a77dc7ffd463647987c0de6df2c870f42819ec03bbd02a3ea9601e2ed8a4b` | ![](version_images/Windows%20Server%202008%20R2.png)            | \n| **Windows Server 2012 R2** | `4560591682d433c7fa190c6bf40827110e219929932dc6dc049697529c8a98bc` | ![](version_images/Windows%20Server%202012%20R2_white.png)      | \n| **Windows Server 2012 R2** | `3d9b56811a5126a6d3b78a692c2278d588d495ee215173f752ce4cbf8102921c` | ![](version_images/Windows%20Server%202012%20R2_black.png)      | \n| **Windows Server 2016**    | `fb1505aadeab42d82100c4d23d421f421c858feae98332c55a4b9595f4cea541` | ![](version_images/Windows%20Server%202016_black_bg_white.png)  | \n| **Windows Server 2016**    | `3dbbeff5a0def7e0ba8ea383e5059eaa6acc37f7f8857218d44274fc029cfc4b` | ![](version_images/Windows%20Server%202016_black.png)           | \n| **Windows Server 2019**    | `2da4eb15fda2b7c80a94b9b2c5a3e104e2a9a2d9e9b3a222f5526c748fadf792` | ![](version_images/Windows%20Server%202019_black.png)           | \n| **Windows Server 2022**    | `256a6445e032875e611457374f08acb0565796c950eb9c254495d559600c0367` | ![](version_images/Windows%20Server%202022_black.png)           | \n\nThe rdwatool tool automatically gets this file and compares its hash to get the remote Windows Server version.\n\n## References\n - 
https://twitter.com/podalirius_/status/1490734021332160525\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fp0dalirius%2Frdwatool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fp0dalirius%2Frdwatool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fp0dalirius%2Frdwatool/lists"}