Researchers present tools for scanning computers for BlueKeep vulnerability

Last month Microsoft announced that it had discovered a vulnerability in remote desktop services that could allow malicious malware to spread easily through vulnerable systems.

This vulnerability, now known as BlueKeep, was given a unique identifier, CVE-2019-0708, and affects Windows 7, Windows 2008 R2, Windows Server 2008, Windows XP and Windows Server 2003.

Considering severity severity of the problem, Microsoft released patches for all supported versions of Windows, and even for those that the company no longer supports as Windows XP and Windows Server 2003.

Since that time, many security researchers rushed to create experimental exploits that can be used by BlueKeep. Of course, there is confidence that the attackers do not sit quietly.

Read also: BlueKeep still can attack about one million of computers

Knowing that exploit of cybercriminals inevitably would be created, Microsoft issued a second warning, and the National Security Agency (NSA) issued its own council, urging Windows users to patch the system immediately.

Bleepingcomputer journalists offer two tools with which you can check if your Windows machine is vulnerable to BlueKeep.

Security researcher Rob Graham created a program called RDPScan for Windows and macOS based on the Zdesos0x0 rdesktop patch.

To use RDPScan, simply download the latest version from the project’s release section. After downloading, you can start the program from the command line using the following commands:

Scan a single host:
rdpscan [ip_address] rdpscan

Scan a range of IP addresses:
rdpscan [start_ip_address]-[end_ip_address] rdpscan

Scan a network with CIDR notation:
rdpscan [network]/[cidr_notation] rdpscan

RDPScan will check each of the IP addresses to determine if port 3389 is open, and then determine if the computer is vulnerable. To change the port that is scanned, can be used -p argument. You can also use the –workers argument to increase the scanning speed.

For a complete list of arguments, use rdpscan -h.

While scanning for vulnerabilities, list of hosts will indicate “Safe”, “Vulnerable” or “Unknown”. Appropriate security updates must be installed on all hosts marked as vulnerable.

RDPScan showing vulnerable system
RDPScan showing vulnerable system

For users of the penetration testing infrastructure from Metasploit, security researchers Zerosum0x0 and JaGoTu have also created a module that can be used to scan for the BlueKeep vulnerability.

If Metasploit installed, you can load the module with the following command:

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep

After the module is loaded, you can scan individual systems and networks.

 Metasploit scanning
Metasploit scanning


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button