Accessible RDP Report

LAST UPDATED: 2022-07-07

This report identifies hosts that have Remote Desktop (RDP) Service running and are accessible to the world on the Internet.

Misconfigured RDP can give attackers access to the desktop of a vulnerable host. It also allows information gathering on a target host, as the SSL certificate used by RDP often contains the system’s trivial hostname.

For more details on the scan methodology and a daily update of global RDP scan statistics, please visit our dedicated Accessible RDP scan page.

You can learn more about the report in our Accessible RDP Report tutorial.

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

For more information on our scanning efforts, check out our Internet scanning summary page.

As of 2022-07-06, this report now comes in two versions, IPv4 and IPv6.

Filename(s): scan_rdp, scan6_rdp

 

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the response came on (always TCP)
  • port
    Port that the response came from (3389/TCP)
  • hostname
    Reverse DNS of the IP of the device in question; if that is not obtained and the subject_common_name in the RDP/SSL certificate has a domain present, the subject_common_name is copied to the hostname
  • tag
    Will always be rdp
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • rdp_protocol
    The version of the RDP protocol that responded; valid responses are RDP (aka RDP Security), RDP_negotiation_ignored (this can be old versions of Windows or xrdp), unsupported (no idea what this is), CredSSP_Enforced (Hybrid Security, NLA), SSL_Enforced (TLS security is mandated)
  • cert_length
    Length of the Certificate (1024, 2048, 4096, et cetera)
  • subject_common_name
    The Common Name (CN) of the SSL certificate
  • issuer_common_name
    The Common Name of the entity that signed the SSL certificate
  • cert_issue_date
    Date when the SSL certificate became valid
  • cert_expiration_date
    Date when the SSL certificate expires
  • sha1_fingerprint
    SHA1 fingerprint of the certificate
  • cert_serial_number
    Serial number embedded in the certificate
  • ssl_version
    SSL Version
  • signature_algorithm
    Algorithm used to sign the certificate
  • key_algorithm
    Algorithm used by the key
  • sha256_fingerprint
    SHA256 fingerprint of the certificate
  • sha512_fingerprint
    SHA512 fingerprint of the certificate
  • md5_fingerprint
    MD5 fingerprint of the certificate
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • sector
    device sector
  • tlsv13_support
    TLS 1.3 if supported
  • tlsv13_cipher
    TLS 1.3 ciphers supported
  • cve20190708_vulnerable
    If vulnerable to CVE-2019-0708
  • bluekeep_vulnerable
    If vulnerable to BlueKeep (same as above)
  • jarm
    JARM fingerprint

Sample

timestamp,ip,port,hostname,tag,handshake,asn,geo,region,city,rdp_protocol,cert_length,subject_common_name,issuer_common_name,cert_issue_date,cert_expiration_date,sha1_fingerprint,cert_serial_number,ssl_version,signature_algorithm,key_algorithm,sha256_fingerprint,sha512_fingerprint,md5_fingerprint,naics,sic,sector,tlsv13_support,tlsv13_cipher,cve20190708_vulnerable,bluekeep_vulnerable,jarm
"2010-02-10 00:00:00",192.168.0.1,3389,node01.example.com,rdp,,64512,ZZ,Region,City,CredSSP_Enforced,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,0,0,"Communications, Service Provider, and Hosting Service",,,N,N,
"2010-02-10 00:00:01",192.168.0.2,3389,node02.example.com,rdp,,64512,ZZ,Region,City,CredSSP_Enforced,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,0,0,"Communications, Service Provider, and Hosting Service",,,N,N,
"2010-02-10 00:00:02",192.168.0.3,3389,node03.example.com,rdp,,64512,ZZ,Region,City,CredSSP_Enforced,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,0,0,"Communications, Service Provider, and Hosting Service",,,N,N,
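
The following is an added example, not Shadowserver code: it reads a report in the CSV layout above, keeps only rows inside your own networks (IPv4 or IPv6), and tags each host using the rdp_protocol, cve20190708_vulnerable, key_algorithm, cert_length and cert_expiration_date fields. The network list, the finding labels, the 2048-bit RSA threshold and the "Y" flag value are assumptions, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample: only the columns the triage reads, with made-up values
# from documentation address ranges. Real reports carry the full header.
SAMPLE = """timestamp,ip,port,rdp_protocol,cert_length,key_algorithm,cert_expiration_date,cve20190708_vulnerable
"2022-07-06 00:00:00",192.0.2.10,3389,CredSSP_Enforced,2048,rsaEncryption,"2023-01-01 00:00:00",N
"2022-07-06 00:00:01",192.0.2.11,3389,RDP,1024,rsaEncryption,"2021-11-12 11:18:27",Y
"2022-07-06 00:00:02",2001:db8::5,3389,SSL_Enforced,2048,rsaEncryption,"2023-01-01 00:00:00",N
"2022-07-06 00:00:03",198.51.100.7,3389,RDP,1024,rsaEncryption,"2020-01-01 00:00:00",Y
"""
DATE_FMT = "%Y-%m-%d %H:%M:%S"  # format of the date fields in the page's sample


def triage(report_text, my_networks, as_of):
    """Return {ip: [findings]} for report rows that fall inside my_networks."""
    nets = [ipaddress.ip_network(n) for n in my_networks]
    results = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        ip = ipaddress.ip_address(row["ip"])
        if not any(ip in net for net in nets):
            continue  # not ours (an IPv4/IPv6 mismatch also evaluates to False)
        findings = ["rdp-exposed"]  # every row is an Internet-reachable RDP service
        # Only CredSSP_Enforced corresponds to NLA in the field description.
        if row.get("rdp_protocol") != "CredSSP_Enforced":
            findings.append("nla-not-enforced")
        # Assumption: "Y" marks a vulnerable host (the page's sample only shows "N").
        if row.get("cve20190708_vulnerable") == "Y":
            findings.append("cve-2019-0708")
        # Assumption: RSA keys under 2048 bits are treated as weak.
        length = row.get("cert_length") or ""
        if (row.get("key_algorithm") == "rsaEncryption"
                and length.isdigit() and int(length) < 2048):
            findings.append("weak-cert-key")
        expiry = row.get("cert_expiration_date") or ""
        if expiry and datetime.strptime(expiry, DATE_FMT) < as_of:
            findings.append("cert-expired")
        results[row["ip"]] = findings
    return results


if __name__ == "__main__":
    mine = ["192.0.2.0/24", "2001:db8::/32"]  # hypothetical own address space
    for ip, found in triage(SAMPLE, mine, datetime(2022, 7, 7)).items():
        print(ip, ",".join(found))
```

Because the columns are looked up by header name, the same function works on both scan_rdp and scan6_rdp files with the full header.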
