HIGH: Accessible RDP Report

DESCRIPTION LAST UPDATED: 2023-12-27

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have Remote Desktop (RDP) Service running and are accessible to the world on the Internet.

Misconfigured RDP can allow attackers access to the desktop of a vulnerable host and can also allow for information-gathering on a target host, as the SSL certificate used by RDP often contains the system’s trivial hostname.

You can learn more on the report in our Accessible RDP Report tutorial.

You can track the latest RDP scan results on our Dashboard.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

As of 2022-07-06, this report now comes in two versions, IPv4 and IPv6.

Filename(s): scan_rdp, scan6_rdp

 

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the response came on (always TCP)
  • port
    Port that the response came from (3389/TCP)
  • hostname
    Hostname is either reverse DNS of the IP device in question or if that is not obtained and the subject_common_name in the RDP/SSL certificate has a domain present, the subject_common_name is copied to the host name
  • tag
    For example, rdp
  • handshake
    The highest SSL handshake that could be negotiated (TLSv1.2, TLSv1.1, TLSv1.0, SSLv3)
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • rdp_protocol
    The version of RDP protocol that responded; valid responses are RDP (aka RDP Security), RDP_negotiation_ignored (this can be old versions of windows or xrdp), unsupported (no idea what this is), CredSSP_Enforced (Hybrid Security, NLA), SSL_Enforced (TLS security is mandated)
  • cert_length
    Length of the Certificate (1024, 2048, 4096, et cetera)
  • subject_common_name
    The Common Name (CN) of the SSL certificate
  • issuer_common_name
    The Common Name of the entity that signed the SSL certificate
  • cert_issue_date
    Date when the SSL certificate became valid
  • cert_expiration_date
    Date when the SSL certificate expires
  • sha1_fingerprint
    SHA1 fingerprint of the certificate
  • cert_serial_number
    Serial number embedded in the certificate
  • ssl_version
    SSL Version
  • signature_algorithm
    Algorithm used to sign the certificate
  • key_algorithm
    Algorithm used by the key
  • sha256_fingerprint
    SHA256 fingerprint of the certificate
  • sha512_fingerprint
    SHA512 fingerprint of the certificate
  • md5_fingerprint
    MD5 fingerprint of the certificate
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector the IP belongs to
  • tlsv13_support
    TLS 1.3 if supported
  • tlsv13_cipher
    TLS 1.3 ciphers supported
  • jarm
    JARM fingerprint

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","handshake","asn","geo","region","city","rdp_protocol","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","naics","hostname_source","sector","tlsv13_support","tlsv13_cipher","jarm"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,3389,node01.example.com,rdp,,64512,ZZ,Region,City,,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,,,rsaEncryption,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,0,,,,,
"2010-02-10 00:00:01",high,192.168.0.2,tcp,3389,node02.example.com,rdp,,64512,ZZ,Region,City,CredSSP_Enforced,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,0,,,,,
"2010-02-10 00:00:02",high,192.168.0.3,tcp,3389,node03.example.com,rdp,,64512,ZZ,Region,City,CredSSP_Enforced,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,0,,,,,

Our 124 Report Types