nccgroup / BKScan

BlueKeep scanner supporting NLA

BKscan fixed "x11: failed to open display" issue #1

Closed nikallass closed 5 years ago

nikallass commented 5 years ago

1) Issue with x11:

$ sudo ./bkscan.sh -t 192.168.119.137
[+] Targeting 192.168.119.137:3389...
[+] No credential provided, won't support NLA
[07:58:35:866] [1:1] [ERROR][com.freerdp.client.x11] - failed to open display: :0
[07:58:35:866] [1:1] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.

Fixed with information from here

Working well now.

If you are using SSH to the Kali machine where BKScan is, you need to redefine the $DISPLAY variable: export DISPLAY=:1

2) Issue with xfreerdp asking username/password on hosts without NLA

Also added the xfreerdp -sec-nla /u:"" flags, so the scan now works on hosts without NLA; it no longer asks for a username/password.

If username/password are not provided but NLA is enabled on the host:

In --debug mode it is clear:

saidelike commented 5 years ago

Hi nikallass,

Thanks for your PR, much appreciated.

1) I still have the issue in my environment, unfortunately. I could still merge it as long as other people confirm it solves the problem for them too.

BKScan$ git log | head -n 12
commit 77b27fc9697a448224641a56cd64ff840a7c9c43
Author: nikallass <XXX>
Date:   Fri Jun 14 13:33:22 2019 +0300

    Disabling nla in xfreerdp while connecting without credentials to support not NLA checks.

commit 37754a1d0d20596961956b8325459a0e85f13869
Author: nikallass <XXX>
Date:   Fri Jun 14 13:32:57 2019 +0300

    Fixed "... failed to open display: ..." issue.

BKScan$ sudo ./bkscan.sh -t 192.168.119.141
[+] Targeting 192.168.119.141:3389...
[+] No credential provided, won't support NLA
[12:36:54:503] [1:1] [ERROR][com.freerdp.client.x11] - failed to open display: :0
[12:36:54:504] [1:1] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.

2) I have yet to replicate this issue. Can you show the output before your patch? What Windows version did you use for the server, and what RDP settings? NLA enabled? I am particularly interested in what you have checked, as in below:

Also, what users have you specified in "Select Users"?

Thanks again for improving BKScan.

nikallass commented 5 years ago

My error before the patch is the same.

Systeminfo:

I also checked with NLA enabled and with NLA disabled. Before the patch there was the same issue, and everything works with the patch.

Users:

I think the problem in your environment is not in the Windows machine, but in the attacker machine where the docker service is running. Maybe you need to install xauth (sudo apt-get install xauth, client) or xorg/openbox (sudo apt-get install xorg openbox, server).

nikallass commented 5 years ago

If you need, I can also provide access to my machine on port 3389 for you to check. By PM, of course. :)

saidelike commented 5 years ago

I have fixed 2) in 55bbb552a571ae287350d5d2e2deefe5f8bae5a7. Thanks.

One thing to note about adding -sec-nla, i.e. not supporting NLA on the client side, is that we force the client to not support NLA, so:

Before adding -sec-nla, we supported NLA on the client side and:

The only drawback of -sec-nla is that it means we need to:

nikallass commented 5 years ago

Yeah, that's true. Not very good to scan twice. But it is the only way, as I see it.

nikallass commented 5 years ago

Hey, in your last commit in bkscan.sh you missed: --user=$USER \ It's important for solving the x11 issue.

saidelike commented 5 years ago

Just to clarify, the fix you proposed for the DISPLAY/X11 issue didn't work in my environment. Also, you confirmed to me by DM that it didn't completely work after your computer came out of hibernation.

So I am not going to merge the changes until we confirm it actually works.

seajaysec commented 5 years ago

This fixed the issue for me. Thanks, @nikallass!

saidelike commented 5 years ago

Thanks for confirming, chrsjhnsn. I've merged the changes due to multiple people confirming it helped them, even if it does not work with my distro.

Closing this. Please open another issue if you still have the problem, and detail your environment.

nikallass commented 5 years ago

Check the latest commit. There are some excessive arguments. https://github.com/nccgroup/BKScan/commit/1b5103ed1bb2e531e47257c601f56b5746462c15