Update findingsDB and tweak bit for separate RDP port

minvws · Nov 25, 2024 · 6cba8d1 · 6cba8d1
1 parent 8bf3368
commit 6cba8d1
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/boefjes/boefjes/plugins/kat_kat_finding_types/kat_finding_types.json b/boefjes/boefjes/plugins/kat_kat_finding_types/kat_finding_types.json
@@ -132,6 +132,13 @@
     "impact": "System administrator ports should only be reachable from safe and known locations to reduce attack surface.",
     "recommendation": "Determine if this port should be reachable from the identified location. Limit access to reduce the attack surface if necessary."
   },
+  "KAT-REMOTE-DESKTOP-PORT": {
+    "description": "An open Microsoft Remote Desktop Protocol (RDP) port was detected.",
+    "source": "https://www.cloudflare.com/en-gb/learning/access-management/rdp-security-risks/",
+    "risk": "critical",
+    "impact":"Remote desktop ports are often the root cause in ransomware attacks, due to weak password usage, outdated software or insecure configurations.",
+    "recommendation": "Disable the Microsoft RDP service on port 3389 if this is publicly reachable. Add additional security layers, such as VPN access if these ports do require to be enabled to limit the attack surface."
+  },
   "KAT-OPEN-DATABASE-PORT": {
     "description": "A database port is open.",
     "source": "https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers",

diff --git a/octopoes/bits/port_classification_ip/port_classification_ip.py b/octopoes/bits/port_classification_ip/port_classification_ip.py
@@ -26,7 +26,6 @@
     21,  # FTP
     22,  # SSH
     23,  # Telnet
-    3389,  # Remote Desktop
     5900,  # VNC
 ]
 DB_TCP_PORTS = [
@@ -36,6 +35,9 @@
     3306,  # MySQL
     5432,  # PostgreSQL
 ]
+MICROSOFT_RDP_PORTS = [
+    3389,  # Microsoft Remote Desktop
+]
 
 
 def get_ports_from_config(config, config_key, default):
@@ -53,6 +55,7 @@ def run(input_ooi: IPPort, additional_oois: list, config: dict[str, Any]) -> Ite
     common_udp_ports = get_ports_from_config(config, "common_udp_ports", COMMON_UDP_PORTS)
     sa_tcp_ports = get_ports_from_config(config, "sa_tcp_ports", SA_TCP_PORTS)
     db_tcp_ports = get_ports_from_config(config, "db_tcp_ports", DB_TCP_PORTS)
+    microsoft_rdp_ports = get_ports_from_config(config, "microsoft_rdp_ports", MICROSOFT_RDP_PORTS)
 
     for ip_port in additional_oois:
         port = ip_port.port
@@ -79,6 +82,17 @@ def run(input_ooi: IPPort, additional_oois: list, config: dict[str, Any]) -> Ite
                     ooi=ip_port.reference,
                     description=f"Port {port}/{protocol.value} is a database port and should not be open.",
                 )
+        elif (protocol == Protocol.TCP or protocol == Protocol.UDP) and port in microsoft_rdp_ports:
+            open_rdp_port = KATFindingType(id="KAT-REMOTE-DESKTOP-PORT")
+            if aggregate_findings:
+                open_ports.append(ip_port.port)
+            else:
+                yield open_rdp_port
+                yield Finding(
+                    finding_type=open_rdp_port.reference,
+                    ooi=ip_port.reference,
+                    description=f"Port {port}/{protocol.value} is a Microsoft Remote Desktop port and should not be open.",
+                )
         elif (protocol == Protocol.TCP and port not in common_tcp_ports) or (
             protocol == Protocol.UDP and port not in common_udp_ports
         ):