RDWA recon v1.2 releases: extract information from a Microsoft Remote Desktop Web Access application
This Python script extracts various information from a Microsoft Remote Desktop Web Access (RDWA) application, such as the FQDN of the remote server, the internal AD domain name (from the FQDN), and the remote Windows Server version.
How it works
Getting information about the remote server
The login.aspx page of the Remote Desktop Web Access (RDWA) application contains a lot of pre-filled information. In the input fields WorkSpaceID and/or RedirectorName we can find the FQDN of the remote server, and WorkspaceFriendlyName can contain a text description of the workspace.
The RDWArecon.py tool automatically parses this form and extracts all the information.
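A defender can run the same kind of check on a saved copy of their own login.aspx to see what the form discloses before authentication. This is an added example, not code from RDWArecon.py; the sample HTML, the host names in it, and the names InputCollector and audit_login_page are constructed for illustration.

```python
from html.parser import HTMLParser

# Field names come from the text above; matching is case-insensitive.
FIELDS = ("WorkSpaceID", "RedirectorName", "WorkspaceFriendlyName")

# Constructed sample of a saved login page (host names are made up).
SAMPLE_HTML = """
<form method="post" action="login.aspx">
  <input type="hidden" name="WorkSpaceID" value="RDS01.corp.example.internal" />
  <input type="hidden" name="RedirectorName" value="" />
  <input type="hidden" name="WorkspaceFriendlyName" value="Example Work Resources" />
  <input type="text" name="user" />
</form>
"""


class InputCollector(HTMLParser):
    """Collect the value of every named <input> element."""

    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attrs = dict(attrs)
            name = attrs.get("name") or attrs.get("id")
            if name:
                self.values[name.lower()] = attrs.get("value") or ""


def audit_login_page(html):
    """Report what the pre-filled form discloses before authentication."""
    collector = InputCollector()
    collector.feed(html)
    fields = {f: collector.values[f.lower()] for f in FIELDS
              if collector.values.get(f.lower())}
    # The FQDN may be in either field; take the first value that looks like one.
    fqdn = next((fields[f].lower() for f in FIELDS[:2]
                 if "." in fields.get(f, "")), None)
    hostname, _, ad_domain = (fqdn or "").partition(".")
    return {"fields": fields, "fqdn": fqdn,
            "hostname": hostname or None, "ad_domain": ad_domain or None}


if __name__ == "__main__":
    for key, value in audit_login_page(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```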
OS version banner image
If the remote RDWeb installation was not hardened, there is a high chance that the default version image file /RDWeb/Pages/images/WS_h_c.png is still accessible (even if not mentioned on the login page). This is really awesome as we can compare its SHA-256 hash value directly with a known table of the Windows banners of this service.
The RDWArecon.py tool automatically gets this file and compares its hash to get the remote Windows Server version.
git clone https://github.com/p0dalirius/RDWArecon.git