rmdavy / pyrdp
This project is a fork of gosecure/pyrdp.

RDP man-in-the-middle and library for Python 3 with the ability to watch connections live or after the fact

Home Page: https://gosecure.net/2018/12/19/rdp-man-in-the-middle-smile-youre-on-camera/

License: GNU General Public License v3.0

Languages: Python 96.34%, C 3.57%, Dockerfile 0.09%

PyRDP

PyRDP is a Python 3 Remote Desktop Protocol (RDP) Man-in-the-Middle (MITM) and library.

It features a few tools:

  • RDP Man-in-the-Middle
    • Logs credentials used to connect
    • Steals data copied to the clipboard
    • Saves a copy of the files transferred over the network
    • Saves replays of connections so you can look at them later
  • RDP Player:
    • See live RDP connections coming from the MITM
    • View replays of RDP connections
  • RDP Certificate Cloner:
    • Create a self-signed X509 certificate with the same fields as an RDP server's certificate

We are using this tool as part of an RDP honeypot which records sessions and saves a copy of the malware dropped on our target machine.

Supported Systems

PyRDP should work on Python 3.6 and up.

This tool has been tested on Python 3.6 on Linux (Ubuntu 18.04). It has not been tested on macOS or Windows.

Installing

First, install the prerequisite packages (Debian/Ubuntu package names):

sudo apt install libdbus-1-dev libdbus-glib-1-dev

You can now install PyRDP from the repository root, in editable mode, with pip:

sudo pip3 install -U -e . 

This should install all the dependencies required to run PyRDP.

Installing with Docker

PyRDP can also run in a container. First, build the image by executing this command at the root of the PyRDP repository (where the Dockerfile is located):

docker build -t pyrdp .

Afterwards, you can execute the following command to run the container.

docker run pyrdp pyrdp-mitm.py 192.168.1.10

For more information about the different commands and arguments, refer to these sections: Using the PyRDP MITM, Using the PyRDP Player, Using the PyRDP Certificate Cloner.

To store the output on the host, the directory you bind-mount must be writable by UID 1000, because the process inside the container runs as that UID; otherwise you will get a permission denied error. If you're the only user on the system, your account is usually UID 1000 and nothing needs changing. Add the -v option to the previous command:

docker run -v /home/developer/pyrdp_output:/home/pyrdp/pyrdp_output pyrdp pyrdp-mitm.py 192.168.1.10

Running the player in the container requires passing the host's DISPLAY environment variable into the container (so the player's GUI is drawn on the host's X server), sharing the host's network namespace, and telling Qt not to use the MIT-SHM X11 shared-memory extension. To do so, add the -e and --net options to the run command:

docker run -e DISPLAY=$DISPLAY -e QT_X11_NO_MITSHM=1 --net=host pyrdp pyrdp-player.py

Keep in mind that --net=host removes the network isolation between the container and the host. If you plan on using the player, X11 forwarding over an SSH connection is a more secure way to get the GUI onto your screen.

Installing on Windows

If you want to install PyRDP on Windows, note that setup.py will try to compile ext/rle.c, so you will need a C compiler installed. Automatic key and certificate generation only happens on Linux, so you will also need to generate a private key and certificate yourself and pass them to the MITM (see "Specifying the private key and certificate" below).

Using the PyRDP MITM

Use pyrdp-mitm.py <ServerIP> or pyrdp-mitm.py <ServerIP>:<ServerPort> to run the MITM.

Assuming you have an RDP server running on 192.168.1.10 and listening on port 3389, you would run:

pyrdp-mitm.py 192.168.1.10

When the MITM is run for the first time on Linux, a private key and certificate are generated for you in ~/.config/pyrdp. They are used whenever a connection negotiates TLS security: the MITM presents this certificate to the client on the client-side leg of the connection. Because you hold the private key, you can also load it into Wireshark to decrypt the client-to-MITM traffic, provided the negotiated cipher suite uses RSA key exchange; with an ephemeral (DHE/ECDHE) key exchange the private key alone is not enough and you need the session keys instead.
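Whether TLS is used at all is decided before any TLS handshake, in the X.224 Connection Request / Connection Confirm exchange that the MITM relays between client and server. The following is an added example, not PyRDP code: it builds the client's request, parses the server's confirm (including the failure form), and, given a live host, negotiates TLS to fetch the server's certificate with the standard library only. The sample reply bytes, the user name alice and any host name are constructed; nothing here needs a server except fetch_server_certificate().

```python
"""
Added example, not PyRDP code: the X.224 Connection Request / Confirm
exchange in which an RDP client and server agree on a security protocol
(MS-RDPBCGR 2.2.1.1 and 2.2.1.2). Sample bytes and names are constructed;
fetch_server_certificate() is the only part that needs a real server.
"""
import socket
import ssl
import struct

# requestedProtocols (RDP_NEG_REQ) / selectedProtocol (RDP_NEG_RSP) flags
PROTOCOL_RDP = 0x00000000        # standard RDP security (RC4), no TLS at all
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP / NLA on top of TLS
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP plus early user authorization result

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
X224_CR, X224_CC = 0xE0, 0xD0    # X.224 TPDU codes, upper nibble of the code byte

NEG_FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols, cookie_user=None):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ, as an RDP client sends it."""
    cookie = b""
    if cookie_user is not None:
        # mstsc puts the user name in a routing cookie before any TLS exists,
        # so a MITM on port 3389 reads it in clear text.
        cookie = b"Cookie: mstshash=" + cookie_user.encode("ascii") + b"\r\n"
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR fixed part: code, DST-REF, SRC-REF, class option
    body = struct.pack(">BHHB", X224_CR, 0, 0, 0) + cookie + neg_req
    x224 = struct.pack("B", len(body)) + body                # LI = bytes after the LI byte
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224   # TPKT v3 header, total length


def parse_connection_confirm(pdu):
    """Return ('selected', protocol flags) or ('failure', reason) for a Connection Confirm."""
    version, _, length = struct.unpack(">BBH", pdu[:4])
    if version != 3 or length != len(pdu):
        raise ValueError("malformed TPKT header")
    li, code = pdu[4], pdu[5]
    if (code & 0xF0) != X224_CC:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    if li == 6:
        # fixed part only, no RDP_NEG_RSP: an old server speaking standard RDP security
        return ("selected", PROTOCOL_RDP)
    typ, _flags, neg_len, value = struct.unpack("<BBHI", pdu[11:19])
    if neg_len != 8:
        raise ValueError("bad negotiation structure length %d" % neg_len)
    if typ == TYPE_RDP_NEG_RSP:
        return ("selected", value)
    if typ == TYPE_RDP_NEG_FAILURE:
        return ("failure", NEG_FAILURE_CODES.get(value, "UNKNOWN_%d" % value))
    raise ValueError("unexpected negotiation type 0x%02x" % typ)


def uses_tls(selected_protocol):
    """True when the agreed protocol runs over TLS, i.e. a TLS key and certificate are in play."""
    return bool(selected_protocol & (PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during negotiation")
        buf += chunk
    return buf


def _recv_tpkt(sock):
    """Read one complete TPKT-framed PDU; the total length is in the header."""
    head = _recv_exact(sock, 4)
    (length,) = struct.unpack(">H", head[2:4])
    return head + _recv_exact(sock, length - 4)


def fetch_server_certificate(host, port=3389, timeout=5.0):
    """Negotiate TLS with a live RDP server and return its leaf certificate (DER bytes).
    Needs a reachable server, so the offline demo below does not call it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID))
        kind, value = parse_connection_confirm(_recv_tpkt(sock))
        if kind == "failure":
            raise RuntimeError("server refused negotiation: " + value)
        if not uses_tls(value):
            raise RuntimeError("server chose standard RDP security; there is no TLS certificate")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # we want the certificate itself, not to validate it
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed exchange: client offers TLS or NLA, the (constructed) server reply picks NLA.
    request = build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID, cookie_user="alice")
    kind, value = parse_connection_confirm(bytes.fromhex("030000130ed000001234000200080002000000"))
    print("client ->", request.hex(), "\nserver picked", kind, hex(value), "TLS:", uses_tls(value))
```

If the server answers with a failure such as HYBRID_REQUIRED_BY_SERVER, the MITM must offer NLA on the server leg regardless of what the client asked for, which is exactly the kind of mismatch the negotiation handling has to absorb.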

Specifying the private key and certificate

If key generation didn't work or you want to use a custom key and certificate, you can specify them using the -c and -k arguments:

pyrdp-mitm.py 192.168.1.10 -k private_key.pem -c certificate.pem

Connecting to the PyRDP player

If you want to see live RDP connections in the PyRDP player, specify the IP address and port the player is listening on with the -i and -d arguments. The port argument is optional; the default port is 3000.

pyrdp-mitm.py 192.168.1.10 -i 127.0.0.1 -d 3000

Connecting to a PyRDP player when the MITM is running on a server

If the MITM runs on a server and you still want to watch live connections, use SSH remote port forwarding (ssh's -R option) so that a port on the server is forwarded back to the player's listening port on your machine. The MITM then connects to 127.0.0.1 and the forwarded port on the server. For example, if port 4000 on the server is forwarded to port 3000 on your machine, this is the command to use:

pyrdp-mitm.py 192.168.1.10 -i 127.0.0.1 -d 4000

Other MITM arguments

Run pyrdp-mitm.py --help for a full list of arguments.

Using the PyRDP Player

Use pyrdp-player.py to run the player.

Playing a replay file

You can use the menu to open a new replay file: File > Open.

You can also open replay files when launching the player:

pyrdp-player.py <FILE1> <FILE2> ...

Listening for live connections

The player always listens for live connections. By default, the listening port is 3000, but it can be changed:

pyrdp-player.py -p <PORT>

Changing the listening address

By default, the player only listens to connections coming from the local machine. We do not recommend opening up the player to other machines. If you still want to change the listening address, you can do it with -b:

pyrdp-player.py -b <ADDRESS>

Other player arguments

Run pyrdp-player.py --help for a full list of arguments.

Using the PyRDP Certificate Cloner

The PyRDP certificate cloner creates a brand new X.509 certificate from the values of an existing RDP server's certificate. It connects to the RDP server, downloads its certificate, generates a new private key, replaces the certificate's public key with the new one and re-signs the certificate with the new private key. The clone therefore carries the same subject, issuer, serial number and validity dates as the original, but a different key, signature and fingerprint, so a client that has pinned or cached the original's thumbprint will still notice the change. This can be used in a pentest if, for example, you are trying to trick a legitimate user into going through your MITM: a certificate that looks like the legitimate one can increase your success rate.
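To make concrete what survives cloning and what does not, here is an added example that is not PyRDP's own cloner: it copies the identifying fields of a self-signed server certificate onto a fresh key pair and then compares clone and original field by field, the way a suspicious client would. It assumes the `cryptography` package. The "original" certificate is constructed in-process (the name rdp-host.example is made up) so the script runs offline; a certificate fetched from a real server would be loaded with x509.load_der_x509_certificate instead.

```python
"""
Added example, not PyRDP's own cloner: copy the identifying fields of a
self-signed RDP server certificate onto a fresh key pair, then compare
clone and original the way a suspicious client would. Assumes the
`cryptography` package. The "original" is constructed in-process
(rdp-host.example is a made-up name); a real one comes from the server.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _validity(cert):
    """(notBefore, notAfter), across cryptography versions with and without *_utc."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before, cert.not_valid_after


def make_sample_server_certificate(common_name="rdp-host.example"):
    """Constructed stand-in for the self-signed certificate a Windows RDP host presents."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc).replace(microsecond=0)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert, key


def clone_certificate(original, new_key=None):
    """Return (clone, private_key): same subject, issuer, serial, validity and extensions
    as `original`, but a fresh key and a signature made with it (self-signed originals only)."""
    if new_key is None:
        # assume RSA, as RDP self-signed certificates are; match the original's key size
        new_key = rsa.generate_private_key(65537, getattr(original.public_key(), "key_size", 2048))
    pub = new_key.public_key()
    not_before, not_after = _validity(original)
    builder = (
        x509.CertificateBuilder()
        .subject_name(original.subject)
        .issuer_name(original.issuer)
        .serial_number(original.serial_number)
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .public_key(pub)
    )
    for ext in original.extensions:
        value = ext.value
        # Key identifiers are derived from the key. Copied verbatim they would no longer
        # match the embedded key, which is an easy tell; regenerate them instead.
        if isinstance(value, x509.SubjectKeyIdentifier):
            value = x509.SubjectKeyIdentifier.from_public_key(pub)
        elif isinstance(value, x509.AuthorityKeyIdentifier):
            value = x509.AuthorityKeyIdentifier.from_issuer_public_key(pub)
        builder = builder.add_extension(value, critical=ext.critical)
    return builder.sign(new_key, hashes.SHA256()), new_key


def signature_valid_under_own_key(cert):
    """True if the signature verifies with the key the certificate itself carries."""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def compare(original, clone):
    """Which fields match: what a user sees matches, what a thumbprint or pin check sees does not."""
    def ext_set(cert):
        return sorted((e.oid.dotted_string, e.critical) for e in cert.extensions)
    try:
        ski = clone.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        ski_ok = ski == x509.SubjectKeyIdentifier.from_public_key(clone.public_key())
    except x509.ExtensionNotFound:
        ski_ok = True
    return {
        "subject_matches": original.subject == clone.subject,
        "issuer_matches": original.issuer == clone.issuer,
        "serial_matches": original.serial_number == clone.serial_number,
        "validity_matches": _validity(original) == _validity(clone),
        "extension_set_matches": ext_set(original) == ext_set(clone),
        "public_key_matches": original.public_key().public_numbers() == clone.public_key().public_numbers(),
        "sha256_fingerprint_matches": original.fingerprint(hashes.SHA256()) == clone.fingerprint(hashes.SHA256()),
        "clone_signature_valid": signature_valid_under_own_key(clone),
        "clone_ski_matches_its_key": ski_ok,
    }


if __name__ == "__main__":
    original, _ = make_sample_server_certificate()
    clone, _ = clone_certificate(original)
    for field, same in compare(original, clone).items():
        print("%-28s %s" % (field, same))
```

The comparison is the practical takeaway: everything a user can read in the certificate dialog matches, while the SHA-256 fingerprint (the "thumbprint" mstsc remembers when a user chooses not to be asked again) and the public key differ, which is why a clone is convincing to a person and not to a pinning client.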

Cloning a certificate

You can clone a certificate by using pyrdp-clonecert.py:

pyrdp-clonecert.py 192.168.1.10 cert.pem -o key.pem

The cloned certificate is written to the second positional argument (cert.pem above); the -o parameter sets the path where the generated private key is written.

Using a custom private key

If you want to use your own private key instead of generating a new one:

pyrdp-clonecert.py 192.168.1.10 cert.pem -i input_key.pem

Other cloner arguments

Run pyrdp-clonecert.py --help for a full list of arguments.

Using PyRDP as a Library

If you're interested in experimenting with RDP and making your own tools, head over to our documentation section for more information.

Using PyRDP with Bettercap

We wanted to test using PyRDP to man-in-the-middle all RDP connections on a given LAN. With the current architecture, every intercepted connection is redirected to the single destination RDP server specified on the command line. If you're interested in making that work, check out this document for more information.

Contributing to PyRDP

See our contribution guidelines.

Acknowledgements

PyRDP uses code from the following open-source software:

  • RC4-Python for the RC4 implementation.
  • rdesktop for bitmap decompression.
  • rdpy for RC4 keys, the bitmap decompression bindings and the base GUI code for the PyRDP player.

Contributors

christruncer, citronneur, coolacid, dnozay, manuteleco, obilodeau, r04r, res260, viktor-evdokimov, xshill
