PyRDP

PyRDP is a Python 3 Remote Desktop Protocol (RDP) Man-in-the-Middle (MITM) and library.

It features a few tools:

• RDP Man-in-the-Middle
  • Logs credentials used when connecting
  • Steals data copied to the clipboard
  • Saves a copy of the files transferred over the network
  • Saves replays of connections so you can look at them later
  • Run console commands or PowerShell payloads automatically on new connections
• RDP Player:
  • See live RDP connections coming from the MITM
  • View replays of RDP connections
  • Take control of active RDP sessions while hiding your actions
  • List the client’s mapped drives and download files from them during active sessions
• RDP Certificate Cloner:
  • Create a self-signed X509 certificate with the same fields as an RDP server’s certificate

We have used this tool as part of an RDP honeypot which records sessions and saves a copy of the malware dropped on our target machine.

PyRDP was first introduced in a blogpost in which we demonstrated that we can catch a real threat actor in action. In May 2019 a presentation by its authors was given at NorthSec and two demos were performed. The first one covered credential logging, clipboard stealing, client-side file browsing, and a session take-over. The second one covered the execution of cmd or powershell payloads when a client successfully authenticates. In August 2019, PyRDP was demo’ed at BlackHat Arsenal (slides).

Changelog v0.4.1

Now with 100% public docker image!

Enhancements

• Improvements to our docker image (#156, #157, #160)
• Logging when Restricted Admin Mode is enabled on clients
• Documentation improvements

Bug fixes

• Fixed libGL.so.1 missing in docker image (#138, #159)

Release meta

• Released by: Olivier Bilodeau
• Release beer: Archibald’s Triple Américaine limited edition from YUL Airport

Install && Use

Copyright (C) 2018 GoSecure