PyRDP v1.0 releases: Python 3 Remote Desktop Protocol Man-in-the-Middle
PyRDP is a Python 3 Remote Desktop Protocol (RDP) Man-in-the-Middle (MITM) and library.
It features a few tools:
- RDP Man-in-the-Middle
- Logs credentials used when connecting
- Steals data copied to the clipboard
- Saves a copy of the files transferred over the network
- Saves replays of connections so you can look at them later
- Run console commands or PowerShell payloads automatically on new connections
- RDP Player:
- See live RDP connections coming from the MITM
- View replays of RDP connections
- Take control of active RDP sessions while hiding your actions
- List the client’s mapped drives and download files from them during active sessions
- RDP Certificate Cloner:
- Create a self-signed X509 certificate with the same fields as an RDP server’s certificate
We have used this tool as part of an RDP honeypot which records sessions and saves a copy of the malware dropped on our target machine.
PyRDP was first introduced in a blogpost in which we demonstrated that we can catch a real threat actor in action. In May 2019 a presentation by its authors was given at NorthSec and two demos were performed. The first one covered credential logging, clipboard stealing, client-side file browsing, and a session take-over. The second one covered the execution of cmd or powershell payloads when a client successfully authenticates. In August 2019, PyRDP was demo’ed at BlackHat Arsenal (slides).
This release has a dedicated SecTor 2020 presentation: ACHIEVING PYRDP 1.0 – THE REMOTE DESKTOP PWNAGE MITM AND LIBRARY.
- Added support for dynamic certificate cloning when no certificate is specified. (#94, #243). This is enabled by default and can be overridden through the existing
- File interception now saves files transferred via clipboard copy/paste (#100)
- Added a transparent proxy mode where source or destination packets are unaltered from the client or the server’s perspective. See feature documentation for details and usage examples. See also #197, #204, #205 and #239.
- Added support for Network Level Authentication (NLA) by passing CredSSP authentication untouched. Activate it with the
--auth sspswitch. It requires the RDP server’s private key which must be given to PyRDP. See #229 for details.
- Support for 32-bit x86 operating systems when not using the graphical interface (#150)
- Added a
twistdplugin (#174, #177, #191)
- Loosen up TLS version checks to allow a broader set of clients and server (#192, #193)
- Explicitly disabled TLS 1.3 for now since we don’t record TLS 1.3 master secrets yet (#116, #193)
- Logging can be customized using configuration files (#191)
- Improvements on log correlation (#180):
replayfilenameto the connection report log entry
sessionIDto replay filename
- Added several switches to selectively disable features of PyRDP:
- Added support for the GDI graphics as the default graphics pipeline. The
--no-gdiswitch was added to force the previous behavior (bitmaps). See #50 and #209 for details.
- Python 3.8 supported by fixing a logging.Formatter misuse (#176)
- PyRDP no longer creates replay files for sessions with no activity (#169, #207)
- Fixed stack traces in the player when attempting to print strings ending with a null character (#182)
- Removed NLA argument from
- Updated and clarified documentation (#165, #166, #172)
- Docker images are now based on Ubuntu 20.04 (#251)
- Docker image size reduced and split in default and
-slimvariants (#173, #198)
- Improved docker caching for faster development iterations (#217, #219)
- Changed default docker compose command now
pyrdp-mitm -hto avoid confusing crash on
- Added continuous integration with GitHub Actions that builds docker images and runs basic smoke tests (#194, #201, #202, #253)
Copyright (C) 2018