PyRDP v1.2 releases: Python 3 Remote Desktop Protocol Man-in-the-Middle

by do son · Published December 23, 2018 · Updated December 25, 2022

PyRDP

PyRDP is a Python 3 Remote Desktop Protocol (RDP) Man-in-the-Middle (MITM) and library.

It features a few tools:

RDP Man-in-the-Middle
- Logs credentials used when connecting
- Steals data copied to the clipboard
- Saves a copy of the files transferred over the network
- Saves replays of connections so you can look at them later
- Run console commands or PowerShell payloads automatically on new connections
RDP Player:
- See live RDP connections coming from the MITM
- View replays of RDP connections
- Take control of active RDP sessions while hiding your actions
- List the client’s mapped drives and download files from them during active sessions
RDP Certificate Cloner:
- Create a self-signed X509 certificate with the same fields as an RDP server’s certificate

We have used this tool as part of an RDP honeypot which records sessions and saves a copy of the malware dropped on our target machine.

PyRDP was first introduced in a blogpost in which we demonstrated that we can catch a real threat actor in action. In May 2019 a presentation by its authors was given at NorthSec and two demos were performed. The first one covered credential logging, clipboard stealing, client-side file browsing, and a session take-over. The second one covered the execution of cmd or powershell payloads when a client successfully authenticates. In August 2019, PyRDP was demo’ed at BlackHat Arsenal (slides).

Collected files are now stored as their SHA-256 hash value instead of SHA-1 (#389)
The log field shasum now holds the SHA-256 hash value of files instead of SHA-1 (#389)

Backported security fixes from rdesktop to our Python C extension doing RLE processing.
Exploitability wasn’t verified. (#357)

Support for RDP version 10.9 and 10.10 (#396, #397)
Capture and log NetNTLMv2 hash if the server enforces NLA and we don’t have the NLA redirection attack activated (#367, #358)
The Net-NTLMv2 challenge can be defined via --ssp-challenge allowing to do more efficient parallel cracking or leverage rainbow tables (#405, #418)
pyrdp-convert video conversion is now 6x faster! (See #349)
pyrdp-convert video format can be viewed during encoding and will play even if the conversion process crashes or is halted (#352, #353)
pyrdp-convert can now handle exported PDUs (decrypted pcaps) with multiple sessions in them (#313, #368)
pyrdp-convert can now extract session information including keyboard and mouse movement information in JSON from pcap and PDUs (#331, #366)
pyrdp-convert has better success messages, error reporting and exit status (#361, #369)
pyrdp-mitm added --address argument to choose the IP address where PyRDP is listening (#411, #412)
Minor CLI improvements
Improved type hints
Updated instructions to extract the RDP certificate and private key (#345)
Documentation updates (#335, #339, #340, #360, #371, #381, #383, #384, #408, #420)
Replaced unmaintained dependency notify2 with py-notifier (#363, #365)
Some Python 3.10 compatibility work (#366, #380, #421)
Enable play/pause replay on the Player by pressing the Space key (#403).

Fixed situations where device redirection or clipboard sharing would hang and timeout (#139, #422)
Fixed a memory leak in the bitmap decoding routine preventing the conversion or the replay of very large captures (#352, #353)
Fixed pyrdp-player on macOS platforms (#362)
Fixed pyrdp-convert pcap processing when victim IP and MITM IP are the same (#366)
Fixed a pyrdp-convert segmentation fault in QT in some MP4 conversions (#378, #428, #429)
Fixed NLA redirection problems if original target and NLA redirection target are the same (#342, #343)
Fixed leak of file descriptors due to missing close on replay file recording (#392, #413, #415)
Added a missing dependency for the GUI on Ubuntu 20.04 LTS (#348, #351, #355)
No longer assuming every connection will have VirtualChannels (#375)
Some minor protocol-level fixes (#408)

The slim flavor of our Docker image is now provided for the ARM64 platform (#346, #388)
Docker images are now built and pushed via GitHub Actions (#334, #341)
Added an automated video conversion test to CI configuration (#349)
Added an automated JSON conversion test to CI configuration with some validation (#369)
Added an automated replay conversion test to CI configuration (#369)
Test refactoring to allow running most GitHub CI tests locally when developing (#368)
Added Python 3.10 to CI test configuration (#387)
Updated our dependencies to the latest stable versions (#386, #391, #400, #414, #417)