This document provides a high-level view of the changes introduced in PyRDP by release. For a detailed view of what has changed, refer to the commit history on GitHub.
- Backported security fixes from rdesktop to our Python C extension doing RLE processing. Exploitability wasn’t verified. (#357)
- pyrdp-convert video conversion is now 6x faster! (See #349)
- pyrdp-convert video format can be viewed during encoding and will play even if the conversion process crashes or is halted (#352, #353)
- Better error reporting for pyrdp-convert (#361)
- Minor CLI improvements
- Improved type hints
- Updated instructions to extract the RDP certificate and private key (#345)
- Fixed a memory leak in the bitmap decoding routine preventing the conversion or the replay of very large captures (#352, #353)
- Fixed pyrdp-player on macOS platforms (#362)
- Fixed NLA redirection problems if original target and NLA redirection target are the same (#342, #343)
- Added a missing dependency for the GUI on Ubuntu 20.04 LTS (#348, #351, #355)
Released just in time for our BlackHat USA Arsenal 2021 presentation! Here are the high-level release highlights:
- Network-Level Authentication (NLA) redirection: if target is NLA redirect to a different non-NLA host (see this as a dynamic downgrade attack)
- Improved file collection capabilities: file deduplication, preserving client-side file hierarchies and preserving partial copies
- More reliable, powerful and faster pyrdp-convert
- Attempted credentials collection (NTLMSSP hashes in NLA context and plaintext otherwise)
- Improved logging in error conditions and general bug fixes
Full list of changes follows.
Security
- Cryptography dependency updated to 3.3.2 due to upstream security issues which we are not really concerned about for this project’s use case (See #259, #295)
- Pillow dependency updated to 8.2.0 due to upstream security issues (see #306 and #317)
- rsa dependency updated to 4.7 due to upstream security issues (see #314)
Tools
- pyrdp-convert now relies on scapy for session reconstruction from a pcap. This is more reliable and can handle multiple sessions at once. (#311, #221)
- pyrdp-convert MP4 conversion is now 2x faster! (See #234 and #273)
- Added a JSON output format to pyrdp-convert (See #236)
- Use a proper progress bar with completion percentage and ETA in pyrdp-convert (See #274)
MITM
- NLA Redirection: if the original destination server requires NLA, we can now redirect the connection to a different destination server as specified by the --nla-redirection-host and --nla-redirection-port switches (#260, #308)
- Added NTLMSSP hash logging when NLA is used with NTLM as the authentication protocol. Hashes are logged to pyrdp_output/logs/ntlmssp.log in addition to stdout and JSON. (See #307)
- Added attempted credentials logging when using graphical login (non-NLA). It uses a heuristic based on Enter being pressed or the mouse being clicked in specific areas. (See #303)
- PyRDP will log the value of the HOST_IP variable on start if it exists. You can set it to the IP address of the host running PyRDP. This is mostly helpful when you’re using PyRDP in Docker and you want the IP of the Docker host in the logs.
- Added a detection function for BlueKeep scans / exploit attempts. PyRDP will log the attempt and shut down the connection. The JSON log has an exploitInfo attribute as well as a parserInfo attribute to help investigate what happened.
- Added better logging for parser errors. PyRDP will now log which parser crashed and the data that was fed to that parser to make it crash. This makes it easier to investigate bugs and exploits. In JSON logs, this information shows up in the parserInfo attribute.
- Files intercepted or crawled by the MITM are now named according to the sha1 hash of their contents and stored in the pyrdp_output/files folder (see #261)
- Files that are currently being downloaded by the MITM but are not complete are stored in the pyrdp_output/files/tmp folder
- Both the file stealer and the file crawler components now mimic the victim’s filesystem by creating the same file hierarchy in the pyrdp_output/filesystems/<SESSION_ID> folders. Files in these folders are symbolic links to files in the pyrdp_output/files folder to avoid useless duplication. The symlinks are relative, which allows you to move the folder around without losing the mapping. (See #270, #272 and #299)
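As an added example (not PyRDP's own code), here is the storage layout described above in Python: each intercepted file is written once under files/<sha1 of contents> and exposed in the per-session filesystems/<SESSION_ID> mirror through a relative symlink, so the whole output tree can be moved without breaking the mapping. The client-path normalisation (dropping the drive colon, "." and "..") and the sample data are assumptions of this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def store_intercepted_file(output_root: Path, session_id: str,
                           client_path: str, data: bytes) -> Path:
    """Write `data` once to files/<sha1 of contents> and expose it at
    filesystems/<session_id>/<client path> through a relative symlink.
    Returns the symlink path inside the session mirror."""
    files_dir = output_root / "files"
    files_dir.mkdir(parents=True, exist_ok=True)
    blob = files_dir / hashlib.sha1(data).hexdigest()
    if not blob.exists():  # same content from any session: stored once
        blob.write_bytes(data)

    # Client paths arrive as Windows paths ("C:\\Users\\bob\\a.txt"); this
    # normalisation (drop drive colon, "." and "..") is an assumption of
    # this example, not PyRDP's actual rule.
    parts = [p for p in client_path.replace("\\", "/").split("/")
             if p not in ("", ".", "..")]
    if not parts:
        raise ValueError("empty client path")
    parts[0] = parts[0].rstrip(":")
    link = output_root / "filesystems" / session_id / Path(*parts)
    link.parent.mkdir(parents=True, exist_ok=True)

    # Relative target so the whole output tree can be moved as a unit.
    if link.is_symlink() or link.exists():
        link.unlink()
    link.symlink_to(os.path.relpath(blob, start=link.parent))
    return link


def demo() -> dict:
    """Store the same constructed sample file from two sessions, then move the tree."""
    root = Path(tempfile.mkdtemp())
    first = store_intercepted_file(root, "sess-1", "C:\\Users\\bob\\notes.txt", b"constructed sample")
    second = store_intercepted_file(root, "sess-2", "D:\\tmp\\notes.txt", b"constructed sample")
    moved = root.parent / (root.name + "-moved")
    root.rename(moved)  # relocating the tree must keep the links valid
    relocated = moved / first.relative_to(root)
    return {
        "blob_count": len(list((moved / "files").iterdir())),
        "link_is_relative": not os.path.isabs(os.readlink(relocated)),
        "content_after_move": relocated.read_bytes(),
        "second_rel": str(second.relative_to(root)),
    }
```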
- File interceptor will keep a copy of interrupted file transfers in pyrdp_output/files/tmp/ and mention it in the logs (#333)
- All JSON logs now have a clientIp field once a client IP address is known (#321, #326)
- Removed the mapping.json file since all the information it would contain can be obtained by checking the pyrdp_output/filesystems folder
- Added tests for the DeviceRedirectionMITM and FileMapping classes (#268)
- Added a clientPort field to the message when a new client is connected (#310)
- Added SO_REUSEADDR to the MITM socket to avoid having to wait for sockets stuck in TIME_WAIT
- Fixed a bug causing the connection to crash when the pointerCacheSize field is absent in PointerCapability (See #287)
- Fixed a bug causing the connection to crash when the client sends no connection negotiation flags (See #283)
- Fixed a bug preventing files opened by the RDPDR file stealer from being closed (#264)
- Fixed an issue with ghost mouse pointers in replays converted to MP4 (#271)
- Fixed a regression with the --sensor-id (-s) command line argument. It had not worked since 1.0. (#279)
- doc: README update to fix Windows install (#301)
- Now handling space characters in password attempts (#303)
- core.ssl JSON logs now properly carry the commonName and certFile variables (#326)
- Fixed wrong date format string for sessions converted from a pcap (#330, #332)
- Fixed a crash when deleting active file transfers on a disconnect (#322, #333)
We added many interesting features in the last couple of months and have used this tool in enough contexts to officially mark it as stable. Some of the noteworthy features are described in our announcement blog post.
This release has a dedicated SecTor 2020 presentation: Achieving PyRDP 1.0 – The Remote Desktop Pwnage MITM and Library.
Tools
- Introduced the pyrdp-convert tool to convert between pcaps, PyRDP replay files and MP4 video files. Read its section in the README for details. See #199, #188 and #170.
Player
MITM
- Added support for dynamic certificate cloning when no certificate is specified (#94, #243). This is enabled by default and can be overridden through the existing -c and -k arguments.
- File interception now saves files transferred via clipboard copy/paste (#100)
- Added a transparent proxy mode where source or destination packets are unaltered from the client or the server’s perspective. See the feature documentation for details and usage examples. See also #197, #204, #205 and #239.
- Added support for Network Level Authentication (NLA) by passing CredSSP authentication untouched. Activate it with the --auth ssp switch. It requires the RDP server’s private key, which must be given to PyRDP. See #229 for details.
- Support for 32-bit x86 operating systems when not using the graphical interface (#150)
- Loosened TLS version checks to allow a broader set of clients and servers (#192, #193)
- Explicitly disabled TLS 1.3 for now since we don’t record TLS 1.3 master secrets yet (#116, #193)
- Logging can be customized using configuration files (#191)
- Improvements on log correlation (#180):
  - Added replayfilename to the connection report log entry
  - Added sessionID to the replay filename
- Added several switches to selectively disable features of PyRDP:
- Added support for GDI graphics as the default graphics pipeline. The --no-gdi switch was added to force the previous behavior (bitmaps). See #50 and #209 for details.
- Docker images are now based on Ubuntu 20.04 (#251)
- Docker image size reduced and split into default and -slim variants (#173, #198)
- Improved docker caching for faster development iterations (#217, #219)
- Changed the default docker compose command to pyrdp-mitm -h to avoid a confusing crash on docker-compose up (#173)
- Added continuous integration with GitHub Actions that builds docker images and runs basic smoke tests (#194, #201, #202, #253)
Now with 100% public docker image!
- Released by: Olivier Bilodeau
- Release beer: Archibald’s Triple Américaine limited edition from YUL Airport
Release just in time for our Derbycon talk!
A special BlackHat USA Arsenal 2019 release!
- Added Windows support (#129)
- Improved documentation for operation with Bettercap (#107)
- Added a heuristics-based credential logger to enable credentials collection at scale (#106)
- Dependency update: Replaced pycrypto with pycryptodome (#128)
- Improved handling of X224 Negotiation Failures like NLA (#102)
- Accept and log connections from scanners better (#136)
- Added BlueKeep specific detection and logging (#114)
- Added a log entry that summarizes a connection, useful to hunt specific connections (#117)
A special NorthSec 2019 release just in time for Francis Labelle and Émilio Gonzalez's talk on PyRDP.
- Session takeover: take control of an active session with working mouse and keyboard
- Client-side file browsing and downloading
- Ability to run custom PowerShell or console commands on new connections (documentation)
- Easier integration with virtualenv (#84)
- Provided a simple Dockerfile for Docker image creation (#66)
- Documentation on how to combine with Bettercap (more on the way)
- Important refactoring
First release. See our introductory blog post for details.
Thanks to the following people who contributed to this release:
Francis Labelle, Émilio Gonzalez, CoolAcid
Special thanks to Sylvain Peyrefitte who created RDPy on which we initially based PyRDP. We eventually had to fork due to drastic changes in order to achieve the capabilities we were interested in building. That said, his initial architecture and base library choices should be recognized as they stood the test of time.