Remote Desktop Protocol in twisted python.
RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client and server side). RDPY is built on the event-driven network engine Twisted. RDPY supports the standard RDP security layer, RDP over SSL/TLS and NLA (Network Level Authentication) via CredSSP with the NTLMv2 authentication protocol.
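Which of those three security layers a session ends up using is settled in the very first exchange, the X.224 Connection Request / Connection Confirm carrying RDP_NEG_REQ and RDP_NEG_RSP (MS-RDPBCGR 2.2.1.1 and 2.2.1.2). A MITM proxy sitting on port 3389 sees this exchange before any TLS or CredSSP traffic, so it is worth knowing how to read it. The parser and builder below are an added example written for this page, not RDPY's own code; the byte layouts and protocol flag values come from the MS-RDPBCGR specification, and the sample packets in the `__main__` block are constructed here for illustration.

```python
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000        # standard RDP security layer only
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP (NLA) over TLS
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008

# negotiation structure types
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# one of the RDP_NEG_FAILURE codes: server insists on CredSSP/NLA
HYBRID_REQUIRED_BY_SERVER = 0x00000005

# X.224 TPDU codes
X224_CONNECTION_REQUEST = 0xE0
X224_CONNECTION_CONFIRM = 0xD0

COOKIE_PREFIX = b"Cookie: mstshash="


def _frame(tpdu_code, variable):
    """Wrap an X.224 variable part in the fixed X.224 header and a TPKT header."""
    # LI counts every byte after itself: code(1) + DST-REF(2) + SRC-REF(2) + class(1) + variable part
    x224 = struct.pack(">BBHHB", 6 + len(variable), tpdu_code, 0, 0, 0) + variable
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def _x224_payload(data, expected_code):
    """Validate the TPKT + fixed X.224 header and return the variable part."""
    if len(data) < 11:
        raise ValueError("too short for TPKT + X.224 header")
    version, _, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != 3 or tpkt_len != len(data):
        raise ValueError("bad TPKT header")
    li, code = data[4], data[5]
    if code != expected_code:
        raise ValueError("unexpected X.224 TPDU code 0x%02x" % code)
    if li != len(data) - 5:
        raise ValueError("X.224 length indicator mismatch")
    return data[11:]


def build_connection_request(requested_protocols, cookie_user=None):
    """Client side: X.224 Connection Request with optional mstshash cookie and RDP_NEG_REQ."""
    body = b""
    if cookie_user is not None:
        body += COOKIE_PREFIX + cookie_user.encode("ascii") + b"\r\n"
    body += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    return _frame(X224_CONNECTION_REQUEST, body)


def parse_connection_request(data):
    """Return cookie and requested protocols; a missing RDP_NEG_REQ means legacy standard security."""
    var = _x224_payload(data, X224_CONNECTION_REQUEST)
    cookie = None
    if var.startswith(COOKIE_PREFIX):
        end = var.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        cookie = var[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        var = var[end + 2:]
    requested = PROTOCOL_RDP
    if var:  # routingToken (no "Cookie:" prefix) is not handled here and will fail the type check
        if len(var) < 8:
            raise ValueError("truncated rdpNegReq")
        ntype, _flags, length, protocols = struct.unpack("<BBHI", var[:8])
        if ntype != TYPE_RDP_NEG_REQ or length != 8:
            raise ValueError("malformed rdpNegReq")
        requested = protocols
    return {"cookie": cookie, "requested_protocols": requested,
            "tls": bool(requested & PROTOCOL_SSL),
            "nla": bool(requested & PROTOCOL_HYBRID)}


def build_connection_confirm(selected_protocol=None, failure_code=None):
    """Server side: Connection Confirm with RDP_NEG_RSP, RDP_NEG_FAILURE, or nothing (legacy server)."""
    if failure_code is not None:
        body = struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, failure_code)
    elif selected_protocol is not None:
        body = struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, selected_protocol)
    else:
        body = b""
    return _frame(X224_CONNECTION_CONFIRM, body)


def parse_connection_confirm(data):
    """Return the protocol the server selected, or the failure code it sent back."""
    var = _x224_payload(data, X224_CONNECTION_CONFIRM)
    if not var:
        return {"selected_protocol": PROTOCOL_RDP, "failure_code": None}
    if len(var) < 8:
        raise ValueError("truncated negotiation response")
    ntype, _flags, length, value = struct.unpack("<BBHI", var[:8])
    if length != 8:
        raise ValueError("malformed negotiation response")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"selected_protocol": value, "failure_code": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"selected_protocol": None, "failure_code": value}
    raise ValueError("unexpected negotiation type 0x%02x" % ntype)


if __name__ == "__main__":
    # constructed sample: client offers TLS and NLA, server picks NLA (CredSSP follows next)
    req = parse_connection_request(build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID, "alice"))
    rsp = parse_connection_confirm(build_connection_confirm(selected_protocol=PROTOCOL_HYBRID))
    print(req, rsp)
```

The first 19 bytes of a modern client's connection (`03 00 00 13 0e e0 ... 01 00 08 00 03 00 00 00`) decode with `parse_connection_request` to `requested_protocols == 3`, i.e. TLS plus CredSSP offered; if the server's confirm selects `PROTOCOL_HYBRID`, the TLS handshake and then the CredSSP/NTLMv2 exchange that the MITM proxy relays come next on the same socket.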
RDPY provides the following binary:
- RDP man-in-the-middle (MITM) proxy, used to relay CredSSP credentials.
Relaying the credentials is useful in the context of CVE-2018-0886. Please refer to the credssp library for the exploit demo: https://github.com/preempt/credssp
RDPY is fully implemented in Python. It depends on PyQt4.
Example for Debian-based systems:
sudo apt-get install python-qt4
Then:
$ git clone https://github.com/preempt/rdpy.git rdpy
$ pip install twisted pyopenssl qt4reactor service_identity rsa pyasn1 impacket
$ python rdpy/setup.py install
This installs RDPY on its own, but it is not useful for exploitation by itself: the attack also needs the credssp library. Please refer to https://github.com/preempt/credssp
RDPY comes with only one binary:
rdpy-credsspmitm.py -k private_key -c cert_file [-l port] target
  -l listen_port            port to listen on (default 3389)
  -k private_key_file_path  private key, generated by gen_cmd.py
  -c certificate_file_path  certificate, generated by gen_cmd.py
  target                    target server; should be a DNS name so that Kerberos authentication will happen
This is the main attack script for exploiting the CVE-2018-0886 vulnerability.
It should be executed after running the gen_cmd.py script, which generates a suitable private key and certificate. gen_cmd.py is found in the credssp repository.
It listens on the listen port, waits for a user to connect, and then executes the attack against the chosen target server.
It is mainly composed of an RDP proxy built on the rdpy implementation.