Pyrdp Versions Save

RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact

v2.1.0

3 months ago

Enhancements

  • Player GUI displays playback time and recording duration (#467)

Bug fixes

  • Clipboard file transfer compatibility with non-mstsc clients (#464)
  • Some replay files when converted would be cut short (#466)

Credits

Thanks to the following people who contributed to this release:

Olivier Bilodeau (@obilodeau) and @luciaprime54

v2.0.0

4 months ago


Release Highlights

  • PyPI pre-built packages for Linux, Windows and macOS (easier installation)
  • Ported to Qt6
  • Docker images based on Ubuntu 22.04

Full list of changes follows.

Backwards Compatibility Changes

  • All tools lost their .py suffix. For example, pyrdp-mitm.py is now pyrdp-mitm.
  • Requires Python 3.7
  • master Docker container tag renamed devel (master-slim to devel-slim)
  • The log field sessionID changed format from <firstname><100000-999999> to <adjective>_<name>_<1000000-9999999> (#458)
  • Stolen clipboard files are now stored by hash under the files/ hierarchy, without a sessionId, and linked from the filesystems/<sessionID>/clipboard/ hierarchy (#338)
  • Python project name is now pyrdp-mitm since pyrdp was taken on PyPI (#456)

Enhancements

  • Pre-built binaries available on PyPI for Linux, Windows and macOS! (#451)
  • PyRDP now runs with Qt6, which is better supported than Qt5 nowadays (#436, #453)
  • Support for RDP version 10.11 (#433)
  • Support for Python 3.11 by updating PyAV to get pre-built binary wheels (#437, #438)
  • MITM start and termination log messages are now part of the JSON logs (#447)
  • Docker images are now based on Ubuntu 22.04 and dependencies were minimized (#455)
  • Documented how to run pyrdp-convert through a Docker container (#455)
  • Fixed sessionID duplication caused by a defective name library, and added an extra digit (#458, #460)
  • Stolen clipboard files are deduplicated (via hashing) just like mapped drives files (#338, #462)

Bug fixes

  • JSON logging of files captured via the clipboard was fixed (#441)
  • Fixed support for Windows on Python 3.8+ (#316, #439, #444)
  • Updated Twisted's minimum version to 23 (#316, #455)
  • Added more missing dependencies for the GUI on Ubuntu 20.04 LTS (#448)
  • Fixed installation issue on Windows with Python 3.11 (#436)

Infrastructure

  • Project packaging modernized, getting rid of pkg_resources deprecation warnings (#416, #440)
  • Added Python 3.10 tests on Windows to CI test configuration (#439)
  • Then replaced Python 3.10 with Python 3.11 for CI test configuration (#438)
  • Also added Ubuntu 20.04, 22.04 and Python 3.12 in CI test configurations (#455)
  • Using cibuildwheel for cross-platform and cross-Python builds (Windows, Linux, macOS) (#451)
  • Deprecation cleanup in CI (#452)
  • Updated our dependencies to the latest stable versions (#454)
  • Renamed master branch to main (#450, #459)

Credits

Thanks to the following people who contributed to this release:

@kszafran, Mason Shi (@Mas0nShi), Olivier Bilodeau (@obilodeau) and @plonxyz

v1.2.0

1 year ago

Release blog post: https://www.gosecure.net/blog/2022/12/23/a-new-pyrdp-release-the-rudolph-desktop-protocol/

Release highlights

  • Net-NTLMv2 Hash Capture
  • 6x faster pyrdp-convert
  • RDP Version 10.9 and 10.10 supported
  • Python 3.10 support
  • Plugged memory leak and fixed important long-standing bugs

Full list of changes follows.

Backwards Compatibility Changes

  • Collected files are now stored as their SHA-256 hash value instead of SHA-1 (#389)
  • The log field shasum now holds the SHA-256 hash value of files instead of SHA-1 (#389)

Security

  • Backported security fixes from rdesktop to our Python C extension doing RLE processing. Exploitability wasn't verified. (#357)

Enhancements

  • Support for RDP version 10.9 and 10.10 (#396, #397)
  • Capture and log the Net-NTLMv2 hash if the server enforces NLA and the NLA redirection attack is not activated (#367, #358)
  • The Net-NTLMv2 challenge can be defined via --ssp-challenge, allowing more efficient parallel cracking or the use of rainbow tables (#405, #418)
  • pyrdp-convert video conversion is now 6x faster! (See #349)
  • pyrdp-convert video format can be viewed during encoding and will play even if the conversion process crashes or is halted (#352, #353)
  • pyrdp-convert can now handle exported PDUs (decrypted pcaps) with multiple sessions in them (#313, #368)
  • pyrdp-convert can now extract session information including keyboard and mouse movement information in JSON from pcap and PDUs (#331, #366)
  • pyrdp-convert has better success messages, error reporting and exit status (#361, #369)
  • pyrdp-mitm added --address argument to choose the IP address where PyRDP is listening (#411, #412)
  • Minor CLI improvements
  • Improved type hints
  • Updated instructions to extract the RDP certificate and private key (#345)
  • Documentation updates (#335, #339, #340, #360, #371, #381, #383, #384, #408, #420)
  • Replaced unmaintained dependency notify2 with py-notifier (#363, #365)
  • Some Python 3.10 compatibility work (#366, #380, #421)
  • Enable play/pause replay on the Player by pressing the Space key (#403)

Bug fixes

  • Fixed situations where device redirection or clipboard sharing would hang and timeout (#139, #422)
  • Fixed a memory leak in the bitmap decoding routine preventing the conversion or the replay of very large captures (#352, #353)
  • Fixed pyrdp-player on macOS platforms (#362)
  • Fixed pyrdp-convert pcap processing when victim IP and MITM IP are the same (#366)
  • Fixed a pyrdp-convert segmentation fault in Qt in some MP4 conversions (#378, #428, #429)
  • Fixed NLA redirection problems if original target and NLA redirection target are the same (#342, #343)
  • Fixed leak of file descriptors due to missing close on replay file recording (#392, #413, #415)
  • Added a missing dependency for the GUI on Ubuntu 20.04 LTS (#348, #351, #355)
  • No longer assuming every connection will have VirtualChannels (#375)
  • Some minor protocol-level fixes (#408)

Infrastructure

  • The slim flavor of our Docker image is now provided for the ARM64 platform (#346, #388)
  • Docker images are now built and pushed via GitHub Actions (#334, #341)
  • Added an automated video conversion test to CI configuration (#349)
  • Added an automated JSON conversion test to CI configuration with some validation (#369)
  • Added an automated replay conversion test to CI configuration (#369)
  • Test refactoring to allow running most GitHub CI tests locally when developing (#368)
  • Added Python 3.10 to CI test configuration (#387)
  • Updated our dependencies to the latest stable versions (#386, #391, #400, #414, #417)

Credits

Thanks to the following people who contributed to this release:

Alexandre Beaulieu (@alxbl), Lisandro Ubiedo (@lubiedo), Francis Labelle (@xshill), Lukas Kupczyk (@lkupczyk), Olivier Bilodeau (@obilodeau), simonhuang (@thelongestusernameofall), Jonas (@spameier) and Flare Systems

v1.1.0

2 years ago

Release Highlights

Released just in time for our BlackHat USA Arsenal 2021 presentation! Here are the high-level release highlights:

  • Network-Level Authentication (NLA) redirection: if the target requires NLA, redirect to a different non-NLA host (think of it as a dynamic downgrade attack)
  • Improved file collection capabilities: file deduplication, preserving client-side file hierarchies and preserving partial copies
  • More reliable, powerful and faster pyrdp-convert
  • Attempted credentials collection (NTLMSSP hashes in NLA context and plaintext otherwise)
  • Improved logging in error conditions and general bug fixes

Full list of changes follows.

Breaking Changes

  • pyrdp-convert command-line interface change: --list is now --list-only to better reflect what it does. The short form -l didn't change. (#311)
  • Log fields changes: hash is now shasum (#302)

Enhancements

Security

  • Cryptography dependency updated to 3.3.2 due to upstream security issues which we are not really concerned about for this project's use case (See #259, #295)
  • Pillow dependency updated to 8.2.0 due to upstream security issues (see #306 and #317)
  • rsa dependency updated to 4.7 due to upstream security issues (see #314)

Tools

  • pyrdp-convert now relies on scapy for session reconstruction from a pcap. This is more reliable and can handle multiple sessions at once. (#311, #221)
  • pyrdp-convert MP4 conversion is now 2x faster! (See #234 and #273)
  • Added a JSON output format to pyrdp-convert (See #236)
  • Use a proper progress bar with completion percentage and ETA in pyrdp-convert (See #274)

MITM

  • NLA Redirection: if the original destination server requires NLA we can now redirect the connection to a different destination server as specified by the --nla-redirection-host and --nla-redirection-port switches (#260, #308)
  • Added NTLMSSP hash logging when NLA is used with NTLM as the authentication protocol. Hashes are logged to pyrdp_output/logs/ntlmssp.log in addition to stdout and JSON. (See #307)
  • Added attempted credentials logging when using graphical login (non-NLA). It uses a heuristic based on Enter being pressed or the mouse being clicked in specific areas. (See #303)
  • PyRDP will log the value of the HOST_IP variable on start if it exists. You can set it to the IP address of the host running PyRDP. This is mostly helpful when you're using PyRDP in Docker and you want the IP of the Docker host in the logs.
  • Added detection function for BlueKeep scans/exploit attempts. PyRDP will log the attempt and shut down the connection. The JSON log has an exploitInfo attribute as well as a parserInfo attribute to help investigate what happened.
  • Added better logging for parser errors. PyRDP will now log which parser crashed and the data that was fed to that parser to make it crash. This makes it easier to investigate bugs and exploits. In JSON logs, this information shows up in the parserInfo attribute.
  • Files intercepted or crawled by the MITM are now named according to the sha1 hash of their contents and stored in the pyrdp_output/files folder (see #261)
  • Files that are currently being downloaded by the MITM but are not complete are stored in the pyrdp_output/files/tmp folder
  • Both the file stealer and the file crawler components now mimic the victim's filesystem by creating the same file hierarchy in the pyrdp_output/filesystems/<SESSION_ID> folders. Files in these folders are symbolic links to files in the pyrdp_output/files folder to avoid useless duplication. The symlinks are relative, which allows you to move the folder around without losing the mapping. (See #270, #272 and #299)
  • File interceptor will keep a copy of interrupted file transfers in pyrdp_output/files/tmp/ and mention it in the logs (#333)
  • All JSON logs now have a clientIp field once a client IP address is known (#321, #326)
  • Removed mapping.json file since all the information it would contain can be obtained by checking the pyrdp_output/filesystems folder
  • Added tests for the DeviceRedirectionMITM and FileMapping classes (#268)
  • Added clientPort field to the message when a new client is connected (#310)

Bug fixes

  • Added SO_REUSEADDR to MITM socket to avoid having to wait for sockets stuck in TIME_WAIT
  • Fixed a bug causing the connection to crash when the pointerCacheSize field is absent in PointerCapability (See #287)
  • Fixed a bug causing the connection to crash when the client sends no connection negotiation flags (See #283)
  • Fixed a bug preventing files opened by the RDPDR file stealer from being closed (#264)
  • Fixed an issue with ghost mouse pointers in replays converted to MP4 (#271)
  • Fixed a regression with the --sensor-id (-s) command line argument. It would not work since 1.0. (#279)
  • doc: README update to fix Windows install (#301)
  • Now handling space characters in password attempts (#303)
  • Fixed 'Too Many Files Open' situations (#265, #309)
  • core.ssl JSON logs now properly carry the commonName and certFile variables (#326)
  • Fixed wrong date format string for sessions converted from a pcap (#330, #332)
  • Fixed a crash when deleting active file transfers on a disconnect (#322, #333)

Infrastructure

  • Add automated tests to CI configuration
  • Fixed pip timeout issues when building full docker image on slow networks (#320)
  • Updated our dependencies to the latest stable versions for Docker builds (#327)

Credits

Thanks to the following people who contributed to this release:

Alexandre Beaulieu (@alxbl), @dependabot[bot], @exys228, Francis Labelle (@xshill), Olivier Bilodeau (@obilodeau)

v1.0.0

3 years ago

We added many interesting features in the last couple of months and have used this tool in enough contexts to officially mark it as stable. Some of the noteworthy features are described in our announcement blog post.

This release has a dedicated SecTor 2020 presentation: Achieving PyRDP 1.0 – The Remote Desktop Pwnage MITM and Library.

Enhancements

Tools

Player

  • New --headless mode to output replay data to the terminal. All GUI dependencies are now optional enabling further Docker image size reduction. See #151, #163 and #190.
  • Added window scaling support for session replays (#101, #208)

MITM

  • Added support for dynamic certificate cloning when no certificate is specified. (#94, #243). This is enabled by default and can be overridden through the existing -c and -k arguments.
  • File interception now saves files transferred via clipboard copy/paste (#100)
  • Added a transparent proxy mode where source or destination packets are unaltered from the client or the server's perspective. See feature documentation for details and usage examples. See also #197, #204, #205 and #239.
  • Added support for Network Level Authentication (NLA) by passing CredSSP authentication untouched. Activate it with the --auth ssp switch. It requires the RDP server's private key which must be given to PyRDP. See #229 for details.
  • Support for 32-bit x86 operating systems when not using the graphical interface (#150)
  • Added a twistd plugin (#174, #177, #191)
  • Loosened TLS version checks to allow a broader set of clients and servers (#192, #193)
  • Explicitly disabled TLS 1.3 for now since we don't record TLS 1.3 master secrets yet (#116, #193)
  • Logging can be customized using configuration files (#191)
  • Improvements on log correlation (#180):
    • Added replayfilename to the connection report log entry
    • Added sessionID to replay filename
  • Added several switches to selectively disable features of PyRDP:
    • --disable-active-clipboard switch to prevent clipboard request injection
    • --no-downgrade switch to prevent protocol downgrading where possible (#189)
    • --no-files switch to prevent extracting transferred files (#195)
  • Added support for the GDI graphics as the default graphics pipeline. The --no-gdi switch was added to force the previous behavior (bitmaps). See #50 and #209 for details.

Bug fixes

  • Python 3.8 supported by fixing a logging.Formatter misuse (#176)
  • PyRDP no longer creates replay files for sessions with no activity (#169, #207)
  • Fixed stack traces in the player when attempting to print strings ending with a null character (#182)
  • Removed NLA argument from pyrdp-mitm
  • Updated and clarified documentation (#165, #166, #172)

Infrastructure

  • Docker images are now based on Ubuntu 20.04 (#251)
  • Docker image size reduced and split in default and -slim variants (#173, #198)
  • Improved docker caching for faster development iterations (#217, #219)
  • Changed the default docker compose command to pyrdp-mitm -h to avoid a confusing crash on docker-compose up (#173)
  • Added continuous integration with GitHub Actions that builds docker images and runs basic smoke tests (#194, #201, #202, #253)

Credits

Thanks to the following people who contributed to this release:

Olivier Bilodeau (@obilodeau), Alexandre Beaulieu (@alxbl), Émilio Gonzalez (@res260), Francis Labelle (@xshill), @robeving, @sotebob

v0.4.1

4 years ago

0.4.1 - 2019-11-03

Now with 100% public docker image!

Enhancements

  • Improvements to our docker image (#156, #157, #160)
  • Logging when Restricted Admin Mode is enabled on clients
  • Documentation improvements

Bug fixes

  • Fixed libGL.so.1 missing in docker image (#138, #159)

Release meta

  • Released by: Olivier Bilodeau
  • Release beer: Archibald's Triple Américaine limited edition from YUL Airport

Credits

Thanks to the following people who contributed to this release:

Émilio Gonzalez, Francis Labelle, Olivier Bilodeau, Ondrej Gersl

0.4.0

4 years ago

0.4.0 - 2019-09-01

Release just in time for our Derbycon talk!

Enhancements

  • Add recursive folder download from the PyRDP Player and a queue to download files (#140)
  • Add file crawler to automatically download files from the client drive using pattern files (#141)

Bug fixes

Credits

Thanks to the following people who contributed to this release:

Maxime Carbonneau

0.3.0

4 years ago

A special BlackHat USA Arsenal 2019 release!

Enhancements

  • Added Windows support (#129)
  • Improved documentation for operation with Bettercap (#107)
  • Added a heuristics-based credential logger to enable credentials collection at scale (#106)
  • Dependency update: Replaced pycrypto with pycryptodome (#128)
  • UX improvements to the PyRDP-Player (#119, #124)
  • Improved handling of X224 Negotiation Failures like NLA (#102)
  • Accept and log connections from scanners better (#136)
  • Added BlueKeep specific detection and logging (#114)
  • Added a log entry that summarizes a connection, useful to hunt specific connections (#117)
  • Logging minor improvements (#123, #112)

Bug fixes

  • Added support for RDP v10.7 in the connection handshake (#135)
  • Fixed issue with virtualenv setup (#110)
  • Fixed connections to Windows servers with RDS enabled (#118)
  • Shared Folders: Fixed a case where DOSName had no null byte (#121)

Credits

Thanks to the following people who contributed to this release:

Maxime Carbonneau, Émilio Gonzalez, Francis Labelle and Olivier Bilodeau

v0.2.0

4 years ago

A special NorthSec 2019 release just in time for Francis Labelle and Émilio Gonzalez's talk on PyRDP.

Enhancements

  • Session takeover: take control of an active session with working mouse and keyboard
  • Client-side file browsing and downloading
  • Ability to run custom PowerShell or console commands on new connections (documentation)
  • Easier integration with virtualenv (#84)
  • Provided a simple Dockerfile for Docker image creation (#66)
  • Documentation on how to combine with Bettercap (more on the way)
  • Important refactoring

Credits

Thanks to the following people who contributed to this release:

Etienne Lacroix, Olivier Bilodeau, Francis Labelle

v0.1.0

4 years ago

Our first release! See our introductory blog post for full details.

Credits

Thanks to the following people who contributed to this release:

Francis Labelle, Émilio Gonzalez, CoolAcid

Special thanks to Sylvain Peyrefitte who created RDPy, on which we initially based PyRDP. We eventually had to fork due to the drastic changes needed to achieve the capabilities we were interested in building. That said, his initial architecture and base library choices should be recognized, as they stood the test of time.