1.1.0
Release Highlights
Released just in time for our BlackHat USA Arsenal 2021 presentation! Here are the high-level release highlights:
- Network-Level Authentication (NLA) redirection: if target is NLA redirect to a different non-NLA host (see this as a dynamic downgrade attack)
- Improved file collection capabilities: file deduplication, preserving client-side file hierarchies and preserve partial copies
- More reliable, powerful and faster
pyrdp-convert
- Attempted credentials collection (NTLMSSP hashes in NLA context and plaintext otherwise)
- Improved logging in error conditions and general bug fixes
Full list of changes follows.
Breaking Changes
pyrdp-convert
command-line interface change:--list
is now--list-only
to better reflect what it does. The short form-l
didn't change. (#311)- Log fields changes:
hash
is nowshasum
(#302)
Enhancements
Security
- Cryptography dependency updated to 3.3.2 due to upstream security issues which we are not really concerned about for this project's use case (See #259, #295)
- Pillow dependency updated to 8.2.0 due to upstream security issues (see #306 and #317)
- rsa dependency updated to 4.7 due to upstream security issues (see #314)
Tools
pyrdp-convert
now relies on scapy for session reconstruction from a pcap. This is more reliable and can handle multiple sessions at once. (#311, #221)pyrdp-convert
MP4 conversion is now 2x faster! (See #234 and #273)- Added a JSON output format to
pyrdp-convert
(See #236) - Use a proper progress bar with completion percentage and ETA in
pyrdp-convert
(See #274)
MITM
- NLA Redirection: if the original destination server requires NLA we can now redirect the connection to a different destination server as specified by the
--nla-redirection-host
and--nla-redirection-port
switches (#260, #308) - Added NTLMSSP hash logging when NLA is used with NTLM as the authentication protocol. Hashes are logged to
pyrdp_output/logs/ntlmssp.log
in addition to stdout and JSON. (See #307) - Added attempted credentials logging when using graphical login (non-NLA). It is using a heuristic of Enter being pressed or mouse being clicked in specific areas. (See #303)
- PyRDP will log the value of the
HOST_IP
variable on start if it exists. You can set it to the IP address of the host running PyRDP. This is mostly helpful when you're using PyRDP in Docker and you want the IP of the Docker host in the logs. - Added detection function for BlueKeep scans/exploit attempts. PyRDP will log the attempt and shut down the connection. The JSON log has an exploitInfo attribute as well as a parserInfo attribute to help investigate what happened.
- Added better logging for parser errors. PyRDP will now log which parser crashed and the data that was fed to that parser to make it crash. This makes it easier to investigate bugs and exploits. In JSON logs, this information shows up in the parserInfo attribute.
- Files intercepted or crawled by the MITM are now named according to the sha1 hash of their contents and stored in the
pyrdp_output/files
folder (see #261) - Files that are currently being downloaded by the MITM but are not complete are stored in the
pyrdp_output/files/tmp
folder - Both the file stealer and the file crawler components now mimick the victim's filesystem by creating the same file hierarchy in the
pyrdp_output/filesystems/<SESSION_ID>
folders. Files in these folders are symbolic links to files in thepyrdp_output/files
folder to avoid useless duplication. The symlinks are relative, which allows you to move the folder around without losing the mapping. (See #270, #272 and #299) - File interceptor will keep a copy of interrupted file transfers in
pyrdp_output/files/tmp/
and mention it in the logs (#333) - All JSON logs now have a
clientIp
field once a client IP address is known (#321, #326) - Removed
mapping.json
file since all the information it would contain can be obtained by checking thepyrdp_output/filesystems
folder - Added tests for the DeviceRedirectionMITM and FileMapping classes (#268)
- Added
clientPort
field to the message when a new client is connected (#310)
Bug fixes
- Added SO_REUSEADDR to MITM socket to avoid having to wait for sockets stuck in
TIME_WAIT
- Fixed a bug causing the connection to crash when the pointerCacheSize field is absent in PointerCapability (See #287)
- Fixed a bug causing the connection to crash when the client sends no connection negotiation flags (See #283)
- Fixed a bug preventing files opened by the RDPDR file stealer from being closed (#264)
- Fixed an issue with ghost mouse pointers in replays converted to MP4 (#271)
- Fixed a regression with the
--sensor-id
(-s
) command line argument. It would not work since 1.0. (#279) - doc: README update to fix Windows install (#301)
- Now handling space characters in password attempts (#303)
- Fixed 'Too Many Files Open' situations (#265, #309)
core.ssl
JSON logs now properly carry thecommonName
andcertFile
variables (#326)- Fixed wrong date format string for sessions converted from a pcap (#330, #332)
- Fixed a crash when deleting active file transfers on a disconnect (#322, #333)
Infrastructure
- Add automated tests to CI configuration
- Fixed pip timeout issues when building full docker image on slow networks (#320)
- Updated our dependencies to the latest stable versions for Docker builds (#327)
Credits
Thanks to the following people who contributed to this release:
Alexandre Beaulieu (@alxbl), @dependabot[bot], @exys228, Francis Labelle (@xshill), Olivier Bilodeau (@obilodeau)