Closed SnasiCze closed 5 years ago
I am having this same issue. The cert cloner made new certificates, but I still get the cert error. Can it be because of the cert on the actual RDP server?
Also, do you have any tips on setting up the actual RDP server? A good way for attackers to be able to log in when they connect to it.
Also will the pyrdp-mitm/player show bluekeep exploits, and how does this look?
This is an expected behavior. The purpose of a certificate is to verify that you trust the device that you're connecting to, by using asymmetric cryptography. By using the certificate cloner, you create a new certificate that has not been signed by a trusted authority. Thus, it is expected that this cert gives a certificate error.
If you control the destination server, you can extract the certificate and the private key of it manually and use them in pyrdp. That won't yield a certificate error, assuming that the client doesn't get a certificate error when connecting directly to the RDP server.
@norup123 maybe use weak creds or keep a user connected?
Also yes we detect bluekeep exploits attempts, but pyrdp usually crashes the connection after, as the client sends invalid packets.
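The point made above about the cloner is that a re-issued certificate can carry an identical subject while being signed by a brand-new key, so nothing ties it to the key the client already trusts. The following is an added example, not code from the PyRDP project or from anyone in this thread: it builds two self-signed certificates in memory with the same common name (the host name `rdp.example.internal` and every certificate here are constructed for the demo), pins the SHA-256 fingerprint of the first, and shows that a client-side check which only compares the subject accepts the second, while a fingerprint comparison or a signature check against the pinned public key rejects it. It requires the `cryptography` package and makes no network connections.

```python
"""Added example (not part of the PyRDP issue thread or project code): why a
re-issued certificate with an identical subject still fails a pinning check,
and how a client-side check detects the mismatch.

Requires the `cryptography` package. Every certificate below is constructed in
memory for the demonstration; nothing is fetched from the network."""
import hashlib
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Hypothetical host name used for the constructed certificates (assumption).
SERVER_CN = "rdp.example.internal"


def make_self_signed(common_name):
    """Return (private_key, certificate) for a fresh self-signed RSA cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def sha256_fingerprint(cert):
    """SHA-256 over the DER encoding: the fingerprint shown in most cert dialogs."""
    return hashlib.sha256(cert.public_bytes(serialization.Encoding.DER)).hexdigest()


def check_presented_cert(presented_der, pinned_fingerprint, pinned_public_key, expected_cn):
    """Emulate the checks a careful TLS client can run on the certificate a
    server presents: subject name, pinned fingerprint, and whether the cert
    was signed by the key the client already trusts."""
    cert = x509.load_der_x509_certificate(presented_der)
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    try:
        # CertificateBuilder.sign() uses PKCS#1 v1.5 padding for RSA keys.
        pinned_public_key.verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        signed_by_pinned_key = True
    except InvalidSignature:
        signed_by_pinned_key = False
    return {
        "subject_matches": cn == expected_cn,
        "fingerprint_matches": sha256_fingerprint(cert) == pinned_fingerprint,
        "signed_by_pinned_key": signed_by_pinned_key,
    }


def demo():
    """Run the check against the real certificate and against a lookalike."""
    # The real server's key and certificate; the client pins its fingerprint.
    real_key, real_cert = make_self_signed(SERVER_CN)
    pin = sha256_fingerprint(real_cert)
    # Same subject, freshly generated key: what a client sees when whoever
    # terminates TLS does not hold the real server's private key.
    _, lookalike_cert = make_self_signed(SERVER_CN)
    real_der = real_cert.public_bytes(serialization.Encoding.DER)
    look_der = lookalike_cert.public_bytes(serialization.Encoding.DER)
    trusted = real_key.public_key()
    return {
        "real": check_presented_cert(real_der, pin, trusted, SERVER_CN),
        "lookalike": check_presented_cert(look_der, pin, trusted, SERVER_CN),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The subject check passes for both certificates, which is exactly why a cloned certificate looks right at a glance; only the fingerprint and signature checks separate them, and that is the basis of the client-side error the thread describes. Extracting the real certificate and private key from a server you control, as suggested above, makes all three checks pass because the presented certificate then is the pinned one.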
Also, do you have any tips on setting up the actual RDP server?
What is your use case? Do you want to lure legitimate users or attackers (pentesters, malicious employees or online adversaries)? Note that this is a little bit off-topic for this issue, but features like integration with bettercap or fixing the server-side username and password can help you achieve what you want. If you have further questions I recommend you ask them on the security stackexchange with the [pyrdp] tag. This will keep this issue on topic.
Also will the pyrdp-mitm/player show bluekeep exploits, and how does this look?
The specific log line for BlueKeep is this:
Bluekeep (CVE-2019-0708) scan or exploit attempt detected.
Note that we haven't tested it against the newly released metasploit payload.
@Res260 already provided a good answer but allow me to add a bit of context. An RDP man-in-the-middle attack is just like an HTTPS man-in-the-middle attack. If you don't have access to the original certificate/private key there are going to be errors on the client-side. Our experience is that, unlike for HTTPS, users are used to them and tend to click-through these errors. This tool was built in part to demonstrate and raise awareness about that.
I consider this issue closed. If you have further questions on the topic of certificate errors, feel free to re-open.
Hello, I have a problem with an untrusted certificate. When I clone the certificate using pyrdp-cloner, there is no change. See photo.
This is a big problem because people are not connecting to the server.
Is there a solution to get rid of this problem?