GoSecure / pyrdp

RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact
https://www.gosecure.net/blog/2020/10/20/announcing-pyrdp-1/
GNU General Public License v3.0

Implement the drawing orders (GDI) API for output packets #153

Closed xshill closed 4 years ago

xshill commented 4 years ago

Following from this Twitter conversation and this gist comment.

Currently, we can only create replays from PCAPs when the RDP session uses bitmap output. Implementing the GDI drawing order packets (the "normal" output method) would allow the pyrdp-replay script to work with any kind of RDP pcap. It would be nice to have, unfortunately there's quite a bit of work to do to get there.

For reference, here is the spec for drawing orders: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpegdi/745f2eee-d110-464c-8aca-06fc1814f6ad

And the Graphics Update PDU structure: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/bd3c4df4-87b9-43dd-88cb-ce5b24698e19
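As an added illustration of the parsing work described above (this is not PyRDP's code; the field-count table is a subset I filled in from MS-RDPEGDI), here is a Python sketch of the stateful drawing-order header walk over a TS_UPDATE_ORDERS body, with the per-order bodies left undecoded:

```python
import struct

# controlFlags bits of a drawing order header (MS-RDPEGDI 2.2.2.2.1)
TS_STANDARD, TS_SECONDARY, TS_BOUNDS, TS_TYPE_CHANGE = 0x01, 0x02, 0x04, 0x08
TS_ZERO_BOUNDS_DELTAS = 0x20  # bits 0x40/0x80 count omitted trailing fieldFlags bytes

# Field counts of a few primary orders (subset, from MS-RDPEGDI 2.2.2.2.1.1.2.x); the
# width of fieldFlags is ceil(count / 8) bytes minus the trailing zero bytes dropped.
PRIMARY_FIELD_COUNT = {0x00: 5, 0x01: 12, 0x02: 7, 0x09: 10, 0x0A: 7, 0x0D: 9, 0x0E: 16, 0x1B: 22}

def parse_update_orders(data: bytes):
    """Split a TS_UPDATE_ORDERS body into (numberOrders, orderData)."""
    update_type, _pad_a, number_orders, _pad_b = struct.unpack_from("<HHHH", data, 0)
    if update_type != 0x0000:  # UPDATETYPE_ORDERS
        raise ValueError(f"unexpected updateType 0x{update_type:04x}")
    return number_orders, data[8:]

def classify(control_flags: int) -> str:
    """Order class from controlFlags; alternate secondary orders keep their type in bits 2-7."""
    if control_flags & TS_STANDARD:
        return "secondary" if control_flags & TS_SECONDARY else "primary"
    if control_flags & TS_SECONDARY:
        return "alternate_secondary"
    raise ValueError("controlFlags has neither TS_STANDARD nor TS_SECONDARY set")

def primary_header(data: bytes, offset: int, last_type: int):
    """Parse controlFlags, orderType, fieldFlags and bounds of one primary order.
    orderType is only present when TS_TYPE_CHANGE is set; otherwise the previous
    order's type applies, so the caller threads `last_type` through each call.
    Returns (orderType, fieldFlags, bounds_length, offset_of_order_body)."""
    flags = data[offset]
    offset += 1
    order_type = last_type
    if flags & TS_TYPE_CHANGE:
        order_type = data[offset]
        offset += 1
    if order_type not in PRIMARY_FIELD_COUNT:
        raise ValueError(f"primary order 0x{order_type:02x} not in this table")
    width = max(0, (PRIMARY_FIELD_COUNT[order_type] + 7) // 8 - (flags >> 6))
    field_flags = int.from_bytes(data[offset:offset + width], "little")
    offset += width
    bounds_len = 0
    if flags & TS_BOUNDS and not flags & TS_ZERO_BOUNDS_DELTAS:
        desc = data[offset]  # TS_BOUND_LEFT..BOTTOM = 0x01..0x08, DELTA_* = 0x10..0x80
        offset += 1
        for edge in range(4):  # left, top, right, bottom
            if desc & (1 << edge):
                bounds_len += 2  # absolute 16-bit coordinate
            elif desc & (1 << (edge + 4)):
                bounds_len += 1  # 8-bit delta from the previous bounds
        offset += bounds_len
    return order_type, field_flags, bounds_len, offset
```

Decoding the body that follows each header (delta-encoded coordinates, brush and colour fields, cache references) is the remaining bulk of the work, and secondary orders additionally carry a 2-byte orderLength plus 2-byte extraFlags before their orderType.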

robeving commented 4 years ago

Alternatively are there ways to disable this on the server itself?

obilodeau commented 4 years ago

When PyRDP is doing the man-in-the-middle, it will downgrade these channels to bitmap so if you have a packet capture of that you will be able to extract a replay out of it.

Now, to your question: is it possible to disable it from the server? I'm not sure but I would suspect it would be hard to do without modifying system libraries.

I don't know much about your use case but an alternative would be to run pyrdp-mitm.py combined with bettercap and poison clients trying to reach that server's IP. If you control the server you could even extract the server's certificate and private key and use them in PyRDP making this transparent to users who trust the server. For certificate extraction and re-use, we know it's possible but never did it ourselves so step-by-step documentation contribution would be appreciated.

Res260 commented 4 years ago

This is a duplicate for #50 :)

robeving commented 4 years ago

For me, the most important thing is to not have a protocol break. I want the clients to have access to the full range of features RDP offers. For instance if an attacker was to use something like CVE-2019-0708 then pyrdp may have altered the connection so that the attack is not successful.

As for dumping the RDP key from a recent version of Windows:

Res260 commented 4 years ago

For reference, bitmap and gdi are not the only ways to transfer graphics via RDP. Most recent RDP versions use RemoteFx.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdprfx/62495a4a-a495-46ea-b459-5cde04c44549

RemoteFx is obviously not implemented at the moment in PyRDP.

robeving commented 4 years ago

You can disable RemoteFx via the registry / group policy.

alxbl commented 4 years ago

I've started looking into this, I'm going to close this issue as a duplicate of #50 since it's been around longer, but this issue's discussion has a lot of interesting information that will be useful to keep in mind.

Cheers,