citronneur / rdpy

Remote Desktop Protocol in Twisted Python
GNU General Public License v3.0

Multiple errors when using rdpy-rdphoneypot.py #100

Open bontchev opened 4 years ago

bontchev commented 4 years ago

I tried setting up an RDP honeypot using rdpy-rdphoneypot.py but it was an utter failure because rdpy-rdphoneypot.py is broken in multiple ways, essentially making it unusable.

1) When connecting to the honeypot manually with a Windows 7 RDP client, it sort of works, in the sense that I am shown the recorded session. However, I am never asked for a password and no password is recorded in the log. Somebody has asked how to fix this problem in issue #93 but never got a reply.

2) When actual attackers connect to the honeypot, it seems that the RDP protocol is not quite compatible with theirs. As a result, the honeypot logs only the connection but no username, password, etc.:

[*] INFO:   Connection from 185.156.177.153:53555
[*] INFO:   Connection from 185.156.177.153:56984
[*] INFO:   Connection from 14.23.163.250:53077
[*] INFO:   Connection from 185.156.177.176:4584
[*] INFO:   Connection from 185.156.177.176:4585

3) Occasionally the honeypot crashes with the following error:

[*] ERROR:  Error during read <class 'rdpy.protocol.rdp.x224.X224DataHeader'>::messageType
Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/home/bontchev/rdphoneypot/rdpy/core/layer.py", line 209, in dataReceived
    self.recv(expectedData)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/tpkt.py", line 195, in readData
    self._presentation.recv(data)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/x224.py", line 147, in recvData
    data.readType(header)
  File "/home/bontchev/rdphoneypot/rdpy/core/type.py", line 897, in readType
    value.read(self)
  File "/home/bontchev/rdphoneypot/rdpy/core/type.py", line 97, in read
    self.__read__(s)
  File "/home/bontchev/rdphoneypot/rdpy/core/type.py", line 477, in __read__
    raise e
rdpy.core.error.InvalidExpectedDataException: <class 'rdpy.core.type.UInt8'> const value expected 240 != 128

Issue #25 suggests that this happens when the attacking tool Hydra is used because of some kind of protocol incompatibility. Any chance of this problem being solved?

4) Occasionally the honeypot crashes with the following error:

Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/home/bontchev/rdphoneypot/rdpy/core/layer.py", line 209, in dataReceived
    self.recv(expectedData)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/tpkt.py", line 186, in readFastPath
    self._fastPathListener.recvFastPath(self._secFlag, data)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/sec.py", line 510, in recvFastPath
    self._fastPathPresentation.recvFastPath(secFlag, fastPathS)
exceptions.TypeError: recvFastPath() takes exactly 2 arguments (3 given)

Somebody has asked what it means in issue #66 but never got a reply.

5) Occasionally the honeypot crashes with the following error:

Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/home/bontchev/rdphoneypot/rdpy/core/layer.py", line 209, in dataReceived
    self.recv(expectedData)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/tpkt.py", line 195, in readData
    self._presentation.recv(data)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/x224.py", line 148, in recvData
    self._presentation.recv(data)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/t125/mcs.py", line 542, in recvErectDomainRequest
    raise InvalidExpectedDataException("Invalid MCS PDU : ERECT_DOMAIN_REQUEST expected")
rdpy.core.error.InvalidExpectedDataException: Invalid MCS PDU : ERECT_DOMAIN_REQUEST expected

I have no idea what that means but it's probably again some kind of protocol incompatibility with some attacking tool.

Is there any chance of these problems ever getting fixed or should I give up on the idea of using this tool as an RDP honeypot?

chapinb commented 4 years ago

I am also getting the error reported as item 5:

INFO:   Connection from <ip>:1885
Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/layer.py", line 209, in dataReceived
    self.recv(expectedData)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/tpkt.py", line 195, in readData
    self._presentation.recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/x224.py", line 148, in recvData
    self._presentation.recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/t125/mcs.py", line 542, in recvErectDomainRequest
    raise InvalidExpectedDataException("Invalid MCS PDU : ERECT_DOMAIN_REQUEST expected")
rdpy.core.error.InvalidExpectedDataException: Invalid MCS PDU : ERECT_DOMAIN_REQUEST expected

I understand that some malformed traffic will be sent as a byproduct of port scanning/etc. but wanted to echo that this is in multiple environments. If anticipated, can we have a try/except that catches and prints that it is malformed (with detail?)
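
The defensive read chapinb asks for, as an added example that is not rdpy's code: a stand-alone Python 3 classifier for the TPKT/X.224 framing that rdpy's tpkt.py and x224.py parse, which turns the Disconnect Request behind item 3's "expected 240 != 128" and truncated scanner frames into log lines instead of uncaught exceptions. The `classify_pdu` and `honeypot_read` names and the sample frames are constructed for this example; the X.224 TPDU codes come from ITU-T X.224 as used by RDP.

```python
import struct

# X.224 TPDU type codes (high nibble of the code byte), ITU-T X.224 as used by
# MS-RDPBCGR. rdpy's X224DataHeader accepts only DATA (0xF0); the thread's
# "const value expected 240 != 128" is a Disconnect Request (0x80) arriving
# where a Data TPDU was assumed, and rdpy raises instead of closing cleanly.
TPDU_NAMES = {0xE0: "connection-request", 0xD0: "connection-confirm",
              0x80: "disconnect-request", 0xF0: "data", 0x70: "error"}
TPKT_VERSION = 3

class MalformedPdu(Exception):
    """Input that is not a well-formed TPKT/X.224 frame (scanner noise, fuzzing)."""

def classify_pdu(pdu: bytes) -> str:
    """Return the TPDU type name of one frame, or raise MalformedPdu with a reason."""
    if not pdu:
        raise MalformedPdu("empty read")
    # First byte 0x03 is the TPKT version; anything else is an RDP fast-path
    # header (action in the low two bits), the branch behind rdpy's readFastPath().
    if pdu[0] != TPKT_VERSION:
        return "fastpath"
    if len(pdu) < 4:
        raise MalformedPdu("short TPKT header (%d bytes)" % len(pdu))
    _ver, _reserved, length = struct.unpack("!BBH", pdu[:4])
    if length != len(pdu):
        raise MalformedPdu("TPKT length %d != %d bytes received" % (length, len(pdu)))
    if len(pdu) < 6:
        raise MalformedPdu("no room for an X.224 header after TPKT")
    code = pdu[5] & 0xF0
    if code not in TPDU_NAMES:
        raise MalformedPdu("unknown X.224 TPDU code 0x%02x" % pdu[5])
    return TPDU_NAMES[code]

def honeypot_read(peer: str, pdu: bytes) -> str:
    """One defensive read: always returns a log line and never raises to the reactor."""
    try:
        kind = classify_pdu(pdu)
    except MalformedPdu as exc:
        return "[*] WARN:  %s sent malformed PDU (%s): %s" % (peer, exc, pdu.hex())
    if kind == "disconnect-request":
        return "[*] INFO:  %s sent X.224 disconnect request, closing" % peer
    return "[*] INFO:  %s sent %s PDU (%d bytes)" % (peer, kind, len(pdu))

# Constructed sample frames (not captured traffic): TPKT + X.224 Data TPDU,
# TPKT + X.224 Disconnect Request, and a frame cut short of its TPKT length.
DATA_PDU = bytes.fromhex("0300000702f080")
DISCONNECT_PDU = bytes.fromhex("0300000b06800000000000")
TRUNCATED_PDU = bytes.fromhex("0300001002")
```

In a Twisted protocol the same try/except would sit in `dataReceived`, followed by `self.transport.loseConnection()` for the malformed and disconnect cases.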

hackdefendr commented 4 years ago

Downgrade Twisted to 19.2.1, I was seeing these errors only in newer versions. Seems they changed something in newer versions and @citronneur does not appear to be active so upgrading probably won't be happening.

citronneur commented 4 years ago

OK, I will check soon. I'm working on the Python 3 version.

bontchev commented 4 years ago

Oh, man, nice to hear back from you!

I've started making an RDP honeypot of my own, based on this library. I'd like it to be able to run in Python3 too, so I and another guy have started porting the library. Man what a pain in the butt... We're nowhere near ready yet, but if you would like to take a look (maybe it would save you some time?), give me some e-mail address (could be a throw-away one) to which to send the invite. The repo is on GitLab and it isn't public yet.

lwtsao commented 3 years ago

Hi,

I also get the same error when scanning the RDPY honeypot with an nmap script.

The nmap command: nmap -sC rdp-enum-encryption.nse 127.0.0.1

The error message:

Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 597, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 208, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 214, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/layer.py", line 209, in dataReceived
    self.recv(expectedData)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/tpkt.py", line 186, in readFastPath
    self._fastPathListener.recvFastPath(self._secFlag, data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/sec.py", line 510, in recvFastPath
    self._fastPathPresentation.recvFastPath(secFlag, fastPathS)
exceptions.TypeError: recvFastPath() takes exactly 2 arguments (3 given)

I've tried to downgrade Twisted to 19.2.1, which @hackdefendr advised before, but it didn't work either. I know you are working on the Python 3 version, so I just wonder if you have time to fix this.

d0nEgg1 commented 2 years ago

@citronneur are there any news regarding a "new" Python 3 version? I stumbled upon this project in search of an RDP honeypot for a school project, however I get the same error as some guys in here as soon as I start an RDP session to the honeypot.

[*] ERROR:      Error during read <class 'rdpy.core.rss.UpdateEvent'>::data
[*] ERROR:      Error during read <class 'rdpy.core.rss.Event'>::event
Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/layer.py", line 209, in dataReceived
    self.recv(expectedData)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/tpkt.py", line 195, in readData
    self._presentation.recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/x224.py", line 148, in recvData
    self._presentation.recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/t125/mcs.py", line 243, in recvData
    self._channels[channelId].recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/layer.py", line 102, in <lambda>
    callback = lambda x:self.__class__.recv(self, x)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/sec.py", line 470, in recv
    self._presentation.recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/pdu/layer.py", line 504, in recvClientFontListPDU
    self._listener.onReady()
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/rdp.py", line 480, in onReady
    observer.onReady()
  File "/usr/local/bin/rdpy-rdphoneypot.py", line 68, in onReady
    self.start()
  File "/usr/local/bin/rdpy-rdphoneypot.py", line 83, in start
    self.loopScenario(self._rssFile.nextEvent())
  File "/usr/local/bin/rdpy-rdphoneypot.py", line 106, in loopScenario
    e = self._rssFile.nextEvent()
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/rss.py", line 282, in nextEvent
    self._s.readType(e)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/type.py", line 897, in readType
    value.read(self)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/type.py", line 97, in read
    self.__read__(s)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/type.py", line 477, in __read__
    raise e
rdpy.core.error.InvalidSize: Impossible to read type <class 'rdpy.core.rss.UpdateEvent'> : read length is too small

ehmueller commented 2 years ago

Hello, I am having the same issue. Any news on a fix or Python 3 port?