Open armin884 opened 9 years ago
Hi,
This window is the underlying secure module for NLA. But you're right, I will add this to avoid cleartext passwords.
Actually only the US and FR keyboards are detected. I will add others in the next release. What is your keyboard language, please?
Best regards.
The point is that rdpy-rssplayer doesn't show me the password in cleartext in the field with Domain: Username: Password: Hostname:, since the user isn't prompted for a password before connecting... Also, when the server only accepts NLA connections, MITM is not possible. Is it possible to implement such a login form?
For the keyboard layout, simply add all the keyboard layouts from http://technet.microsoft.com/en-us/library/cc766503%28WS.10%29.aspx .
I get all the issues above and I have the same problem when the server only accepts NLA connections in MITM. Expect the new version! And where can I input the credentials when using '-n', as rdpy-rdpmitm.py says '[-n For NLA Client authentication (need to provide credentials)]'? Thank you.
@leeyefa that's the problem, it's not possible because with NLA enabled you have to enter user and password before the main connection to RDP is established. Doesn't work with the Microsoft Remote Desktop client. Maybe some command-line client works, like rdesktop or rdp+ (http://www.donkz.nl/), but I never tested that. @citronneur any updates on this issue? Is there some way to emulate this security login prompt? On most of the new OSes (Windows 8.1/10/2012 R2) NLA is enabled by default. Are you still maintaining this project?
Sorry but I'm a little bit busy at the moment. Yes, I'm still on the project. My main work is on porting to Python 3. I will do a hotfix for this.
There is another project in C...... / My guess about the server disconnection is that NTLMSSP sends information regarding the client or the server that doesn't match anymore because of the proxying. In the very worst case, the proxy could fully authenticate using NTLMSSP and re-authenticate with the real server after. This may require the proxy to know in advance the real password. /
Sorry but I didn't understand before what you want. MITM in the NTLM case is not possible due to the NTLM mechanism... During NTLM the challenge response is composed with the private key of the server and the client password. The server needs to know the client password beforehand. Sorry...
Sorry but I didn't understand before what you want. MITM in the NTLM case is not possible due to the NTLM mechanism... SSP is designed for MITM attacks. The challenge response is composed with the private key of the server and the client password. The server needs to know the client password beforehand. Sorry...
Does that mean MITM of RDP with NLA is not possible?
Yes, sorry.
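The exchange above says that a proxy cannot pass NLA through because the challenge response depends on the client's password and on the challenge the client was given. The following is an added worked example written for this page; it is not rdpy code and not the thread participants' code. It implements the NTLMv2 computation from MS-NLMP (NTOWFv2 and NtChallengeResponse, on top of a small pure-Python MD4 because hashlib's md4 is often unavailable on OpenSSL 3) and then plays the proxy scenario: the client answers the challenge the proxy sent it, the proxy relays that answer to the real server, and the real server checks it against its own challenge. The user name, domain, password, challenges, timestamp and the simplified target-info blob are all made-up values for the demonstration.

```python
"""NTLMv2 challenge/response (MS-NLMP) and why a terminating RDP proxy fails NLA.

Added example, not rdpy code. All credentials and nonces below are constructed.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.md4 is often disabled on OpenSSL 3."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, const, order, shifts in rounds:
            for i in range(16):
                idx = (-i) % 4  # each round updates a, d, c, b, a, d, ...
                p, q, r = v[(idx + 1) % 4], v[(idx + 2) % 4], v[(idx + 3) % 4]
                v[idx] = rotl((v[idx] + func(p, q, r) + x[order[i]] + const) & MASK,
                              shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is the secret a proxy lacks."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain), MS-NLMP 3.3.2."""
    salt = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), salt, hashlib.md5).digest()


def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: bytes, target_info: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp, NTProofStr = HMAC-MD5(key, ServerChallenge || temp)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(key: bytes, server_challenge: bytes, response: bytes) -> bool:
    """What the real server does: recompute NTProofStr over the challenge IT sent."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo(proxy_knows_password: bool) -> dict:
    """Client -> proxy -> real server. Returns which checks pass."""
    user, domain, password = "alice", "CORP", "Passw0rd!"       # made up
    key = ntowf_v2(password, user, domain)                      # server's copy, from its account DB
    real_challenge = bytes.fromhex("0123456789abcdef")          # chosen by the real server
    proxy_challenge = bytes.fromhex("fedcba9876543210")         # chosen by the proxy
    client_nonce = bytes.fromhex("0011223344556677")            # client's ClientChallenge
    timestamp = struct.pack("<Q", 132000000000000000)           # FILETIME, made up
    target_info = b"\x00\x00\x00\x00"                           # MsvAvEOL only (simplified AV_PAIRs)

    # 1. The client only ever talks to the proxy, so it answers the proxy's challenge.
    client_resp = ntlmv2_response(key, proxy_challenge, client_nonce, timestamp, target_info)
    # 2. The proxy forwards it; the real server checks against its own challenge.
    relayed_ok = server_verify(key, real_challenge, client_resp)
    # 3. Only a proxy that knows the password can answer the real challenge itself.
    forged_ok = False
    if proxy_knows_password:
        forged = ntlmv2_response(ntowf_v2(password, user, domain), real_challenge,
                                 client_nonce, timestamp, target_info)
        forged_ok = server_verify(key, real_challenge, forged)
    # 4. The client's answer was fine for the challenge it actually received.
    valid_for_proxy_challenge = server_verify(key, proxy_challenge, client_resp)
    return {"relayed_ok": relayed_ok, "forged_ok": forged_ok,
            "valid_for_proxy_challenge": valid_for_proxy_challenge}


if __name__ == "__main__":
    print(demo(proxy_knows_password=False))
    print(demo(proxy_knows_password=True))
```

The relayed response fails because NTProofStr is keyed by the NT hash and covers the proxy's challenge, not the server's; the proxy cannot recompute it without the password. CredSSP adds a second obstacle the thread does not name: after the NTLM exchange the client returns the server's TLS public key encrypted under the NTLM session key (pubKeyAuth), and since the proxy must present its own certificate to the client, the real server rejects that value too. What a terminating proxy does capture is the NetNTLMv2 challenge/response pair, which is only useful for offline password guessing, not for logging in.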
But wouldn't it be possible, in the case of NLA, to do something like a fake login prompt / fake RDP server (something like a honeypot) only to grab the login creds and then disconnect the client? Look here https://github.com/citronneur/rdpy/issues/28
I'm still doing research on that issue. If I add "prompt for credentials on client:i:1" (https://technet.microsoft.com/de-de/library/ff393660(v=ws.10).aspx) to the .rdp file on the client side, I'm always prompted for login credentials and so MITM with NLA enabled works (tested with Windows 2012 R2); I also get that login prompt if NLA is not enabled. But "prompt for credentials on client:i:1" is disabled by default. How does the client choose whether or not to prompt for credentials? Can we modify rdpy somehow to do that?
1. The client (Windows) no longer prompts you for credentials before you establish a Remote Desktop connection, so no logon data is stored in cleartext. This window doesn't appear.
~~2. The keyboard layout of the client isn't detected automatically; the US keyboard will always be used even if the client has a different layout. I think the default value found in gcc.py, self.kbdLayout = UInt32Le(KeyboardLayout.US), will always be used, because if I change that value I get a different keyboard layout.~~
Got a workaround for the keyboard layout (changing the gcc.py self.kbdLayout = UInt32Le(KeyboardLayout.US) value), so that is solved for me; only the credentials problem is still valid.