skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

Enhancement: RDP Module #89

Closed anotheronemoretime closed 2 years ago

anotheronemoretime commented 3 years ago

Hi @skelsec,

This PR updates the RDP module.

It allows the extraction of RDP connection information through 2 methods:

In order to work properly, you need to apply the pull request #21. It makes a minor fix in the minidump library, more precisely in the function which is looking for patterns in memory segments.

I did some tests and everything seems to work like a charm on win2012r2, win2016, win2019 and win10 (x64). Further testing is welcome :)

Kind regards

skelsec commented 3 years ago

wow, this looks really cool! The only reason I haven't merged it yet is that this project is now migrating to Porchetta Industries "group" and you just sent it after the gitlab sync. We are trying to figure out what would be the best way to get it right. Sorry for the inconvenience, we're on it.

byehack commented 3 years ago

Not working using RDPCredParser.parse_minidump_file on Win10 20H2.

UPDATE: worked after using 64bit interpreter.

skelsec commented 3 years ago

@ThePwn1sher can you please reach out to me via twitter DM (same handle) or on porchetta discord? It would be appreciated.

byehack commented 3 years ago

RDP: WinServer2019 x64
System: Win10 20H2 x64
Interpreter: Py37 x64

c:\Python37>python -m pypykatz live rdp mstsc
Traceback (most recent call last):
  File "c:\Python37\lib\runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "c:\Python37\lib\runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "c:\Python37\lib\site-packages\pypykatz\__main__.py", line 151, in <module>
    main()
  File "c:\Python37\lib\site-packages\pypykatz\__main__.py", line 84, in main
    helper.execute(args)
  File "c:\Python37\lib\site-packages\pypykatz\rdp\cmdhelper.py", line 59, in execute
    self.run_live(args)
  File "c:\Python37\lib\site-packages\pypykatz\rdp\cmdhelper.py", line 65, in run_live
    print(str(cred))
  File "c:\Python37\lib\site-packages\pypykatz\rdp\packages\creds\decryptor.py", line 38, in __str__
    t += '\t\tpassword_raw %s\n' % self.password_raw.hex()
AttributeError: 'str' object has no attribute 'hex'

byehack commented 3 years ago

other tests:

c:\Python37>python -m pypykatz live rdp mstsc
        == RDP Credential ==
                domainname SERVER
                username user
                password 'None'             # <---------- why None inside string?
                password_raw
                isencrypted: None
                servername: 'x.x.x.x'
                serverfqdn: ''

c:\Python37>python -m pypykatz rdp mstsc minidump c:/mstsc.dmp
        == RDP Credential ==
                domainname SERVER
                username user
                password ''
                password_raw
                isencrypted: True
                servername: 'x.x.x.x'
                serverfqdn: ''

anotheronemoretime commented 3 years ago

Hi @byehack, thank you for your tests. I made a commit which should fix these bugs, at least I hope :). Keep me updated if this solved your issues.

byehack commented 3 years ago

c:\Python37>python -m pypykatz live rdp mstsc
        == RDP Credential ==
                domainname SERVER
                username user
                password 'None'
                password_raw
                isencrypted: None
                servername: 'x.x.x.x'
                serverfqdn: ''

after adding https://github.com/skelsec/pypykatz/pull/89/commits/28840361347273b06b98b053d47e55c9357e1ed1, but it still doesn't show the password.

anotheronemoretime commented 3 years ago

Weird, I can't reproduce the bug:

(screenshot: mstsc)

Do you have the latest version of minidump installed? Otherwise, I'll need your mstsc.dmp file for debugging.

byehack commented 3 years ago

@ThePwn1sher yes, all of the dependencies are updated.

c:\Python37>python -m pypykatz rdp mstsc minidump mstsc.dmp
        == RDP Credential ==
                domainname YES_LOG
                username file
                password ''
                password_raw
                isencrypted: True
                servername: 'x.x.x.x'
                serverfqdn: ''

c:\Python37>python -m pypykatz live rdp mstsc
        == RDP Credential ==
                domainname YES_LOG
                username file
                password 'None'
                password_raw
                isencrypted: None
                servername: 'x.x.x.x'
                serverfqdn: ''

c:\Python37>python --version
Python 3.7.7

c:\Python37>python -m pip show minidump
Name: minidump
Version: 0.0.19
Summary: Python library to parse Windows minidump file format
Home-page: https://github.com/skelsec/minidump
Author: Tamas Jos
Author-email: skelsecprojects@gmail.com
License: UNKNOWN
Location: c:\python37\lib\site-packages
Requires:
Required-by: pypykatz

c:\Python37>systeminfo

Host Name:                 SYSTEM
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.19042 N/A Build 19042

## RDP INFO
C:\Users\file>systeminfo

Host Name:                 YES_LOG
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19043 N/A Build 19043

If you have Telegram, send me a message for the dump file: @ByeHack. Otherwise give me an address to DM you.

byehack commented 3 years ago

Also in mimikatz:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # ts::mstsc
!!! Warning: false positives can be listed !!!

| PID 16224     mstsc.exe (module @ 0x00000000010DF990)

ServerName                                [wstring] 'x.x.x.x'
ServerFqdn                                [wstring] ''
UserSpecifiedServerName                   [wstring] 'x.x.x.x'
UserName                                  [wstring] 'file'
Domain                                    [wstring] 'YES_LOG'
Password                                  [protect]
SmartCardReaderName                       [wstring] ''
PasswordContainsSCardPin                  [ bool  ] FALSE
ServerNameUsedForAuthentication           [wstring] 'x.x.x.x'
RDmiUsername                              [wstring] 'file'

byehack commented 3 years ago

It seems to work on another system:

C:\Users\User>systeminfo

Host Name:                 WIN-R5831VUIAI5
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600

mimikatz # ts::mstsc
!!! Warning: false positives can be listed !!!

| PID 20200     mstsc.exe (module @ 0x000000000104FBB0)

ServerName                                [wstring] 'x.x.x.x'
ServerFqdn                                [wstring] ''
UserSpecifiedServerName                   [wstring] 'x.x.x.x'
UserName                                  [wstring] 'file'
Domain                                    [wstring] ''
Password                                  [protect] 'PASSWord'
SmartCardReaderName                       [wstring] ''
PasswordContainsSCardPin                  [ bool  ] FALSE
ServerNameUsedForAuthentication           [wstring] 'x.x.x.x'

anotheronemoretime commented 3 years ago

So if I understand correctly, Mimikatz AND Pypykatz are not able to retrieve RDP credentials in your mstsc.exe.

You can share your mstsc minidump here: https://nx5494.your-storageshare.de/s/SJteWj3PPbg8jBA (@skelsec will forward it to me). I'll take a look, but if it's also a Mimikatz issue, I'm not sure how to fix it. You may address this issue to @gentilkiwi.

byehack commented 3 years ago

but if it's also a Mimikatz issue, I'm not sure how to fix it. You may address this issue to @gentilkiwi.

I think so too. I should solve this problem with Mimikatz. I think in newer versions of Windows it is unable to get passwords.

anotheronemoretime commented 3 years ago

Commit 841f7c1 will work properly only if the PR #22 is merged.

skelsec commented 2 years ago

Finally I got around testing it, thank you for the contribution!