thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

Add rdp #241

Closed HybridAU closed 1 year ago

HybridAU commented 1 year ago

This adds a basic RDP service to OpenCanary which has been requested a few times.

We listen on port 3389 (configurable) and whenever a connection comes in, we respond with an RDP Negotiation Failure. This failure indicates that the server and the client could not agree on a security protocol, as opposed to a failed login.

The advantage of this approach is that it's incredibly simple, and we don't need to import any third party libraries.

The main drawback is that because we don't implement more of the RDP spec (such as TPKT, X.224, SSL, Network Level Authentication), we don't capture more details about the connection attempt, like the password or hash being used. This would not be good if we were trying to collect information/statistics about bots on the internet.

However, in the use case of an OpenCanary, we get a high fidelity alert if an attacker tries to connect to it.
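The exchange described in this PR (answer the client's X.224 Connection Request with an RDP Negotiation Failure while recording whatever the request reveals) as an added Python example. This is not the PR's code or OpenCanary's module; the frame layout and constants follow MS-RDPBCGR, and the sample request is constructed here.

```python
import struct

# MS-RDPBCGR constants (from the spec, not from the PR).
TPKT_VERSION = 3
X224_CR = 0xE0                   # X.224 Connection Request TPDU code
X224_CC = 0xD0                   # X.224 Connection Confirm TPDU code
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_FAILURE = 0x03
SSL_REQUIRED_BY_SERVER = 0x00000001   # one of the RDP_NEG_FAILURE failureCode values
COOKIE_PREFIX = b"Cookie: mstshash="  # mstsc sends the login name here


def parse_connection_request(data: bytes) -> dict:
    """Parse TPKT + X.224 Connection Request; return the cookie username and requested protocols."""
    if len(data) < 11 or data[0] != TPKT_VERSION:
        raise ValueError("not a TPKT-framed X.224 PDU")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data) or data[5] != X224_CR:
        raise ValueError("not an X.224 Connection Request")
    body = data[11:]   # after LI, TPDU code, DST-REF, SRC-REF and class option
    username = None
    if body.startswith(COOKIE_PREFIX):
        end = body.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        username = body[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        body = body[end + 2:]
    protocols = 0
    if len(body) >= 8 and body[0] == TYPE_RDP_NEG_REQ:   # optional rdpNegReq
        protocols = struct.unpack("<I", body[4:8])[0]     # requestedProtocols, little-endian
    return {"username": username, "requested_protocols": protocols}


def build_negotiation_failure(failure_code: int = SSL_REQUIRED_BY_SERVER) -> bytes:
    """Build TPKT + X.224 Connection Confirm carrying an RDP_NEG_FAILURE structure."""
    neg_failure = struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, failure_code)
    # LI counts everything after itself: 6 fixed header bytes plus the 8-byte failure
    x224 = struct.pack(">BBHHB", 6 + len(neg_failure), X224_CC, 0, 0, 0) + neg_failure
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def sample_request(user: str = "SBF020") -> bytes:
    """Constructed client request, as mstsc would send it with a saved username."""
    cookie = COOKIE_PREFIX + user.encode("ascii") + b"\r\n"
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, 0x0000000B)  # RDP|SSL|HYBRID|HYBRID_EX
    x224 = struct.pack(">BBHHB", 6 + len(cookie) + len(neg_req), X224_CR, 0, 0, 0) + cookie + neg_req
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224
```

A listener on 3389 would call parse_connection_request on the first frame, log the username and source address as the alert, and write build_negotiation_failure() back before closing the socket.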

defensivedepth commented 1 year ago

Fantastic!

Neleus commented 1 year ago

@HybridAU You forgot to say that RDP works only with the HTTPS update.

Without the HTTPS update, you'll receive this error:

Apr 21 08:50:50 opencanaryd[7747]: from opencanary.modules.https import CanaryHTTPS
Apr 21 08:50:50 opencanaryd[7747]: builtins.ModuleNotFoundError: No module named 'opencanary.modules.https'

Neleus commented 1 year ago

@HybridAU This is better for emulating a fake RDP. It also shows the username, but not the password (encrypted).

HybridAU commented 1 year ago

Hey @Neleus thanks for your feedback.

This change doesn't rely on the HTTPS module. I'm assuming you're getting that error message because opencanary.tac imports that module and somehow you don't have it, but that change is already in the master branch.

Responding with a successful NLA response like the fake RDP you have linked to does look like a good idea; I'll take a look and update my PR.

Neleus commented 1 year ago

@HybridAU LOL, my opencanary wasn't updated because the version wasn't changed in CONFIG. Better to change the version in CONFIG on the main branch. Thanks

HybridAU commented 1 year ago

I've updated this PR so the initial response is the same as an NLA-enabled RDP server's, and then we respond with an authentication failure when the attacker tries to log in.

dlundgren commented 1 year ago

This is great, would love to see this merged in soon so that I can get off of Python 2.

1Stronk commented 1 year ago

This is awesome, I can't thank you enough. Would love to see this merged 👍

1Stronk commented 1 year ago

I decided to clone your branch to test things out for myself; it works like a charm, really, even capturing the username when specifically selecting an account to log in with.

For example, when using a "compromised" Microsoft account to log in with RDP, it captures the User Logon Name/SAM account name ('SBF020' in this scenario).

To easily find out more information about this compromised account, you can use CMD to run the command 'net user SBF020 /domain'.

Note: it does fail to capture the username when one of the other 3 sign-in methods is chosen, but the source IP address would suffice in this case for detecting compromised devices.

jayjb commented 1 year ago

@HybridAU thank you so much! This is excellent and I'm sure from here we can add onto it too. Very Well Played!