{"id":20462,"date":"2021-11-29T05:28:18","date_gmt":"2021-11-29T05:28:18","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=20462"},"modified":"2021-11-29T05:28:22","modified_gmt":"2021-11-29T05:28:22","slug":"pyrdp","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/pyrdp\/","title":{"rendered":"PyRDP : RDP Monster-In-The-Middle (Mitm) And Library For Python With The Ability To Watch Connections Live Or After The Fact"},"content":{"rendered":"\n<p><strong>PyRDP<\/strong> is a Python Remote Desktop Protocol (RDP) Monster-in-the-Middle (MITM) tool and library.<\/p>\n\n\n\n<p>It features a few tools:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>RDP Monster-in-the-Middle<ul><li>Logs credentials used when connecting<\/li><li>Steals data copied to the clipboard<\/li><li>Saves a copy of the files transferred over the network<\/li><li>Crawls shared drives in the background and saves them locally<\/li><li>Saves replays of connections so you can look at them later<\/li><li>Runs console commands or PowerShell payloads automatically on new connections<\/li><\/ul><\/li><li>RDP Player:<ul><li>See live RDP connections coming from the MITM<\/li><li>View replays of RDP connections<\/li><li>Take control of active RDP sessions while hiding your actions<\/li><li>List the client&#8217;s mapped drives and download files from them during active sessions<\/li><\/ul><\/li><li>RDP Certificate Cloner:<ul><li>Create a self-signed X509 certificate with the same fields as an RDP server&#8217;s certificate<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>PyRDP was&nbsp;introduced in 2018, when we&nbsp;demonstrated that it can catch a real threat actor in action. 
This tool is being developed with both pentest and malware research use cases in mind.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Supported Systems<\/strong><\/p>\n\n\n\n<p>PyRDP should work on Python 3.6 and up on the x86-64, ARM and ARM64 platforms.<\/p>\n\n\n\n<p>This tool has been tested to work on Python 3.6 on Linux (Ubuntu 18.04), Raspberry Pi and Windows (see section&nbsp;<a href=\"https:\/\/github.com\/GoSecure\/pyrdp#installing-on-windows\">Installing on Windows<\/a>). It has not been tested on macOS.<\/p>\n\n\n\n<p class=\"has-text-align-center has-black-color has-vivid-green-cyan-background-color has-text-color has-background\"><strong>Installing<\/strong><\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#using-the-docker-image\"><\/a><strong>Using the Docker Image<\/strong><\/p>\n\n\n\n<p>This is the easiest installation method if you have Docker installed and working.<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>docker pull gosecure\/pyrdp:latest<\/strong><\/p>\n\n\n\n<p>As an alternative we have a slimmer image without the GUI and ffmpeg dependencies. This is the only provided image on ARM platforms.<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>docker pull gosecure\/pyrdp:latest-slim<\/strong><\/p>\n\n\n\n<p>You can find the list of all our Docker images&nbsp;on the gosecure\/pyrdp DockerHub page.<\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#from-git-source\"><\/a><strong>From Git Source<\/strong><\/p>\n\n\n\n<p>We recommend installing PyRDP in a&nbsp;virtual environment&nbsp;to avoid dependency issues.<\/p>\n\n\n\n<p>First, make sure to install the prerequisite packages (on Ubuntu). 
We provide two types of installs: a full one and a slim one. Install the dependencies according to your use case.<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong># Full install (GUI, transcoding to MP4)<br>sudo apt install python3 python3-pip python3-dev python3-setuptools python3-venv \\<br>build-essential git openssl \\<br>libdbus-1-dev libdbus-glib-1-dev libgl1-mesa-glx \\<br>notify-osd dbus-x11 libxkbcommon-x11-0 libxcb-xinerama0 \\<br>libavformat-dev libavcodec-dev libavdevice-dev \\<br>libavutil-dev libswscale-dev libswresample-dev libavfilter-dev<br># Slim install (no GUI, no transcoding)<br>sudo apt install python3 python3-pip python3-setuptools python3-venv \\<br>build-essential python3-dev git openssl<\/strong><\/p>\n\n\n\n<p>Grab PyRDP&#8217;s source code:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>git clone https:\/\/github.com\/gosecure\/pyrdp.git<\/strong><\/p>\n\n\n\n<p>Then, create your virtual environment in the&nbsp;<code><strong>venv<\/strong><\/code>&nbsp;directory inside PyRDP&#8217;s directory:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>cd pyrdp<br>python3 -m venv venv<\/strong><\/p>\n\n\n\n<p><em>DO NOT<\/em>&nbsp;use the root PyRDP directory for the virtual environment folder <strong>(<code>python3 -m venv .<\/code><\/strong>). 
You will make a mess, and using a directory name like&nbsp;<code><strong>venv<\/strong><\/code>&nbsp;is more standard anyway.<\/p>\n\n\n\n<p>Before installing the dependencies, you need to activate your virtual environment:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>source venv\/bin\/activate<\/strong><\/p>\n\n\n\n<p>Finally, you can install the project with Pip:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pip3 install -U pip setuptools wheel<br># Without GUI and ffmpeg dependencies<br>pip3 install -U -e .<br># With GUI and ffmpeg dependencies<br>pip3 install -U -e '.[full]'<\/strong><\/p>\n\n\n\n<p>This should install the dependencies required to run PyRDP. If you choose to install without GUI or ffmpeg dependencies, it will not be possible to use&nbsp;<code><strong>pyrdp-player<\/strong><\/code>&nbsp;without headless mode (<code><strong>--headless<\/strong><\/code>) or&nbsp;<code><strong>pyrdp-convert<\/strong><\/code>.<\/p>\n\n\n\n<p>If you ever want to leave your virtual environment, you can simply deactivate it:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>deactivate<\/strong><\/p>\n\n\n\n<p>Note that you will have to activate your environment every time you want to have the PyRDP scripts available as shell commands.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#installing-on-windows\"><\/a><strong>Installing on Windows<\/strong><\/p>\n\n\n\n<p>The steps are almost the same. There are two additional prerequisites.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Any C compiler<\/li><li>OpenSSL. 
Make sure it is reachable from your&nbsp;<code><strong>$PATH<\/strong><\/code>.<\/li><\/ul>\n\n\n\n<p>Then, create your virtual environment in PyRDP&#8217;s directory:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>cd pyrdp<br>python3 -m venv venv<\/strong><\/p>\n\n\n\n<p><em>DO NOT<\/em>&nbsp;use the root PyRDP directory for the virtual environment folder <strong>(<code>python3 -m venv .<\/code><\/strong>). You will make a mess, and using a directory name like&nbsp;<code><strong>venv<\/strong><\/code>&nbsp;is more standard anyway.<\/p>\n\n\n\n<p>Before installing the dependencies, you need to activate your virtual environment:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>venv\\Scripts\\activate<\/strong><\/p>\n\n\n\n<p>Finally, you can install the project with Pip:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pip3 install -U pip setuptools wheel<br>pip3 install -U -e &quot;.[full]&quot;<\/strong><\/p>\n\n\n\n<p>This should install all the dependencies required to run PyRDP.<\/p>\n\n\n\n<p>If you ever want to leave your virtual environment, you can simply deactivate it:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>deactivate<\/strong><\/p>\n\n\n\n<p>Note that you will have to activate your environment every time you want to have the PyRDP scripts available as shell commands.<\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#building-the-docker-image\"><\/a><strong>Building the Docker Image<\/strong><\/p>\n\n\n\n<p>First of all, build the image by executing this command at the root of PyRDP (where Dockerfile is located):<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color 
has-text-color has-background\"><strong>docker build -t pyrdp .<\/strong><\/p>\n\n\n\n<p>As an alternative we have a slimmer image without the GUI and ffmpeg dependencies:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>docker build -f Dockerfile.slim -t pyrdp .<\/strong><\/p>\n\n\n\n<p>Afterwards, you can execute PyRDP by invoking the&nbsp;<code><strong>pyrdp<\/strong><\/code>&nbsp;docker container. See&nbsp;Usage instructions&nbsp;and the&nbsp;<a href=\"https:\/\/github.com\/GoSecure\/pyrdp#docker-specific-usage-instructions\">Docker specific instructions<\/a>&nbsp;for details.<\/p>\n\n\n\n<p>Cross-platform builds can be achieved using&nbsp;<code><strong>buildx<\/strong><\/code> (note the trailing build context, which buildx requires just like <code>docker build<\/code>):<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>docker buildx build --platform linux\/arm,linux\/amd64 -t pyrdp -f Dockerfile.slim .<\/strong><\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><strong>Migrating away from pycrypto<\/strong><\/p>\n\n\n\n<p>Since pycrypto isn&#8217;t maintained anymore, we chose to migrate to pycryptodome. 
If you get this error, it means that you are using the module pycrypto instead of pycryptodome.<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>[\u2026]<br>File &#8220;[\u2026]\/pyrdp\/pyrdp\/pdu\/rdp\/connection.py&#8221;, line 10, in<br>from Crypto.PublicKey.RSA import RsaKey<br>ImportError: cannot import name &#8216;RsaKey&#8217;<\/strong><\/p>\n\n\n\n<p>You will need to remove the module pycrypto and reinstall PyRDP.<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pip3 uninstall pycrypto<br>pip3 install -U -e .<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Using PyRDP<\/strong><\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#using-the-pyrdp-monster-in-the-middle\"><\/a><strong>Using the PyRDP Monster-in-the-Middle<\/strong><\/p>\n\n\n\n<p>Use&nbsp;<code><strong>pyrdp-mitm.py &lt;ServerIP&gt;<\/strong><\/code>&nbsp;or&nbsp;<code><strong>pyrdp-mitm.py &lt;ServerIP&gt;:&lt;ServerPort&gt;<\/strong><\/code>&nbsp;to run the MITM.<\/p>\n\n\n\n<p>Assuming you have an RDP server running on&nbsp;<code><strong>192.168.1.10<\/strong><\/code>&nbsp;and listening on port 3389, you would run:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pyrdp-mitm.py 192.168.1.10<\/strong><\/p>\n\n\n\n<p>When running the MITM for the first time on Linux, a private key and certificate should be generated for you in&nbsp;<code>~\/.config\/pyrdp<\/code>. These are used when TLS security is used on a connection. 
You can use them to decrypt PyRDP traffic in Wireshark, for example.<\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#specifying-the-private-key-and-certificate\"><\/a><strong>Specifying the private key and certificate<\/strong><\/p>\n\n\n\n<p>If key generation didn&#8217;t work or you want to use a custom key and certificate, you can specify them using the&nbsp;<code><strong>-c<\/strong><\/code>&nbsp;and&nbsp;<code><strong>-k<\/strong><\/code>&nbsp;arguments:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pyrdp-mitm.py 192.168.1.10 -k private_key.pem -c certificate.pem<\/strong><\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><strong>Connecting to the PyRDP player<\/strong><\/p>\n\n\n\n<p>If you want to see live RDP connections through the PyRDP player, you will need to specify the IP address and port on which the player is listening using the&nbsp;<code><strong>-i<\/strong><\/code>&nbsp;and&nbsp;<code><strong>-d<\/strong><\/code>&nbsp;arguments. Note: the port argument is optional, the default port is 3000.<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pyrdp-mitm.py 192.168.1.10 -i 127.0.0.1 -d 3000<\/strong><\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><strong>Connecting to a PyRDP player when the MITM is running on a server<\/strong><\/p>\n\n\n\n<p>If you are running the MITM on a server and still want to see live RDP connections, you should use&nbsp;<a href=\"https:\/\/www.booleanworld.com\/guide-ssh-port-forwarding-tunnelling\/\">SSH remote port forwarding<\/a>&nbsp;to forward a port on your server to the player&#8217;s port on your machine. Once this is done, you pass&nbsp;<code>127.0.0.1<\/code>&nbsp;and the forwarded port as arguments to the MITM. 
For example, if port 4000 on the server is forwarded to the player&#8217;s port on your machine, this would be the command to use:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pyrdp-mitm.py 192.168.1.10 -i 127.0.0.1 -d 4000<\/strong><\/p>\n\n\n\n<ul class=\"has-light-green-cyan-background-color has-background wp-block-list\"><li><strong>Running payloads on new connections<\/strong><\/li><\/ul>\n\n\n\n<p>PyRDP has support for running console commands or PowerShell payloads automatically when new connections are made. Due to the nature of RDP, the process is a bit hackish and is not always 100% reliable. Here is how it works:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Wait for the user to be authenticated.<\/li><li>Block the client&#8217;s input \/ output to hide the payload and prevent interference.<\/li><li>Send a fake Windows+R sequence and run&nbsp;<code><strong>cmd.exe<\/strong><\/code>.<\/li><li>Run the payload as a console command and exit the console. 
If a PowerShell payload is configured, it is run with&nbsp;<code><strong>powershell -enc<\/strong> <strong>&lt;PAYLOAD&gt;<\/strong><\/code>.<\/li><li>Wait a bit to allow the payload to complete.<\/li><li>Restore the client&#8217;s input \/ output.<\/li><\/ul>\n\n\n\n<p>For this to work, you need to set 3 arguments:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>the payload<\/li><li>the delay before the payload starts<\/li><li>the payload&#8217;s duration<\/li><\/ul>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#setting-the-payload\"><\/a><strong>Setting the payload<\/strong><\/p>\n\n\n\n<p>You can use one of the following arguments to set the payload to run:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><code><strong>--payload<\/strong><\/code>, a string containing console commands<\/li><li><code><strong>--payload-powershell<\/strong><\/code>, a string containing PowerShell commands<\/li><li><code><strong>--payload-powershell-file<\/strong><\/code>, a path to a PowerShell script<\/li><\/ul>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#choosing-when-to-start-the-payload\"><\/a><strong>Choosing when to start the payload<\/strong><\/p>\n\n\n\n<p>For the moment, PyRDP does not detect when the user is logged on. You must give it an amount of time to wait for before running the payload. After this amount of time has passed, it will send the fake key sequences and expect the payload to run properly. To do this, you use the&nbsp;<code><strong>--payload-delay<\/strong><\/code>&nbsp;argument. The delay is in milliseconds. 
For example, if you expect the user to be logged in within the first 5 seconds, you would use the following argument:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>--payload-delay 5000<\/strong><\/p>\n\n\n\n<p>This could be made more accurate by leveraging some messages exchanged during RDPDR initialization. See&nbsp;this issue&nbsp;if you&#8217;re interested in making this work better.<\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#choosing-when-to-resume-normal-activity\"><\/a><strong>Choosing when to resume normal activity<\/strong><\/p>\n\n\n\n<p>Because there is no direct way to know when the console has stopped running, you must tell PyRDP how long you want the client&#8217;s input \/ output to be blocked. We recommend you set this to the maximum amount of time you would expect the console that is running your payload to be visible, in other words the time you expect your payload to take to complete. To set the payload duration, you use the&nbsp;<code><strong>--payload-duration<\/strong><\/code>&nbsp;argument with an amount of time in milliseconds. For example, if you expect your payload to take up to 5 seconds to complete, you would use the following argument:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>--payload-duration 5000<\/strong><\/p>\n\n\n\n<p>This will block the client&#8217;s input \/ output for 5 seconds to hide the console and prevent interference. 
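<\/p>\n\n\n\n<p>As an added worked example (not code from the PyRDP project), the following Python builds the argument that <code>powershell -enc<\/code> expects (UTF-16LE text, then base64), decodes one back for triage, checks that the typed console command fits within cmd.exe&#8217;s command-line limit, and assembles the three payload arguments described above. The sample script, the 8191-character limit used as a sanity check and the helper names are this example&#8217;s own assumptions; only the flag names and the <code>powershell -enc<\/code> form come from the text.<\/p>

```python
import base64

# Constructed sample payload for this example (not taken from the page).
SAMPLE_SCRIPT = 'Write-Host hi'

# cmd.exe rejects command lines longer than this many characters (a documented
# Windows limit); used here as a sanity check on the typed -enc command.
CMD_MAX_LEN = 8191


def encode_powershell(script: str) -> str:
    '''Encode a script the way powershell -enc expects it:
    UTF-16LE bytes, then plain base64 with no line breaks.'''
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


def decode_powershell(encoded: str) -> str:
    '''Reverse of encode_powershell, e.g. to read back a captured -enc argument.'''
    return base64.b64decode(encoded).decode('utf-16-le')


def console_command(script: str) -> str:
    '''The console command PyRDP types into cmd.exe after the fake Windows+R.'''
    return 'powershell -enc ' + encode_powershell(script)


def fits_command_line(script: str) -> bool:
    '''True if the typed command stays within the cmd.exe length limit. UTF-16LE
    doubles the byte count and base64 adds a third again, so a script grows by
    roughly 8/3 before the powershell -enc prefix is even counted.'''
    return len(console_command(script)) <= CMD_MAX_LEN


def mitm_argv(target: str, script_path: str, delay_ms: int, duration_ms: int) -> list:
    '''Argument vector for pyrdp-mitm.py using the three payload settings from the text.'''
    return ['pyrdp-mitm.py', target,
            '--payload-powershell-file', script_path,
            '--payload-delay', str(delay_ms),
            '--payload-duration', str(duration_ms)]


if __name__ == '__main__':
    cmd = console_command(SAMPLE_SCRIPT)
    print(cmd)
    print(decode_powershell(cmd.split(' ')[-1]))
    print('fits cmd.exe:', fits_command_line(SAMPLE_SCRIPT))
    print(' '.join(mitm_argv('192.168.1.10', 'payload.ps1', 5000, 5000)))
```

<p>Run it directly to print the encoded command and the matching <code>pyrdp-mitm.py<\/code> invocation. The length check is worth keeping in mind because the payload reaches the target through the fake Windows+R and cmd.exe sequence described above, so a script that looks short in PowerShell is considerably longer once encoded.<\/p>

<p>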
After 5 seconds, input \/ output is restored back to normal.<\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#other-mitm-arguments\"><\/a><strong>Other MITM arguments<\/strong><\/p>\n\n\n\n<p>Run&nbsp;<code><strong>pyrdp-mitm.py --help<\/strong><\/code>&nbsp;for a full list of arguments.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#--no-downgrade\"><\/a><code><strong>--no-downgrade<\/strong><\/code><\/h5>\n\n\n\n<p>This argument is useful when running PyRDP in Honeypot scenarios to avoid scanner fingerprinting. When the switch is enabled, PyRDP will not downgrade unsupported extensions and let the traffic through transparently. The player will likely not be able to successfully replay video traffic, but the following supported channels should still be accessible:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Keystroke recording<\/li><li>Mouse position updates<\/li><li>Clipboard access (passively)<\/li><li>Drive access (passively)<\/li><\/ul>\n\n\n\n<p>This feature is still a work in progress and some downgrading is currently unavoidable to allow the connection to be established. The following are currently not affected by this switch and will still be disabled:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>FIPS Encryption<\/li><li>Non-TLS encryption protocols<\/li><li>ClientInfo compression<\/li><li>Virtual Channel compression<\/li><\/ul>\n\n\n\n<p class=\"has-luminous-vivid-amber-background-color has-background\"><strong>NOTE<\/strong>: If being able to eventually replay the full session is important, a good solution is to record the raw RDP traffic using Wireshark and keep the TLS master secrets. 
Whenever PyRDP adds support for additional extensions, it would then become possible to extract a valid RDP replay file from the raw network capture.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#--transparent\"><\/a><code>--transparent<\/code><\/h5>\n\n\n\n<p>Tells PyRDP to attempt to spoof the source IP address of the client so that the server sees the real IP address instead of the MITM one. This option is only useful in certain scenarios where the MITM is physically a gateway between clients and the server and sees all traffic.&nbsp;<a href=\"https:\/\/github.com\/GoSecure\/pyrdp\/blob\/master\/docs\/transparent-proxy.md\">Specific examples can be found here<\/a>.<\/p>\n\n\n\n<p class=\"has-luminous-vivid-amber-background-color has-background\"><strong>NOTE<\/strong>: This requires root privileges, only works on Linux and requires manual firewall configuration to ensure that traffic is routed properly.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#--no-gdi-disable-accelerated-graphics-pipeline\"><\/a><code>--no-gdi<\/code>: Disable Accelerated Graphics Pipeline<\/h5>\n\n\n\n<p>PyRDP downgrades video to the most recent graphics pipeline that it supports. This switch explicitly tells the MITM not to use the&nbsp;Graphics Device Interface Acceleration&nbsp;extensions to stream video. The advantage of the accelerated pipeline is a significant reduction in required bandwidth for high resolution connections, so expect more traffic when it is disabled.<\/p>\n\n\n\n<p>Note that some GDI drawing orders are currently unimplemented because they appear to be unused. If you have a replay which contains any unsupported or untested order, do not hesitate to share it with the project maintainers so that support can be added as required. 
(Make sure that the trace does not contain sensitive information)<\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#using-the-pyrdp-player\"><\/a><strong>Using the PyRDP Player<\/strong><\/p>\n\n\n\n<p>Use&nbsp;<code><strong>pyrdp-player.py<\/strong><\/code>&nbsp;to run the player.<\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#playing-a-replay-file\"><\/a><strong>Playing a replay file<\/strong><\/p>\n\n\n\n<p>You can use the menu to open a new replay file: File &gt; Open.<\/p>\n\n\n\n<p>You can also open replay files when launching the player:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pyrdp-player.py \u2026<\/strong><\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><strong>Listening for live connections<\/strong><\/p>\n\n\n\n<p>The player always listens for live connections. By default, the listening port is 3000, but it can be changed:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pyrdp-player.py -p &lt;port&gt;<\/strong><\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><strong>Changing the listening address<\/strong><\/p>\n\n\n\n<p>By default, the player only listens to connections coming from the local machine. We do not recommend opening up the player to other machines, since anything that can reach that port can feed it sessions. 
If you still want to change the listening address, you can do it with&nbsp;<code>-b<\/code>:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pyrdp-player.py -b &lt;address&gt;<\/strong><\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><strong>Other player arguments<\/strong><\/p>\n\n\n\n<p>Run&nbsp;<code>pyrdp-player.py --help<\/code>&nbsp;for a full list of arguments.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#using-the-pyrdp-certificate-cloner\"><\/a><strong>Using the PyRDP Certificate Cloner<\/strong><\/p>\n\n\n\n<p>The PyRDP certificate cloner creates a brand new X509 certificate by using the values from an existing RDP server&#8217;s certificate. It connects to an RDP server, downloads its certificate, generates a new private key and replaces the public key and signature of the certificate using the new private key. This can be used in a pentest if, for example, you&#8217;re trying to trick a legitimate user into going through your MITM. Note that the clone is still self-signed (the signature is made with your new key), so a client that validates the certificate chain will still warn; what matches are the fields a user sees in that warning. 
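<\/p>\n\n\n\n<p>The clone-and-re-sign step just described, as an added example written in Python with the <code>cryptography<\/code> library; it is not PyRDP&#8217;s own code. Because the example never connects to a server, a constructed self-signed certificate stands in for the one <code>pyrdp-clonecert.py<\/code> downloads. The clone keeps the subject, issuer, serial number, validity period and extensions, swaps in a freshly generated key, re-signs, and the checks confirm which key now validates the signature. Recomputing the key-identifier extensions for the new key is this example&#8217;s own choice. The PEM output is in the form the <code>-k<\/code> and <code>-c<\/code> arguments described under &#8220;Specifying the private key and certificate&#8221; accept, so the same code also shows how to supply a custom key and certificate to the MITM.<\/p>

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def new_rsa_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_server_cert(common_name: str):
    '''Constructed stand-in for the certificate a real RDP server would present
    (this example never connects anywhere). Returns (private_key, certificate).'''
    key = new_rsa_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
    cert = (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=180))
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert


def clone_certificate(original: x509.Certificate, new_key=None):
    '''Re-issue a certificate with the same visible fields (subject, issuer, serial,
    validity, extensions) but our own key and signature. Key-identifier extensions
    are recomputed from the new key so the clone stays internally consistent; that
    detail is a choice made for this example, not a description of pyrdp-clonecert.py.'''
    new_key = new_key or new_rsa_key()
    builder = (x509.CertificateBuilder()
               .subject_name(original.subject)
               .issuer_name(original.issuer)
               .public_key(new_key.public_key())
               .serial_number(original.serial_number)
               .not_valid_before(original.not_valid_before)
               .not_valid_after(original.not_valid_after))
    for ext in original.extensions:
        value = ext.value
        if isinstance(value, x509.SubjectKeyIdentifier):
            value = x509.SubjectKeyIdentifier.from_public_key(new_key.public_key())
        elif isinstance(value, x509.AuthorityKeyIdentifier):
            value = x509.AuthorityKeyIdentifier.from_issuer_public_key(new_key.public_key())
        builder = builder.add_extension(value, critical=ext.critical)
    return new_key, builder.sign(new_key, original.signature_hash_algorithm)


def same_visible_fields(a: x509.Certificate, b: x509.Certificate) -> bool:
    '''The fields a user sees in a certificate warning dialog.'''
    return (a.subject == b.subject and a.issuer == b.issuer
            and a.serial_number == b.serial_number
            and a.not_valid_before == b.not_valid_before
            and a.not_valid_after == b.not_valid_after)


def signed_by(cert: x509.Certificate, public_key) -> bool:
    '''Check the certificate signature against a given RSA public key.'''
    try:
        public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                          padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def key_id_matches(cert: x509.Certificate, key) -> bool:
    '''True if the Subject Key Identifier extension was derived from this key.'''
    ski = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return ski.digest == x509.SubjectKeyIdentifier.from_public_key(key.public_key()).digest


def to_pem(key, cert: x509.Certificate):
    '''PEM bytes in the form pyrdp-mitm.py takes with -k (key) and -c (certificate).'''
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.TraditionalOpenSSL,
                                serialization.NoEncryption())
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)


if __name__ == '__main__':
    server_key, server_cert = make_server_cert('rdp.corp.example')
    our_key, clone = clone_certificate(server_cert)
    print('fields match:', same_visible_fields(server_cert, clone))
    print('signed by our key:', signed_by(clone, our_key.public_key()))
    print('still signed by the server key:', signed_by(clone, server_key.public_key()))
    key_pem, cert_pem = to_pem(our_key, clone)
    with open('key.pem', 'wb') as f:
        f.write(key_pem)
    with open('cert.pem', 'wb') as f:
        f.write(cert_pem)
```

<p>Running the script writes <code>key.pem<\/code> and <code>cert.pem<\/code> in the current directory, which can then be passed to the MITM as <code>-k key.pem -c cert.pem<\/code>. The two signature checks are the point of the exercise: the clone verifies under the new key and fails under the server&#8217;s, which is exactly why a chain-validating client still rejects it even though every printed field matches.<\/p>

<p>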
Using a certificate that looks like a legitimate certificate could increase your success rate.<\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#cloning-a-certificate\"><\/a><strong>Cloning a certificate<\/strong><\/p>\n\n\n\n<p>You can clone a certificate by using&nbsp;<code><strong>pyrdp-clonecert.py<\/strong><\/code>:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pyrdp-clonecert.py 192.168.1.10 cert.pem -o key.pem<\/strong><\/p>\n\n\n\n<p>The&nbsp;<code><strong>-o<\/strong><\/code>&nbsp;parameter defines the path name to use for the generated private key.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#using-a-custom-private-key\"><\/a><strong>Using a custom private key<\/strong><\/p>\n\n\n\n<p>If you want to use your own private key instead of generating a new one:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>pyrdp-clonecert.py 192.168.1.10 cert.pem -i input_key.pem<\/strong><\/p>\n\n\n\n<p class=\"has-light-green-cyan-background-color has-background\"><strong>Other cloner arguments<\/strong><\/p>\n\n\n\n<p>Run&nbsp;<code><strong>pyrdp-clonecert.py --help<\/strong><\/code>&nbsp;for a full list of arguments.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#using-pyrdp-convert\"><\/a><strong>Using PyRDP Convert<\/strong><\/p>\n\n\n\n<p><code><strong>pyrdp-convert<\/strong><\/code>&nbsp;is a helper script that performs several useful conversions. 
The script works best on traffic captured by PyRDP itself: a connection that was not intercepted may use RDP protocol features that PyRDP does not yet support.<\/p>\n\n\n\n<p>The following conversions are supported:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Network Capture (PCAP) to PyRDP replay file<\/li><li>Network Capture to MP4 video file<\/li><li>Replay file to MP4 video file<\/li><\/ul>\n\n\n\n<p>The script supports both encrypted (TLS) network captures (by providing&nbsp;<code><strong>--secrets ssl.log<\/strong><\/code>) and decrypted PDU exports.<\/p>\n\n\n\n<p class=\"has-luminous-vivid-amber-background-color has-background\"><strong>WARNING<\/strong>: pcapng and pcap with nanosecond timestamps are not compatible with&nbsp;<code><strong>pyrdp-convert<\/strong><\/code>&nbsp;and will create replay files that fail to play back or export to MP4. This is due to incompatible timestamp formats.<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong># Export the session coming from client 10.2.0.198 to a .pyrdp file.<br>pyrdp-convert.py --src 10.2.0.198 --secrets ssl.log -o path\/to\/output capture.pcap<br># Or as an MP4 video<br>pyrdp-convert.py --src 10.2.0.198 --secrets ssl.log -o path\/to\/output -f mp4 capture.pcap<br># List the sessions in a network trace, along with the decryptable ones.<br>pyrdp-convert.py --list capture.pcap<\/strong><\/p>\n\n\n\n<p>Note that MP4 conversion requires libavcodec and ffmpeg, so this may require extra steps on Windows.<\/p>\n\n\n\n<p>Manually decrypted network traces can be exported from Wireshark by selecting&nbsp;<code><strong>File &gt; Export PDUs<\/strong><\/code>&nbsp;and selecting&nbsp;<code><strong>OSI Layer 7<\/strong><\/code>. 
When using this method, it is also recommended to filter the exported stream to only contain the TCP stream of the RDP session which must be converted.<\/p>\n\n\n\n<p>First, make sure you configured wireshark to load TLS secrets:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEhs-rC_oA5mOs_oYA2ewFM6KOReqBIBSq-sS9OgKFyZ0-Yac49fLDrjrracpRi1qFCQH2MeK0Xf2t3peOVhgSQUWNeZ2DOfU2Jv4T9MgxGSXPVY8jyJ_fn7z8cgH3SjAl1jCmwzFkts9fGyMnLxjG2S8j84xe-zv8E4QMPe0lmU5cjOqX4WZvBN9v_D=s910\" alt=\"\" \/><\/figure>\n\n\n\n<p>Next, export OSI Layer 7 PDUs:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEjAWwEy4pvYWwhYNDyPEhpTgj6IfLB6mVcYxUYenjamjZuN64R9KLDCRUwo6JJW4FDWLHPNzU1rPhKvya7g7PUCXULku6Lfz4rOTtUCp-lcuHIbCu0qHbPKWwhnv21jxZRCyE629vdEYNcwC8ZSAhI3zpLZZxKy-YplDMym2x_Xd4pDNx1pklyQ8SdW=s773\" alt=\"\" \/><figcaption>And lastly, filter down the trace to contain only the conversation of interest (Optional but recommended) by applying a display filter and clicking&nbsp;<code>File &gt; Export Specified Packets...<\/code><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEjhKQVwVwSR7TkhB58X7oMqwb_LlvNaUcj_1B9ifIj7hpdLyFCgqdTfgJLs6WXHtMDKC0w__26Ej-RY4iHaqLgtB8LR-7eeYtcU2GdqVyWHi6l_wjevMLPJgAzurZVRuSZl7av1RtaP948N4eElYBZcXWs1Fnw-VADQnyOHbOgYx15zcX8iEqDh8LTM=s1269\" alt=\"\" \/><\/figure>\n\n\n\n<p>Now this trace can be used directly in&nbsp;<code>pyrdp-convert<\/code>.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#configuring-pyrdp\"><\/a><strong>Configuring PyRDP<\/strong><\/p>\n\n\n\n<p>Most of the PyRDP configurations are done through command line switches, but it is also possible to use a configuration 
file for certain settings such as log configuration.<\/p>\n\n\n\n<p>The default configuration files used by PyRDP are located in&nbsp;<a href=\"https:\/\/github.com\/GoSecure\/pyrdp\/blob\/master\/pyrdp\/mitm\/mitm.default.ini\">mitm.default.ini<\/a>&nbsp;and&nbsp;player.default.ini. Both files are thoroughly documented and can serve as a basis for further configuration.<\/p>\n\n\n\n<p>In the future there are plans to support other aspects of PyRDP configuration through those configuration files.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#using-pyrdp-as-a-library\"><\/a><strong>Using PyRDP as a Library<\/strong><\/p>\n\n\n\n<p>If you&#8217;re interested in experimenting with RDP and making your own tools, head over to our&nbsp;documentation section&nbsp;for more information.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#using-pyrdp-with-twistd\"><\/a><strong>Using PyRDP with twistd<\/strong><\/p>\n\n\n\n<p>The PyRDP MITM component was also implemented as a twistd plugin. 
This enables you to run it in debug mode and allows you to get an interactive debugging REPL (pdb) if you send a&nbsp;<code><strong>SIGUSR2<\/strong><\/code>&nbsp;to the twistd process.<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>twistd --debug pyrdp -t &lt;target&gt;<\/strong><\/p>\n\n\n\n<p>Then to get the REPL:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>killall -SIGUSR2 twistd<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Using PyRDP with twistd in Docker<\/strong><\/p>\n\n\n\n<p>In a directory with our&nbsp;<code><strong>docker-compose.yml<\/strong><\/code>&nbsp;you can run something like this:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>docker-compose run -p 3389:3389 pyrdp twistd --debug pyrdp --target 192.168.1.10:3389<\/strong><\/p>\n\n\n\n<p>This will allocate a TTY and you will have access to&nbsp;<code><strong>Pdb<\/strong><\/code>&#8217;s REPL. Trying to add&nbsp;<code><strong>--debug<\/strong><\/code>&nbsp;to the&nbsp;<code><strong>docker-compose.yml<\/strong><\/code>&nbsp;command will fail because there is no TTY allocated.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#using-pyrdp-with-bettercap\"><\/a><strong>Using PyRDP with Bettercap<\/strong><\/p>\n\n\n\n<p>We developed our own Bettercap module,&nbsp;<code><strong>rdp.proxy<\/strong><\/code>, to monster-in-the-middle all RDP connections on a given LAN. 
Check out&nbsp;this document&nbsp;for more information.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#docker-specific-usage-instructions\"><\/a><strong>Docker Specific Usage Instructions<\/strong><\/p>\n\n\n\n<p>Since docker restricts the interactions with the host system (filesystem and network), the PyRDP docker image must be run with some parameters depending on your use case. This section documents those parameters.<\/p>\n\n\n\n<p>We refer to the publicly provided docker image, but if you&nbsp;built your own, replace&nbsp;<code><strong>gosecure\/pyrdp<\/strong><\/code>&nbsp;with the name of your locally built image.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#mapping-a-listening-port\"><\/a><strong>Mapping a Listening Port<\/strong><\/p>\n\n\n\n<p>In most monster-in-the-middle cases you will need to map a port of your host into the docker container. This is achieved with the&nbsp;<strong><code>--publish<\/code>&nbsp;(<code>-p<\/code>)<\/strong>&nbsp;parameter of&nbsp;<strong><code>docker run<\/code><\/strong>.<\/p>\n\n\n\n<p>For example, to listen on 3389 (RDP&#8217;s default port) on all interfaces, use:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>docker run -p 3389:3389 gosecure\/pyrdp pyrdp-mitm.py 192.168.1.10<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Logs and Artifacts Storage<\/strong><\/p>\n\n\n\n<p>To store the PyRDP output permanently (logs, files, etc.), add the&nbsp;<strong><code>--volume<\/code>&nbsp;(<code>-v<\/code>)<\/strong>&nbsp;option to the previous command. 
In this example we store the files relative to the current directory, in&nbsp;<code><strong>pyrdp_output<\/strong><\/code>:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>docker run -v $PWD\/pyrdp_output:\/home\/pyrdp\/pyrdp_output -p 3389:3389 gosecure\/pyrdp pyrdp-mitm.py 192.168.1.10<\/strong><\/p>\n\n\n\n<p>Make sure that your destination directory is owned by a user with a UID of 1000, otherwise you will get permission denied errors. If you are the only non-root user on the system, your user will usually have been assigned UID 1000.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><a href=\"https:\/\/github.com\/GoSecure\/pyrdp#logging-the-host-ip-address\"><\/a><strong>Logging the host IP address<\/strong><\/p>\n\n\n\n<p>If you want PyRDP to log the host IP address in its logs, you can set the&nbsp;<code><strong>HOST_IP<\/strong><\/code>&nbsp;environment variable when using&nbsp;<code><strong>docker run<\/strong><\/code>:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>docker run -p 3389:3389 -e HOST_IP=192.168.1.9 gosecure\/pyrdp pyrdp-mitm.py 192.168.1.10<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Using the GUI Player in Docker<\/strong><\/p>\n\n\n\n<p>Using the player requires you to export the&nbsp;<code><strong>DISPLAY<\/strong><\/code>&nbsp;environment variable from the host to the docker container. This redirects the GUI of the player to the host screen. You also need to expose the host&#8217;s network and prevent Qt from using the MIT-SHM X11 Shared Memory Extension. 
To do so, add the&nbsp;<code><strong>-e<\/strong><\/code>&nbsp;and&nbsp;<code><strong>--net<\/strong><\/code>&nbsp;options to the run command:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>docker run -e DISPLAY=$DISPLAY -e QT_X11_NO_MITSHM=1 --net=host gosecure\/pyrdp pyrdp-player.py<\/strong><\/p>\n\n\n\n<p>Keep in mind that exposing the host&#8217;s network to docker can compromise the isolation between your container and the host. If you plan on using the player, X11 forwarding over an SSH connection would be a more secure way.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>PyRDP is a Python Remote Desktop Protocol (RDP) Monster-in-the-Middle (MITM) tool and library. 
It features a few tools: RDP Monster-in-the-Middle Logs credentials used when connecting Steals data copied to the clipboard Saves a copy of the files transferred over the network Crawls shared drives in the background and saves them locally Saves replays of connections [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":20527,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[28],"tags":[2093,2670,2676,2739],"class_list":["post-20462","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-mitm","tag-pyrdp","tag-python","tag-rdp"],"yoast_head_json":{"title":"PyRDP : RDP Monster-In-The-Middle (Mitm) And Library For Python","author":"R K","article_published_time":"2021-11-29T05:28:18+00:00","article_modified_time":"2021-11-29T05:28:22+00:00","twitter_misc":{"Written by":"R K","Est. reading time":"14 minutes"}}}