1.1.0

@obilodeau obilodeau released this 05 Aug 18:05

Release Highlights

Released just in time for our BlackHat USA Arsenal 2021 presentation! Here are the high-level release highlights:

  • Network Level Authentication (NLA) redirection: when the target server requires NLA, the connection is redirected to a different host that does not, which amounts to a dynamic downgrade attack
  • Improved file collection: file deduplication, preservation of the client-side file hierarchy, and retention of partial copies
  • A more reliable, more capable and faster pyrdp-convert
  • Collection of attempted credentials (NTLMSSP hashes when NLA is used, plaintext otherwise)
  • Improved logging in error conditions and general bug fixes
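The NLA redirection highlight is easier to reason about with the negotiation bytes in hand. What follows is an added example, not PyRDP's own code: it builds and parses the X.224 Connection Request/Confirm negotiation structures from MS-RDPBCGR (rdpNegReq, rdpNegRsp, rdpNegFailure), decides from the server's answer whether the handshake cannot continue without CredSSP, and rebuilds the client's request with the NLA protocol bits cleared, which is the downgrade a redirecting MITM performs when it forwards the client to a non-NLA host. It also tolerates a request that carries no negotiation block at all, as legacy clients send. All packets are constructed inline and the helper names are this example's own; how PyRDP itself detects the NLA requirement is not claimed here.

```python
"""Build and parse the RDP X.224 connection negotiation (MS-RDPBCGR 2.2.1.1 / 2.2.1.2).

Added example, not PyRDP's own code. Packets below are constructed inline.
"""
import struct

# requestedProtocols / selectedProtocol bits
PROTOCOL_RDP = 0x0          # standard RDP security, no TLS
PROTOCOL_SSL = 0x1          # TLS
PROTOCOL_HYBRID = 0x2       # CredSSP, i.e. NLA
PROTOCOL_RDSTLS = 0x4
PROTOCOL_HYBRID_EX = 0x8    # CredSSP with early user authorization result
NLA_PROTOCOLS = PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX

# type byte of the optional negotiation structure
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x05   # failureCode meaning "NLA or nothing"

X224_CR, X224_CC = 0xE0, 0xD0      # Connection Request / Connection Confirm


def _tpkt(x224: bytes) -> bytes:
    """Wrap an X.224 TPDU in a TPKT header (version 3, big-endian total length)."""
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def build_connection_request(requested_protocols, cookie: bytes = b"") -> bytes:
    """Client CR. requested_protocols=None omits rdpNegReq entirely (legacy clients)."""
    variable = cookie                       # optional b'Cookie: mstshash=...\r\n'
    if requested_protocols is not None:
        variable += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    fixed = struct.pack(">BHHB", X224_CR, 0, 0, 0)   # type, dst-ref, src-ref, class
    return _tpkt(bytes([len(fixed) + len(variable)]) + fixed + variable)


def build_connection_confirm(neg_type: int, value: int) -> bytes:
    """Server CC carrying RDP_NEG_RSP (value=selectedProtocol) or RDP_NEG_FAILURE (value=failureCode)."""
    neg = struct.pack("<BBHI", neg_type, 0, 8, value)
    fixed = struct.pack(">BHHB", X224_CC, 0, 0, 0)
    return _tpkt(bytes([len(fixed) + len(neg)]) + fixed + neg)


def parse_x224(tpkt: bytes) -> dict:
    """Return the TPDU type, the cookie/routing token and the negotiation block, if any."""
    if len(tpkt) < 11:
        raise ValueError("truncated X.224 TPDU")
    version, _, length = struct.unpack(">BBH", tpkt[:4])
    if version != 3 or length != len(tpkt):
        raise ValueError("bad TPKT header")
    li, tpdu_type = tpkt[4], tpkt[5]
    # LI counts every byte after itself, so the variable part follows the 6 fixed bytes.
    variable = tpkt[11:5 + li]
    cookie = b""
    end = variable.find(b"\r\n")        # cookie / routingToken are CRLF-terminated
    if end != -1:
        cookie, variable = variable[:end], variable[end + 2:]
    info = {"tpdu": tpdu_type, "cookie": cookie, "neg_type": None, "value": None}
    if len(variable) >= 8:              # the negotiation block is optional
        neg_type, _flags, neg_len, value = struct.unpack("<BBHI", variable[:8])
        if neg_len != 8:
            raise ValueError("bad rdpNeg length")
        info["neg_type"], info["value"] = neg_type, value
    return info


def client_requested_protocols(cr: dict) -> int:
    """No rdpNegReq at all means the client only speaks standard RDP security."""
    return cr["value"] if cr["neg_type"] == TYPE_RDP_NEG_REQ else PROTOCOL_RDP


def server_requires_nla(cc: dict) -> bool:
    """True if the handshake cannot continue without CredSSP: the server either
    refused with HYBRID_REQUIRED_BY_SERVER or selected an NLA protocol."""
    if cc["neg_type"] == TYPE_RDP_NEG_FAILURE:
        return cc["value"] == HYBRID_REQUIRED_BY_SERVER
    if cc["neg_type"] == TYPE_RDP_NEG_RSP:
        return bool(cc["value"] & NLA_PROTOCOLS)
    return False


def downgraded_request(client_cr: bytes) -> bytes:
    """Rebuild the client's CR with the NLA bits cleared: what a MITM forwards to the
    non-NLA host it redirects to (illustration of the downgrade, not PyRDP's logic)."""
    cr = parse_x224(client_cr)
    protocols = client_requested_protocols(cr) & ~NLA_PROTOCOLS
    cookie = cr["cookie"] + b"\r\n" if cr["cookie"] else b""
    return build_connection_request(protocols, cookie)
```

A client offering PROTOCOL_SSL | PROTOCOL_HYBRID ends up asking the redirect target for PROTOCOL_SSL only, which is exactly why a host that still accepts TLS-only connections is needed as the redirection destination.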

Full list of changes follows.

Breaking Changes

  • pyrdp-convert command-line interface change: --list is now --list-only to better reflect what it does. The short form -l didn't change. (#311)
  • Log field renamed: hash is now shasum (#302)

Enhancements

Security

  • cryptography dependency updated to 3.3.2 because of upstream security issues, which do not really affect this project's use case (See #259, #295)
  • Pillow dependency updated to 8.2.0 due to upstream security issues (see #306 and #317)
  • rsa dependency updated to 4.7 due to upstream security issues (see #314)

Tools

  • pyrdp-convert now relies on scapy for session reconstruction from a pcap. This is more reliable and can handle multiple sessions at once. (#311, #221)
  • pyrdp-convert MP4 conversion is now 2x faster! (See #234 and #273)
  • Added a JSON output format to pyrdp-convert (See #236)
  • Use a proper progress bar with completion percentage and ETA in pyrdp-convert (See #274)

MITM

  • NLA Redirection: if the original destination server requires NLA we can now redirect the connection to a different destination server as specified by the --nla-redirection-host and --nla-redirection-port switches (#260, #308)
  • Added NTLMSSP hash logging when NLA is used with NTLM as the authentication protocol. Hashes are logged to pyrdp_output/logs/ntlmssp.log in addition to stdout and JSON. (See #307)
  • Added attempted credentials logging for the graphical login (non-NLA). It relies on a heuristic: the Enter key being pressed or the mouse being clicked in specific areas of the login screen. (See #303)
  • PyRDP will log the value of the HOST_IP variable on start if it exists. You can set it to the IP address of the host running PyRDP. This is mostly helpful when you're using PyRDP in Docker and you want the IP of the Docker host in the logs.
  • Added detection of BlueKeep (CVE-2019-0708) scans and exploit attempts. PyRDP will log the attempt and shut down the connection. The JSON log has an exploitInfo attribute as well as a parserInfo attribute to help investigate what happened.
  • Added better logging for parser errors. PyRDP will now log which parser crashed and the data that was fed to that parser to make it crash. This makes it easier to investigate bugs and exploits. In JSON logs, this information shows up in the parserInfo attribute.
  • Files intercepted or crawled by the MITM are now named according to the sha1 hash of their contents and stored in the pyrdp_output/files folder (see #261)
  • Files that are currently being downloaded by the MITM but are not complete are stored in the pyrdp_output/files/tmp folder
  • Both the file stealer and the file crawler components now mimic the victim's filesystem by creating the same file hierarchy in the pyrdp_output/filesystems/<SESSION_ID> folders. Files in these folders are symbolic links to files in the pyrdp_output/files folder to avoid duplication. The symlinks are relative, which allows you to move the folder around without losing the mapping. (See #270, #272 and #299)
  • File interceptor will keep a copy of interrupted file transfers in pyrdp_output/files/tmp/ and mention it in the logs (#333)
  • All JSON logs now have a clientIp field once a client IP address is known (#321, #326)
  • Removed mapping.json file since all the information it would contain can be obtained by checking the pyrdp_output/filesystems folder
  • Added tests for the DeviceRedirectionMITM and FileMapping classes (#268)
  • Added clientPort field to the message when a new client is connected (#310)
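The files, files/tmp and filesystems/<SESSION_ID> bullets above describe a content-addressed store with per-session relative symlinks. The following is an added example that implements that layout so the properties can be checked (one copy per distinct content, links that survive moving the output folder, interrupted transfers left in files/tmp); it is not PyRDP's FileMapping implementation. The naming of in-progress files under files/tmp (session id plus a hash of the client path) and the drive-letter handling are this example's own assumptions, and the scenario data in demo() is constructed.

```python
"""Content-addressed file store mirroring the pyrdp_output/files and
pyrdp_output/filesystems/<SESSION_ID> layout.

Added example, not PyRDP's FileMapping implementation. Naming of in-progress files
under files/tmp is this example's own assumption.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path, PureWindowsPath


class FileStore:
    def __init__(self, output_dir):
        self.files = Path(output_dir) / "files"          # one copy per distinct content
        self.tmp = self.files / "tmp"                    # transfers not yet complete
        self.filesystems = Path(output_dir) / "filesystems"
        self.tmp.mkdir(parents=True, exist_ok=True)

    def begin(self, session_id: str, client_path: str) -> Path:
        """Open a transfer; its bytes accumulate under files/tmp until finish()."""
        tag = hashlib.sha1(client_path.encode()).hexdigest()[:12]   # assumed naming
        part = self.tmp / f"{session_id}-{tag}"
        part.write_bytes(b"")
        return part

    def append(self, part: Path, chunk: bytes) -> None:
        with part.open("ab") as f:                       # closed after every chunk
            f.write(chunk)

    def finish(self, part: Path, session_id: str, client_path: str) -> Path:
        """Deduplicate by SHA-1 of the content, then expose the file at the client's
        own path under filesystems/<session>/ through a relative symlink."""
        digest = hashlib.sha1(part.read_bytes()).hexdigest()
        final = self.files / digest
        if final.exists():
            part.unlink()                                # same bytes already stored
        else:
            part.replace(final)
        win = PureWindowsPath(client_path)               # e.g. C:\Users\alice\x.docx
        parts = win.parts[1:] if win.drive else win.parts   # drive letters only
        link = self.filesystems / session_id / win.drive.rstrip(":") / Path(*parts)
        link.parent.mkdir(parents=True, exist_ok=True)
        if link.is_symlink() or link.exists():
            link.unlink()
        # relative target, so the whole output folder can be moved without breaking links
        link.symlink_to(os.path.relpath(final, link.parent))
        return link

    def partial_transfers(self) -> list:
        """Interrupted transfers are simply left behind in files/tmp."""
        return sorted(p for p in self.tmp.iterdir() if p.is_file())


def demo() -> dict:
    """Constructed scenario: two sessions transfer identical content under different
    client paths, a third transfer is cut off, then the output folder is moved."""
    root = Path(tempfile.mkdtemp()) / "pyrdp_output"
    store = FileStore(root)
    content = b"constructed sample: Q3 numbers\n"
    for session, path in (("sess-a", "C:\\Users\\alice\\report.xlsx"),
                          ("sess-b", "D:\\backup\\report-copy.xlsx")):
        part = store.begin(session, path)
        store.append(part, content[:12])
        store.append(part, content[12:])
        store.finish(part, session, path)
    cut = store.begin("sess-c", "C:\\Users\\bob\\big.iso")
    store.append(cut, b"first chunk only")
    stored = [p for p in store.files.iterdir() if p.is_file()]
    partials = store.partial_transfers()
    moved = root.parent / "moved_output"
    shutil.move(str(root), str(moved))
    link = moved / "filesystems" / "sess-b" / "D" / "backup" / "report-copy.xlsx"
    return {
        "distinct_files": len(stored),
        "digest_is_sha1": stored[0].name == hashlib.sha1(content).hexdigest(),
        "partial_count": len(partials),
        "link_is_relative": not os.path.isabs(os.readlink(link)),
        "link_still_resolves": link.read_bytes() == content,
        "partial_kept": (moved / "files" / "tmp" / cut.name).exists(),
    }
```

Because every link target is computed with os.path.relpath against the link's own directory, the mapping keeps working after the output folder is renamed or copied elsewhere, which is the property the release notes call out.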

Bug fixes

  • Set SO_REUSEADDR on the MITM listening socket so restarts no longer have to wait for sockets stuck in TIME_WAIT
  • Fixed a bug causing the connection to crash when the pointerCacheSize field is absent in PointerCapability (See #287)
  • Fixed a bug causing the connection to crash when the client sends no connection negotiation flags (See #283)
  • Fixed a bug preventing files opened by the RDPDR file stealer from being closed (#264)
  • Fixed an issue with ghost mouse pointers in replays converted to MP4 (#271)
  • Fixed a regression with the --sensor-id (-s) command line argument. It had not worked since 1.0. (#279)
  • Documentation: README updated to fix the Windows install instructions (#301)
  • Now handling space characters in password attempts (#303)
  • Fixed 'Too many open files' errors (#265, #309)
  • core.ssl JSON logs now properly carry the commonName and certFile variables (#326)
  • Fixed wrong date format string for sessions converted from a pcap (#330, #332)
  • Fixed a crash when deleting active file transfers on a disconnect (#322, #333)

Infrastructure

  • Added automated tests to the CI configuration
  • Fixed pip timeout issues when building full docker image on slow networks (#320)
  • Updated our dependencies to the latest stable versions for Docker builds (#327)

Credits

Thanks to the following people who contributed to this release:

Alexandre Beaulieu (@alxbl), @dependabot[bot], @exys228, Francis Labelle (@xshill), Olivier Bilodeau (@obilodeau)