- FreeRDP-ResearchServer/: a modified FreeRDP 2.2.0 server that completes an RDP handshake, kicks out the user (since there are no accounts set up), and dumps the six messages into /tmp
- FreeRDP-Pot-Patches/: patches for the FreeRDP server intended for production, so that it completes an RDP handshake, kicks out the user (since there are no accounts set up), and dumps the six messages into /tmp
- dump/: captured Negotiate/Challenge/Authenticate Out/In message dumps
- NCC-FreeRDP-pyparser/nccfreerdppyparser.py: extracts message dumps from dump/ and prints hashes in the format username:workstation:domain:$NLA$UserDomain$ntlm_v2_temp_chal$msg$EncryptedRandomSessionKey$MessageIntegrityCheck
- hashes.txt: hashes generated by nccfreerdppyparser.py
- NCC-FreeRDP-pyparser/crack.py: cracks hashes produced by nccfreerdppyparser.py
- docker/build.sh: builds FreeRDP-ResearchServer/
- docker/dump.sh: connects a FreeRDP client to a FreeRDP server to dump the RDP connection messages
The goal is to deploy honeypots that capture RDP handshakes and then crack them offline, in order to understand which passwords are being sprayed at the RDP honeypots we deploy, whether they are organization-specific, and so on. Currently we can capture the handshakes (see FreeRDP-ResearchServer/), extract the relevant data (see nccfreerdppyparser.py), and crack them (see crack.py).
Next steps:
- rewrite crack.py as a hashcat plugin
- clean up FreeRDP-ResearchServer/ to be production ready
- are there authentication methods that require SAM databases?