🚩 This is the public repository of aardwolf, for latest version and updates please consider supporting us through https://porchetta.industries/

This project is aimed to play around the RDP and VNC protocols.

If you want to sponsors this project and have the latest updates on this project, latest issues fixed, latest features, please support us on https://porchetta.industries/

Come hang out on Discord!

This is a headless client, for GUI functionality use the aardwolfgui package.

• Supports credssp auth via NTLM/Kerberos.
• Built-in proxy client allows SOCKS/HTTP proxy tunneling without 3rd part software
• PtH via CredSSP+Restricted admin mode
• Scriptable Keyboard, Mouse input and Clipboard input/output
• Can run in headless mode, no GUI required (read: no need for Qt)
• Support for Duckyscript files to emulate keystrokes

• aardpscreenshot RDP ?screenshotter? scans the given target/s or network ranges for open RDP clients, tries to log in either with or without credentials and takes a screemshot
• aardpcapscan RDP login capability scanner identifies the supported login protocols on a target or network ranges.
• aardploginscan RDP login scanner.

As usual the scripts take the target/scredentials in URL format. Below some examples

• rdp+kerberos-password://TEST\Administrator:[email protected]/?dc=10.10.10.2&proxytype=socks5&proxyhost=127.0.0.1&proxyport=1080
  CredSSP (aka HYBRID) auth using Kerberos auth + password via socks5 to win2016ad.test.corp, the domain controller (kerberos service) is at 10.10.10.2. The socks proxy is on 127.0.0.1:1080
• rdp+ntlm-password://TEST\Administrator:[email protected]
  CredSSP (aka HYBRID) auth using NTLM auth + password connecting to RDP server 10.10.10.103
• rdp+ntlm-password://TEST\Administrator:<NThash>@10.10.10.103
  CredSSP (aka HYBRID) auth using Pass-the-Hash (NTLM) auth connecting to RDP server 10.10.10.103
• rdp+plain://Administrator:[email protected]
  Plain authentication (No SSL, encryption is RC4) using password connecting to RDP server 10.10.10.103
• vnc+plain://[email protected]
  VNC client with VNC authentication using password connecting to RDP server 10.10.10.103
• vnc+plain://[email protected]
  VNC client with VNC authentication using password connecting to RDP server 10.10.10.103
• vnc+plain://:admin:[email protected]
  VNC client with VNC authentication using password admin:aa connecting to RDP server 10.10.10.103. Note that if the password contains : char you will have to prepend the password with :

• Citronneur's rdpy. The decompression code and the QT image magic was really valuable.
• Marc-André Moreau (@awakecoding) for providing suggestions on fixes