PyRDP v0.3 releases: Python 3 Remote Desktop Protocol Man-in-the-Middle


PyRDP is a Python 3 Remote Desktop Protocol (RDP) Man-in-the-Middle (MITM) and library.

It features a few tools:

  • RDP Man-in-the-Middle
    • Logs credentials used when connecting
    • Steals data copied to the clipboard
    • Saves a copy of the files transferred over the network
    • Saves replays of connections so you can look at them later
    • Run console commands or PowerShell payloads automatically on new connections
  • RDP Player:
    • See live RDP connections coming from the MITM
    • View replays of RDP connections
    • Take control of active RDP sessions while hiding your actions
    • List the client’s mapped drives and download files from them during active sessions
  • RDP Certificate Cloner:
    • Create a self-signed X509 certificate with the same fields as an RDP server’s certificate

We have used this tool as part of an RDP honeypot which records sessions and saves a copy of the malware dropped on our target machine.

PyRDP was first introduced in a blogpost in which we demonstrated that we can catch a real threat actor in action. In May 2019 a presentation by its authors was given at NorthSec and two demos were performed. The first one covered credential logging, clipboard stealing, client-side file browsing, and a session take-over. The second one covered the execution of cmd or powershell payloads when a client successfully authenticates. In August 2019, PyRDP was demo’ed at BlackHat Arsenal (slides).

Changelog v0.3


  • Added Windows support ({uri-issue}129[#129])
  • Improved documentation for operation with Bettercap ({uri-issue}107[#107])
  • Added a heuristics-based credential logger to enable credentials collection at scale ({uri-issue}106[#106])
  • Dependency update: Replaced pycrypto with pycryptodome ({uri-issue}128[#128])
  • UX improvements to the PyRDP-Player ({uri-issue}119[#119], {uri-issue}124[#124])
  • Improved handling of X224 Negotiation Failures like NLA ({uri-issue}102[#102])
  • Accept and log connections from scanners better ({uri-issue}136[#136])
  • Added BlueKeep specific detection and logging ({uri-issue}114[#114])
  • Added a log entry that summarizes a connection, useful to hunt specific connections ({uri-issue}117[#117])
  • Logging minor improvements ({uri-issue}123[#123], {uri-issue}112[#112])

Bug fixes

  • Added support for RDP v10.7 in the connection handshake ({uri-issue}135[#135])
  • Fixed issue with virtualenv setup ({uri-issue}110[#110])
  • Fixed connections to Windows servers with RDS enabled ({uri-issue}118[#118])
  • Shared Folders: Fixed a case where DOSName had no nullbyte ({uri-issue}121[#121])

Install && Use

Copyright (C) 2018 GoSecure

Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Malware analyst || Malware Investigator || Reverse Engineering

SC ProDefence SRL - Cyber Security Services