
Harvest credentials entered on Windows lock screen #103

Closed
Pourliver opened this issue May 8, 2019 · 5 comments
Assignees
Labels
enhancement New feature or request

Comments

@Pourliver
Contributor

Hey! 👋

Currently, PyRDP logs any credentials sent by the RDP client when initializing the connection. The builtin RDP clients in Windows 7 and up won't send any username / password in the initialization by default. They can be configured to send a username, but not a password. In that scenario, the user proceeds to manually enter his credentials in the Windows lock screen, and it is not logged by PyRDP.

Even though we can still get the username and password by watching the replay, via the keylogger, I think it would be a great addition to automatically scrape the keylogger and harvest the username and password from the lock screen.

I'll try a proof of concept tomorrow. If you have any suggestions please let me know.

Pourliver added the enhancement (New feature or request) label May 8, 2019

@Pourliver
Contributor Author

Pourliver commented May 9, 2019

Without going into implementation details, I have a basic keylogger that prints the first 3 inputs whenever a client connects. Here is a very filtered output showcasing this feature.

Screenshot from 2019-05-09 15-36-38

I plan on making the number of keylogged inputs configurable, and default to 2. This keylogger doesn't handle backspaces, since the user may have to fill both the username and password fields.

Correct me if I'm wrong, but I haven't noticed any way to know if the user passed the lock screen. This implies that we won't be able to reliably steal the user input 100% of the time, since the user may enter wrong credentials a few times. It still saves a lot of time, without disrupting the honeypot case.

@xshill
Collaborator

xshill commented May 9, 2019

Seems like a neat feature. For detecting logins, look at the message sent through the RDPDR channel when the user is logged on (I talked about it in this issue: #98).

@Res260
Collaborator

Res260 commented May 9, 2019

^ However, if the RDPDR channel doesn't exist, it won't get sent, so keep that in mind :)

@Pourliver
Contributor Author

Yeah, I've seen that issue, but I was not too sure if it was reliable. Since it is used by default in Windows, I'll print the last input before "PAKID_CORE_USER_LOGGEDON". If the channel never exists, then I think it would be fine if the credentials are never printed.

@Pourliver
Contributor Author

Implemented in #106
