RDPY is an RDP Security Tool in Twisted Python with RDP Man in the Middle proxy support which can record sessions and Honeypot functionality.
RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client and server side). RDPY is built over the event driven network engine Twisted. RDPY support standard RDP security layer, RDP over SSL and NLA authentication (through ntlmv2 authentication protocol).
RDPY RDP Security Tool Features
RDPY provides the following RDP and VNC binaries:
- RDP Man In The Middle proxy which record session
- RDP Honeypot
- RDP Screenshoter
- RDP Client
- VNC Client
- VNC Screenshoter
- RSS Player
RDPY is fully implemented in python, except the bitmap decompression algorithm which is implemented in C for performance purposes.
RDPY Hacking RDP Binaries
rdpy-rdpclient is a simple RDP Qt4 client.
$ rdpy-rdpclient.py [-u username] [-p password] [-d domain] [-r rss_ouput_file] [...] XXX.XXX.XXX.XXX[:3389]
You can use rdpy-rdpclient in a Recorder Session Scenario, used in rdpy-rdphoneypot.
rdpy-vncclient is a simple VNC Qt4 client.
$ rdpy-vncclient.py [-p password] XXX.XXX.XXX.XXX[:5900]
rdpy-rdpscreenshot saves login screen in file.
$ rdpy-rdpscreenshot.py [-w width] [-l height] [-o output_file_path] XXX.XXX.XXX.XXX[:3389]
rdpy-vncscreenshot saves the first screen update in file.
$ rdpy-vncscreenshot.py [-p password] [-o output_file_path] XXX.XXX.XXX.XXX[:5900]
rdpy-rdpmitm is a RDP proxy allows you to do a Man In The Middle attack on RDP protocol. Record Session Scenario into rss file which can be replayed by rdpy-rssplayer.
$ rdpy-rdpmitm.py -o output_dir [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] [-r (for XP or server 2003 client)] target_host[:target_port]
Output directory is used to save the rss file with following format (YYYYMMDDHHMMSS_ip_index.rss) The private key file and the certificate file are classic cryptographic files for SSL connections. The RDP protocol can negotiate its own security layer If one of both parameters are omitted, the server use standard RDP as security layer.
rdpy-rdphoneypot is an RDP honey Pot. Use Recorded Session Scenario to replay scenario through RDP Protocol.
$ rdpy-rdphoneypot.py [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] rss_file_path_1 ... rss_file_path_N
The private key file and the certificate file are classic cryptographic files for SSL connections. The RDP protocol can negotiate its own security layer. If one of both parameters are omitted, the server use standard RDP as security layer. You can specify more than one files to match more common screen size.
rdpy-rssplayer is use to replay Record Session Scenario (rss) files generates by either rdpy-rdpmitm or rdpy-rdpclient binaries.
$ rdpy-rssplayer.py rss_file_path
There’s also another related tool which can extract RDP sessions:
And there is of course Seth – RDP Man In The Middle Attack Tool.
You can download RDPY here:
Or read more here.
Once again the old, default Amazon AWS S3 settings are catching people out, this time the US Military has left terabytes of social media spying S3 data exposed to everyone for years.
It’s not long ago since a Time Warner vendor and their sloppy AWS S3 config leaked over 4 million customer records and left S3 data exposed, and that’s not the only case – there’s plenty more.
Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing “dozens of terabytes” of social media posts and similar pages – all scraped from around the world by the US military to identify and profile persons of interest.
The archives were found by UpGuard’s veteran security-breach hunter Chris Vickery during a routine scan of open Amazon-hosted data silos, and the trio weren’t exactly hidden. The buckets were named centcom-backup, centcom-archive, and pacom-archive.
CENTCOM is the common abbreviation for the US Central Command, which controls army operations in the Middle East, North Africa and Central Asia. PACOM is the name for US Pacific Command, covering the rest of southern Asia, China and Australasia.
Vickery told The Register today he stumbled upon them by accident while running a scan for the word “COM” in publicly accessible S3 buckets. After refining his search, the CENTCOM archive popped up, and at first he thought it was related to Chinese multinational Tencent, but quickly realized it was a US military archive of astounding size.
“For the research I downloaded 400GB of samples but there were many terabytes of data up there,” he said. “It’s mainly compressed text files that can expand out by a factor of ten so there’s dozens and dozens of terabytes out there and that’s a conservative estimate.”
I’m curious to know if anyone else found these buckets before, I should hope being the US Military they at least have access logging turned on for these buckets, but considering the fact they were open to World – that may not be the case.
It just goes to show (as with MongoDB) you can’t trust people with lax defaults because most of the time developers wont change them.
Just one of the buckets contained 1.8 billion social media posts automatically fetched over the past eight years up to today. It mainly contains postings made in central Asia, however Vickery noted that some of the material is taken from comments made by American citizens.
The databases also reveal some interesting clues as to what this information is being used for. Documents make reference to the fact that the archive was collected as part of the US government’s Outpost program, which is a social media monitoring and influencing campaign designed to target overseas youths and steer them away from terrorism.
Vickery found the Outpost development configuration files in the archive, as well as Apache Lucene indexes of keywords designed to be used with the open-source search engine Elasticsearch. Another file refers to Coral, which may well be a reference to the US military’s Coral Reef data-mining program.
“Coral Reef is a way to analyze a major data source to provide the analyst the ability to mine significant amounts of data and provide suggestive associations between individuals to build out that social network,” Mark Kitz, technical director for the Army Distributed Common Ground System – Army, told the Armed Forces Communications and Electronics Association magazine Signal back in 2012.
“Previously, we would mine through those intelligence reports or whatever data would be available, and that would be very manual-intensive.”
I guess tools like this are just making it easier to find exposed buckets:
There is definitely going to be more of these cases popping up and more people jump on the cloud bandwagon without really understanding the security implications, “Hey the URL is not public so we don’t need to protect it because no one can find it” – etc.
Source: The Register
SNIFFlab is a set of scripts in Python that enable you to create your own MITM test environment for packet sniffing through a WiFi access point.
Essentially it’s a WiFi hotspot that is continually collecting all the packets transmitted across it. All connected clients’ HTTPS communications are subjected to a “Man-in-the-middle” attack, whereby they can later be decrypted for analysis
What is SNIFFLab MITM Test Environment
In our environment, dubbed Snifflab, a researcher simply connects to the Snifflab WiFi network, is prompted to install a custom certificate authority on the device, and then can use their device as needed for the test.
All traffic on the network is logged by a Raspberry Pi dedicated to that task. The traffic is cloned by a Great Scott Gadgets Throwing Star LAN Tap, which routes it both to its destination, and to our Raspberry Pi. The Pi continually collects packet data, creating new packet capture (pcap) files at a regular interval, or once the active file reaches a configurable size. Saved files are regularly transferred to another machine for persistent storage. Users with SSH access to the Pi can also manually restart the pcap service, to get instant access to the captured packets, instead of waiting for the interval.
The custom certificate that each client must install enables the proxy server through which SNIFFlab routes its traffic to intercept HTTPS requests to the outside world, and re-encrypt them using certificates generated on-the-fly. This allows for the researcher to later decrypt most captured network traffic sent over HTTPS.
Using SNIFFLab MITM Enivronment
-i (specify the network interface)
-s (specify the file size limit)
-t (specify the time interval, in seconds, between new PCAP files)
-f (specify a filename suffix to append to each PCAP.
-u (specify a ssh username for a remote backup)
-h (specify a ssh host for remote backup)
-p (specify the path on the remote host for backup)
There are some other related tools here:
– mitmproxy – Intercepting HTTP Proxy Tool aka MITM
– MANA Toolkit – Rogue Access Point (evilAP) And MiTM Attack Tool
– BetterCap – Modular, Portable MiTM Framework
– MITMf – Man-In-The-Middle Attack Tool
You can download SNIFFlab here:
Or read more here.
Skype Log Viewer allows you to download and view the Skype history and log files, on Windows, without actually downloading the Skype client itself.
What does Skype Log Viewer do?
This program allows you to view all of your Skype chat logs and then easily export them as text files.
It correctly organizes them by conversation and makes sure that group conversations do not get jumbled with one on one chats.
Skype Log Viewer Features
- Download Skype Logs
- Broken Database Support
- Change Export Format
- Organized by conversation in Skype
It’s been a while since anything regarding Skype has been in the news, honestly, since Hangouts, Bluejeans, Appear.in, Facetime and all the other options have emerged I don’t think that many people are still using it – other than perhaps Skype for business.
There was a Skype worm WAY back in 2006 – Skype Worm in the Wild – W32.Chatosky
You can download Skype Log Viewer here:
Or read more here.
If you are into cryptocurrency or blockchain at all, you will have heard about the Ethereum Parity Bug that has basically thrown $280 Million value or more of Ethereum tokens in the bin. It’s a bit of a mess really, and a mistake by the developers who introduced it after fixing another bug back in […]
WPSeku is a black box WordPress Security scanner that can be used to scan remote WordPress installations to find security issues and vulnerabilities. Features of WPSeku WordPress Security Scanner WPSeku supports various types of scanning including: Testing for XSS Vulnerabilities Testing for SQL Injection Vulnerabilities Testing for LFI Vulnerabilities Bruteforce login via xmlrpc Username Enumeration […]