{"id":4738,"date":"2017-09-12T22:13:19","date_gmt":"2017-09-12T14:13:19","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4738"},"modified":"2020-02-14T22:50:54","modified_gmt":"2020-02-14T14:50:54","slug":"seth-rdp-man-in-the-middle-attack-tool","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2017\/09\/seth-rdp-man-in-the-middle-attack-tool\/","title":{"rendered":"Seth &#8211; RDP Man In The Middle Attack Tool"},"content":{"rendered":"<p>Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection in order to extract clear text credentials.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/09\/Seth-RDP-Man-In-The-Middle-Attack-Tool-640x369.png\" alt=\"Seth - RDP Man In The Middle Attack Tool\" width=\"640\" height=\"369\" class=\"aligncenter size-medium wp-image-4740\" srcset=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/09\/Seth-RDP-Man-In-The-Middle-Attack-Tool-640x369.png 640w, https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/09\/Seth-RDP-Man-In-The-Middle-Attack-Tool-1024x591.png 1024w, https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/09\/Seth-RDP-Man-In-The-Middle-Attack-Tool.png 1149w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/p>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<p>It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks.<\/p>\n<h2>Usage of Seth RDP Man In The Middle Attack Tool<\/h2>\n<p>Run it like this:<\/p>\n<pre>$ .\/seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP><\/pre>\n<p>Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.<\/p>\n<p>The script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the traffic such that it runs through an RDP proxy. The proxy can be called separately:<\/p>\n<pre>$ .\/rdp-cred-sniffer.py -h\r\nusage: rdp-cred-sniffer.py [-h] [-d] [-p LISTEN_PORT] [-b BIND_IP]\r\n                           [-g {0,1,3,11}] -c CERTFILE -k KEYFILE\r\n                           target_host [target_port]\r\n\r\nRDP credential sniffer -- Adrian Vollmer, SySS GmbH 2017\r\n\r\npositional arguments:\r\n  target_host           target host of the RDP service\r\n  target_port           TCP port of the target RDP service (default 3389)\r\n\r\noptional arguments:\r\n  -h, --help            show this help message and exit\r\n  -d, --debug           show debug information\r\n  -p LISTEN_PORT, --listen-port LISTEN_PORT\r\n                        TCP port to listen on (default 3389)\r\n  -b BIND_IP, --bind-ip BIND_IP\r\n                        IP address to bind the fake service to (default all)\r\n  -g {0,1,3,11}, --downgrade {0,1,3,11}\r\n                        downgrade the authentication protocol to this (default\r\n                        3)\r\n  -c CERTFILE, --certfile CERTFILE\r\n                        path to the certificate file\r\n  -k KEYFILE, --keyfile KEYFILE\r\n                        path to the key file<\/pre>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<h3>Requirements for Seth RDP MiTM Attack Tool<\/h3>\n<ul>\n<li>python3<\/li>\n<li>tcpdump<\/li>\n<li>arpspoof (<em>arpspoof is part of <a href=\"https:\/\/www.darknet.org.uk\/2020\/02\/dsniff-download-tools-for-network-auditing-password-sniffing\/\">dsniff<\/a><\/em>)<\/li>\n<li>openssl < 1.1.0f<\/li>\n<\/ul>\n<p>OpenSSL should not be too recent, as it does not support older versions of the SSL protocol and thus may be incompatible with older version of the Windows RDP client.<\/p>\n<p>You can check out the full paper here:<\/p>\n<p>&#8211; <a href=\"https:\/\/github.com\/SySS-Research\/Seth\/blob\/master\/doc\/paper\/Attacking_RDP-Paper.pdf\">Attacking RDP How to Eavesdrop on Poorly Secured RDP Connections<\/a><\/p>\n<p>There&#8217;s also another related tool which can extract RDP sessions:<\/p>\n<p>&#8211; <a href=\"https:\/\/www.darknet.org.uk\/2017\/03\/sessiongopher-session-extraction-tool\/\">SessionGopher \u2013 Session Extraction Tool<\/a><\/p>\n<p>You can download Seth for RDP MiTM here:<\/p>\n<p><a href=\"https:\/\/github.com\/SySS-Research\/Seth\/archive\/master.zip\">Seth-master.zip<\/a><\/p>\n<p>Or read more <a href=\"https:\/\/github.com\/SySS-Research\/Seth\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. Usage [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"","_seopress_titles_desc":"Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[9],"tags":[10626],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4738"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=4738"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4738\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=4738"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=4738"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=4738"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}