Enhancement: RDP Module #89
Wow, this looks really cool! The only reason I haven't merged it yet is that this project is now migrating to Porchetta Industries "group" and you just sent it after the gitlab sync. We are trying to figure out what would be the best way to get it right.
not working using UPDATE: worked after using 64bit interpreter.
@ThePwn1sher can you please reach out to me via twitter DM (same handle) or on porchetta discord? It would be appreciated.
Rdp: WinServer2019 x64
t += '\t\tdomainname %s\n' % self.domainname | ||
t += '\t\tusername %s\n' % self.username | ||
t += '\t\tpassword \'%s\'\n' % self.password | ||
t += '\t\tpassword_raw %s\n' % self.password_raw.hex() |
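Review bot: on the password_raw line, self.password_raw.hex() assumes the field is always a bytes object; if it can be None or already a str when extraction or decryption fails, building the string raises AttributeError and the whole record fails to print. Guard the call, for example self.password_raw.hex() if isinstance(self.password_raw, (bytes, bytearray)) else self.password_raw, rather than dropping .hex(), which would print a Python bytes repr instead of hex. The password line also wraps the value in single quotes without escaping, so a password that itself contains a quote or a newline is ambiguous in the output; formatting it with repr() would be unambiguous.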
change this to:
t += '\t\tpassword_raw %s\n' % self.password_raw
other tests:
Hi @byehack, thank you for your tests.
After adding 2884036, it still doesn't show the password.
Weird, I can't reproduce the bug: Do you have the latest version of minidump installed?
@ThePwn1sher yes, all of the dependencies are updated.
If you have Telegram, send me a message for the dump file @byehack. Otherwise give me an address to DM you.
also in mimikatz:
It seems to work on another system:
So if I understand correctly, Mimikatz AND Pypykatz are not able to retrieve RDP credentials in your mstsc.exe. You can share your mstsc minidump here: https://nx5494.your-storageshare.de/s/SJteWj3PPbg8jBA (@skelsec will forward it to me).
I think so too. I should solve this problem with Mimikatz. I think in newer versions of Windows it is unable to get passwords.
Finally I got around to testing it, thank you for the contribution!
Hi @skelsec,
This PR updates the RDP module.
It allows the extraction of RDP connection information through 2 methods:
pypykatz rdp logonpasswords -h: this option extracts RDP credentials information from a memory dump of the terminal service. The code is the same as the previous RDP module, only a few more checks were added to improve accuracy (taken from mimikatz source code).
pypykatz rdp mstsc -h: this option extracts RDP credentials information from a memory dump of the process mstsc.exe, created when a user opens the remote desktop connection application. The extraction method used is the one implemented by @gentilkiwi and detailed in mimikatz.
In order to work properly, you need to apply the pull request #21.
It makes a minor fix in the minidump library, more precisely in the function which is looking for patterns in memory segments.
I did some tests and everything seems to work like a charm on win2012r2, win2016, win2019 and win10 (x64). Further testing is welcome :)
Kind regards