
Enhancement: RDP Module #89

Merged
merged 6 commits into from
Apr 11, 2022

Conversation

anotheronemoretime
Contributor

Hi @skelsec,

This PR updates the RDP module.

It allows the extraction of RDP connection information through 2 methods:

  • pypykatz rdp logonpasswords -h: this option extracts RDP credentials information from a memory dump of the terminal service. The code is the same as the previous RDP module, only a few more checks were added to improve accuracy (taken from mimikatz source code).

  • pypykatz rdp mstsc -h: this option extracts RDP credentials information from a memory dump of the process mstsc.exe, created when a user opens the remote desktop connection application. The extraction method used is the one implemented by @gentilkiwi and detailed in mimikatz.

In order to work properly, you need to apply the pull request #21.
It makes a minor fix in the minidump library, more precisely in the function which is looking for patterns in memory segments.

I did some tests and everything seems to work like a charm on win2012r2, win2016, win2019 and win10 (x64). Further testing is welcome :)

Kind regards

@skelsec
Owner
skelsec commented Aug 29, 2021

wow, this looks really cool! The only reason I haven't merged it yet is that this project is now migrating to Porchetta Industries "group" and you just sent it after the gitlab sync. We are trying to figure out what would be the best way to get it right.
Sorry for the inconvenience, we're on it.

@byehack
Contributor
byehack commented Sep 4, 2021

Not working using RDPCredParser.parse_minidump_file on Win10 20H2.

UPDATE: worked after using a 64-bit interpreter.

@skelsec
Owner
skelsec commented Sep 4, 2021

@ThePwn1sher can you please reach out to me via twitter DM (same handle) or on porchetta discord? It would be appreciated.

@byehack
Contributor
byehack commented Sep 4, 2021

Rdp: WinServer2019 x64
System: Win10 20h2 x64
interpreter: Py37 x64

c:\Python37>python -m pypykatz live rdp mstsc
Traceback (most recent call last):
  File "c:\Python37\lib\runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "c:\Python37\lib\runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "c:\Python37\lib\site-packages\pypykatz\__main__.py", line 151, in <module>
    main()
  File "c:\Python37\lib\site-packages\pypykatz\__main__.py", line 84, in main
    helper.execute(args)
  File "c:\Python37\lib\site-packages\pypykatz\rdp\cmdhelper.py", line 59, in execute
    self.run_live(args)
  File "c:\Python37\lib\site-packages\pypykatz\rdp\cmdhelper.py", line 65, in run_live
    print(str(cred))
  File "c:\Python37\lib\site-packages\pypykatz\rdp\packages\creds\decryptor.py", line 38, in __str__
    t += '\t\tpassword_raw %s\n' % self.password_raw.hex()
AttributeError: 'str' object has no attribute 'hex'

t += '\t\tdomainname %s\n' % self.domainname
t += '\t\tusername %s\n' % self.username
t += '\t\tpassword \'%s\'\n' % self.password
t += '\t\tpassword_raw %s\n' % self.password_raw.hex()
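Review bot: dropping `.hex()` on the `password_raw` line fixes the `AttributeError` for the live path, where the traceback above shows `password_raw` arriving as a `str`, but it silently drops the hex rendering whenever the value is `bytes` (the type the original `.hex()` call expects from the minidump path). Branch on the type instead, e.g. `raw = self.password_raw; t += '\t\tpassword_raw %s\n' % (raw.hex() if isinstance(raw, (bytes, bytearray)) else raw)`, and note that the `password '%s'` line two lines up will still print the text `'None'` when `self.password` is `None`, which is the "why None inside string?" question raised below.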
Contributor

change this to:

t += '\t\tpassword_raw %s\n' % self.password_raw

@byehack
Contributor
byehack commented Sep 5, 2021

other tests:

c:\Python37>python -m pypykatz live rdp mstsc
        == RDP Credential ==
                domainname SERVER
                username user
                password 'None'             # <---------- why None inside string?
                password_raw
                isencrypted: None
                servername: 'x.x.x.x'
                serverfqdn: ''

c:\Python37>python -m pypykatz rdp mstsc minidump c:/mstsc.dmp
        == RDP Credential ==
                domainname SERVER
                username user
                password ''
                password_raw
                isencrypted: True
                servername: 'x.x.x.x'
                serverfqdn: ''

@anotheronemoretime
Contributor Author

Hi @byehack, thank you for your tests.
I made a commit which should fix these bugs, at least I hope :).
Keep me updated if this solved your issues.

@byehack
Contributor
byehack commented Sep 5, 2021
c:\Python37>python -m pypykatz live rdp mstsc
        == RDP Credential ==
                domainname SERVER
                username user
                password 'None'
                password_raw
                isencrypted: None
                servername: 'x.x.x.x'
                serverfqdn: ''

after adding 2884036, but it still doesn't show the password.

@anotheronemoretime
Contributor Author
anotheronemoretime commented Sep 5, 2021

Weird, I can't reproduce the bug:

[screenshot: mstsc]

Do you have the latest version of minidump installed?
Otherwise, I'll need your mstsc.dmp file for debugging.

@byehack
Contributor
byehack commented Sep 6, 2021

@ThePwn1sher yes, all dependencies are updated.

c:\Python37>python -m pypykatz rdp mstsc minidump mstsc.dmp
        == RDP Credential ==
                domainname YES_LOG
                username file
                password ''
                password_raw
                isencrypted: True
                servername: 'x.x.x.x'
                serverfqdn: ''


c:\Python37>python -m pypykatz live rdp mstsc
        == RDP Credential ==
                domainname YES_LOG
                username file
                password 'None'
                password_raw
                isencrypted: None
                servername: 'x.x.x.x'
                serverfqdn: ''


c:\Python37>python --version
Python 3.7.7

c:\Python37>python -m pip show minidump
Name: minidump
Version: 0.0.19
Summary: Python library to parse Windows minidump file format
Home-page: https://github.com/skelsec/minidump
Author: Tamas Jos
Author-email: skelsecprojects@gmail.com
License: UNKNOWN
Location: c:\python37\lib\site-packages
Requires:
Required-by: pypykatz

c:\Python37>systeminfo

Host Name:                 SYSTEM
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.19042 N/A Build 19042

## RDP INFO
C:\Users\file>systeminfo

Host Name:                 YES_LOG
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19043 N/A Build 19043

If you have Telegram, send me a message for the dump file: @byehack. Otherwise give me an address to DM you.

@byehack
Contributor
byehack commented Sep 6, 2021

also in mimikatz:


mimikatz # privilege::debug
Privilege '20' OK

mimikatz # ts::mstsc
!!! Warning: false positives can be listed !!!

| PID 16224     mstsc.exe (module @ 0x00000000010DF990)

ServerName                                [wstring] 'x.x.x.x'
ServerFqdn                                [wstring] ''
UserSpecifiedServerName                   [wstring] 'x.x.x.x'
UserName                                  [wstring] 'file'
Domain                                    [wstring] 'YES_LOG'
Password                                  [protect]
SmartCardReaderName                       [wstring] ''
PasswordContainsSCardPin                  [ bool  ] FALSE
ServerNameUsedForAuthentication           [wstring] 'x.x.x.x'
RDmiUsername                              [wstring] 'file'

@byehack
Contributor
byehack commented Sep 6, 2021

It seems to work on another system:

C:\Users\User>systeminfo

Host Name:                 WIN-R5831VUIAI5
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600

mimikatz # ts::mstsc
!!! Warning: false positives can be listed !!!

| PID 20200     mstsc.exe (module @ 0x000000000104FBB0)

ServerName                                [wstring] 'x.x.x.x'
ServerFqdn                                [wstring] ''
UserSpecifiedServerName                   [wstring] 'x.x.x.x'
UserName                                  [wstring] 'file'
Domain                                    [wstring] ''
Password                                  [protect] 'PASSWord'
SmartCardReaderName                       [wstring] ''
PasswordContainsSCardPin                  [ bool  ] FALSE
ServerNameUsedForAuthentication           [wstring] 'x.x.x.x'

@anotheronemoretime
Contributor Author

So if I understand correctly, Mimikatz AND Pypykatz are not able to retrieve RDP credentials in your mstsc.exe.

You can share your mstsc minidump here: https://nx5494.your-storageshare.de/s/SJteWj3PPbg8jBA (@skelsec will forward it to me).
I'll take a look, but if it's also a Mimikatz issue, I'm not sure how to fix it. You may address this issue to @gentilkiwi.

@byehack
Contributor
byehack commented Sep 6, 2021

> but if it's also a Mimikatz issue, I'm not sure how to fix it. You may address this issue to @gentilkiwi.

I think so too. I should solve this problem with Mimikatz. I think in newer versions of Windows it is unable to get passwords.

@anotheronemoretime
Contributor Author

Commit 841f7c1 will work properly only if the PR #22 is merged.

@skelsec skelsec merged commit fcb2c93 into skelsec:master Apr 11, 2022
@skelsec
Owner
skelsec commented Apr 11, 2022

Finally I got around to testing it, thank you for the contribution!
