DEF CON Safe Mode Demo Labs - Olivier Bilodeau - PyRDP

PyRDP is a Remote Desktop Protocol (RDP) monster-in-the-middle (MITM) tool and library useful in intrusion testing and malware research. Its out of the box offensive capabilities can be divided in three broad categories: client-side, MITM-side and server-side. On the client-side PyRDP can actively steal any clipboard activity, crawl mapped drives and collect all keystrokes. On the MITM-side PyRDP records everything on the wire in several formats (logs, json events), allows the attacker to take control of an active session and performs a pixel perfect recording of the RDP screen. On the server-side, on-logon PowerShell or cmd injection can be performed when a legitimate client connects. Over the last year, we implemented several features that we are going to uncover in this brand-new demo lab workshop: a headless mode that allows deployment on systems with less resources or without an X11 stack, a fully transparent layer-2 deployment capability leveraging IP_TRANSPARENT sockets, a brand new Windows Graphical Device Interface (GDI) implementation and the ability to convert recorded sessions into MP4 videos. On the malware research side, PyRDP can be used as part of a fully interactive honeypot. It can be placed in front of a Windows RDP server to intercept malicious sessions. It can replace the credentials provided in the connection sequence with working credentials to accelerate compromise and malicious behavior collection. It also saves a visual and textual recording of each RDP session, which is useful for investigation or to generate IOCs. Additionally, PyRDP saves a copy of the files that are transferred via the drive redirection feature, allowing it to collect malicious payloads.