RDP man-in-the-middle attack

RDP man-in-the-middle attack

Almost all networks use Remote Desktop Protocol (RDP), which allows users to remotely manage windows servers and have full control over the server desktop. Some users also like to use it to schedule or install applications, and some like to use powershell to quickly and automatically manage the system.

Now, the question is whether there is a way to directly intrude into RDP.

To connect to RDP, you must first pass the creden of the server. The next user needs to connect to the system according to the system configuration file. This is a standard method for connecting and using RDP, but to hijack the protocol, you can use the RDPY tool to execute MITM to attack RDP sessions.

RDPY is an open-source python script. Therefore, you can hijack RDP sessions and initiate MITM attacks to record communications and display operations performed on the server. This tool not only executes man-in-the-middle attacks, but also runs RDP Honeypot, so that the attacker's system can run a false RDP Session.

RDP honeypot sets up a daemon. You can use this process on the network to detect or test suspicious activities, such as worms, or brute force cracking devices on the network.

The RDP module in RDPY can be used for running RDP sessions. In this way, if you need to check which programs the user has opened, you only need to record the applications running on the remote system.

RDPY not only includes the RDP Attack Module, but also supports VNC attacks. This tool has the same performance as VNC without a honeypot. In addition, the rssplayer module is used to play back session scenarios during MITM attacks. These scenarios are captured by man-in-the-middle proxy module or redpclient. In this way, you can play back the session and find what you want.