-
Notifications
You must be signed in to change notification settings - Fork 252
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Harvest credentials entered on Windows lock screen #103
Comments
Without going into implementation details, I have a basic keylogger that prints the first 3 inputs whenever a client connects. Here is a very filtered output showcasing this feature. I plan on making the number of keylogged input configurable, and default to 2. This keylogger doesn't handle backspaces, since the user may have to fill both the username and password field. Correct me if I'm wrong, but I haven't noticed any way to know if the user passed the lock screen. This implies that we won't be able to reliably steal the user input 100% of the time, since the user may enter wrong credentials a few times. It still saves a lot of time, without disrupting the honeypot case. |
Seems like a neat feature. For detecting log ins, look at the message sent through the RDPDR channel when the user is logged on (I talked about it in this issue: #98). |
^ However, if the RDPDR channel doesnt exist, it won't get sent, so keep that in mind :) |
Yeah I've seen that issue, but I was not too sure if it was reliable. Since it is used by default in WIndows, I'll print the last input before "PAKID_CORE_USER_LOGGEDON". If the channel never exists, then I think it would be fine if the credentials are never printed. |
Implemented in #106 |
Hey ! 👋
Currently, PyRDP logs any credentials sent by the RDP client when initializing the connection. The builtin RDP clients in Windows 7 and up won't send any username / password in the initialization by default. They can be configured to send a username, but not a password. In that scenario, the user proceeds to manually enter his credentials in the Windows lock screen, and it is not logged by PyRDP.
Even though we can still get the username and password by watching the replay, via the keylogger, I think it would be a great addition to automatically scrape the keylogger and harvest the username and password from the lock screen.
I'll try a proof of concept tomorrow. If you have any suggestions please let me know.
The text was updated successfully, but these errors were encountered: