Remote Desktop Protocol (RDP) is the de facto protocol to remotely access Windows systems. Two years ago, we released PyRDP, a free and open-source RDP Monster-In-The-Middle (MITM) tool to tangibly demonstrate some of RDP’s common misconfigurations and associated risks. Since then, more RDP servers are exposed online and Microsoft’s RDP implementation has been the target of serious vulnerabilities like BlueKeep. This presentation will quickly summarize what PyRDP’s MITM can do, including taking control of sessions, actively steal client-side clipboards as well as browse the client-side filesystem in both manual and automated fashion. Then, the latest, and trickier, improvements to the whole suite, including fully transparent layer-2 deployment, Windows Graphical Device Interface (GDI) support and the ability to extract videos of recorded sessions, will be discussed. We will also present scenarios using the tool during intrusion testing and provide real war stories where threat actors were caught on-tape, allowing attendees to grasp the tool’s powerful abilities. Lastly, we will show how to prevent RDP man-in-the-middle attacks, thus helping defenders protect their networks, a necessary measure in the current remote-working era.
