From f18d4991ff834c52794e3ac460cf0a78e16b3775 Mon Sep 17 00:00:00 2001 From: Seb <5796850+sebch-@users.noreply.github.com> Date: Wed, 12 Oct 2022 19:47:40 +0200 Subject: [PATCH] Update Active Directory Attack.md --- .../Active Directory Attack.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index c62feae..0de3723 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -2219,6 +2219,21 @@ secretsdump.py -k -no-pass target.lab.local # IP of PC1: 10.0.0.4 ``` +#### Man-in-the-middle RDP connections with pyrdp-mitm +* https://github.com/GoSecure/pyrdp +* https://www.gosecure.net/blog/2018/12/19/rdp-man-in-the-middle-smile-youre-on-camera/ +* Usage +```sh +pyrdp-mitm.py +pyrdp-mitp.py : # with custom port +pyrdp-mitm.py -k private_key.pem -c certificate.pem # with custom key and certificate +``` +* Exploitation + * If Network Level Authentication (NLA) is enabled, you will obtain the client's NetNTLMv2 challenge + * If NLA is disabled, you will obtain the password in plaintext + * Other features are available such as keystroke recording +* Alternatives + * S3th: https://github.com/SySS-Research/Seth, performs ARP spoofing prior to launching the RDP listener ### Active Directory Certificate Services