PyRDP Files

Release blog post: https://www.gosecure.net/blog/2022/12/23/a-new-pyrdp-release-the-rudolph-desktop-protocol/

Release highlights

• Net-NTLMv2 Hash Capture
• 6x faster pyrdp-convert
• RDP Version 10.9 and 10.10 supported
• Python 3.10 support
• Plugged memory leak and fixed important long-standing bugs

Full list of changes follows.

Backwards Compatibility Changes

• Collected files are now stored as their SHA-256 hash value instead of SHA-1 (#389)
• The log field shasum now holds the SHA-256 hash value of files instead of SHA-1 (#389)

Security

• Backported security fixes from rdesktop to our Python C extension doing RLE processing. Exploitability wasn't verified. (#357)

Enhancements

• Support for RDP version 10.9 and 10.10 (#396, [#397])
• Capture and log NetNTLMv2 hash if the server enforces NLA and we don't have the NLA redirection attack activated (#367, [#358])
• The Net-NTLMv2 challenge can be defined via --ssp-challenge allowing to do more efficient parallel cracking or leverage rainbow tables (#405, [#418])
• pyrdp-convert video conversion is now 6x faster! (See [#349])
• pyrdp-convert video format can be viewed during encoding and will play even if the conversion process crashes or is halted (#352, [#353])
• pyrdp-convert can now handle exported PDUs (decrypted pcaps) with multiple sessions in them (#313, [#368])
• pyrdp-convert can now extract session information including keyboard and mouse movement information in JSON from pcap and PDUs (#331, [#366])
• pyrdp-convert has better success messages, error reporting and exit status (#361, [#369])
• pyrdp-mitm added --address argument to choose the IP address where PyRDP is listening (#411, [#412])
• Minor CLI improvements
• Improved type hints
• Updated instructions to extract the RDP certificate and private key (#345)
• Documentation updates (#335, [#339], [#340], [#360], [#371], [#381], [#383], [#384], [#408], [#420])
• Replaced unmaintained dependency notify2 with py-notifier (#363, [#365])
• Some Python 3.10 compatibility work (#366, [#380], [#421])
• Enable play/pause replay on the Player by pressing the Space key (#403).

Bug fixes

• Fixed situations where device redirection or clipboard sharing would hang and timeout (#139, [#422])
• Fixed a memory leak in the bitmap decoding routine preventing the conversion or the replay of very large captures (#352, [#353])
• Fixed pyrdp-player on macOS platforms (#362)
• Fixed pyrdp-convert pcap processing when victim IP and MITM IP are the same (#366)
• Fixed a pyrdp-convert segmentation fault in QT in some MP4 conversions (#378, [#428], [#429])
• Fixed NLA redirection problems if original target and NLA redirection target are the same (#342, [#343])
• Fixed leak of file descriptors due to missing close on replay file recording (#392, [#413], [#415])
• Added a missing dependency for the GUI on Ubuntu 20.04 LTS (#348, [#351], [#355])
• No longer assuming every connection will have VirtualChannels (#375)
• Some minor protocol-level fixes (#408)

Infrastructure

• The slim flavor of our Docker image is now provided for the ARM64 platform (#346, [#388])
• Docker images are now built and pushed via GitHub Actions (#334, [#341])
• Added an automated video conversion test to CI configuration (#349)
• Added an automated JSON conversion test to CI configuration with some validation (#369)
• Added an automated replay conversion test to CI configuration (#369)
• Test refactoring to allow running most GitHub CI tests locally when developing (#368)
• Added Python 3.10 to CI test configuration (#387)
• Updated our dependencies to the latest stable versions (#386, [#391], [#400], [#414], [#417])

Credits

Thanks to the following people who contributed to this release:

Alexandre Beaulieu (@alxbl), Lisandro Ubiedo (@lubiedo), Francis Labelle (@xshill), Lukas Kupczyk (@lkupczyk), Olivier Bilodeau (@obilodeau), simonhuang (@thelongestusernameofall), Jonas (@spameier) and Flare Systems