feat(creds): DEBT-040 Phase 2 — RDP X.224 cookie capture
Replace Twisted-based connection logger with an asyncio handler that parses the X.224 Connection Request, extracts the mstshash routing cookie (universal across mstsc / FreeRDP / Hydra / ncrack / MSF rdp_login), records the rdpNegRequest.requestedProtocols flags, and answers with a well-formed X.224 Connection Confirm selecting PROTOCOL_RDP. Scope-down vs. the original DEBT-040 plan: full TS_INFO_PACKET extraction would require either Standard-RDP-Security RC4 stream- cipher implementation (with our own RSA pair + MS-RDPBCGR signing) or a complete MCS+GCC ASN.1/BER stack for the SSL path — both far exceed the 150 LoC budget the DEBT cited. The mstshash cookie is the only piece of credential information that flows in plaintext on the wire when the attacker speaks RDP, so capturing it is the highest- value-per-byte signal available without going down either rabbit hole. Phase 3 (CredSSP/NLA, next commit) is where actual NTLMv2 hashes land. - Drops Twisted dependency from rdp/Dockerfile; adds ntlmssp.py copy ahead of the NLA path that consumes it. - 7 unit tests cover cookie capture, requestedProtocols recording, CC framing, no-cookie path, and oversized/non-TPKT drops.
This commit is contained in:
@@ -2,13 +2,11 @@ ARG BASE_IMAGE=debian:bookworm-slim
|
||||
FROM ${BASE_IMAGE}
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
python3 python3-pip \
|
||||
python3 \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
ENV PIP_BREAK_SYSTEM_PACKAGES=1
|
||||
RUN pip3 install --no-cache-dir twisted jinja2
|
||||
|
||||
COPY syslog_bridge.py /opt/syslog_bridge.py
|
||||
COPY ntlmssp.py /opt/ntlmssp.py
|
||||
COPY server.py /opt/server.py
|
||||
COPY entrypoint.sh /entrypoint.sh
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
Reference in New Issue
Block a user