An RDP (Remote Desktop Protocol) Man-in-the-Middle (MitM) attack exploits weaknesses in the protocol to intercept, manipulate, or capture data transferred between the client and the RDP server. Here’s a breakdown of how it works and common tools/techniques involved:

1. Understanding the RDP Protocol

Port: Default is TCP/UDP 3389.

Encryption: RDP supports encryption to secure communication. However, older or improperly configured RDP versions may use weak encryption or no encryption.

Authentication: If the authentication mechanism is weak (e.g., NTLMv1), it can be exploited.

2. RDP MitM Attack Workflow

Positioning as the MitM:

  • Use ARP poisoning, DNS spoofing, or routing manipulation to position yourself between the client and the RDP server.

Intercepting Communication:

  • Capture traffic between the client and server. Tools like Wireshark can help observe encrypted or unencrypted RDP sessions.

Exploiting Encryption:

  • If the connection uses weak encryption, decrypt the data in transit.
  • Some RDP MitM attacks exploit the lack of server certificate validation to present a fake certificate to the client.

Hijacking the Session:

  • Inject commands or malicious payloads into the intercepted session.

3. Tools for RDP MitM Attacks

  • mitm6: For IPv6-based MitM attacks (e.g., DNS poisoning).
  • Responder: To capture NTLM hashes during RDP authentication and potentially relay them.
  • Seth: A specialized tool for RDP MitM. It sets up an RDP proxy, downgrades encryption, and intercepts user credentials and session data.

4. Exploit Example

  1. Clone the Seth repository: git clone https://github.com/SySS-Research/Seth.git
  2. Install the required dependencies: Seth requires Python 3 and Scapy. Install them with:
    sudo apt update
    sudo apt install python3 python3-pip
    pip3 install scapy
  3. Verify that Seth runs by invoking the wrapper script, which prints its usage message:
    ./seth.sh

Network Configuration

  1. Ensure your attacking machine is on the same network as the victim and the RDP server.
  2. Identify the IP addresses of:
    Victim Machine (e.g., 192.168.1.10).
    RDP Server (e.g., 192.168.1.20).

Launching the Seth Attack

Run the Seth Script

Run Seth with the following command:

./seth.sh <victim_ip> <server_ip> <attacker_IP>

In the run shown below:

  • 192.168.66.130 is the victim’s IP.
  • 192.168.66.142 is the RDP server’s IP.
  • 192.168.66.139 is the attacker’s IP.

When the victim attempts to connect to the RDP server from their system, Seth intercepts the connection request, capturing the hashed credentials. It then decrypts and reveals the username and password details, as demonstrated in the image below.

5. Mitigations

To protect against Seth and similar attacks:

  1. Enable Network Level Authentication (NLA):
    • Enforces authentication before establishing an RDP session.
  2. Use Strong Encryption:
    • Configure RDP to require TLS as its security layer, so the legacy RDP security layer that Seth downgrades to can no longer be negotiated.
  3. Deploy ARP Spoofing Protections:
    • Use network security tools like ARPWatch or Port Security features on switches.
  4. Monitor Logs:
    • Regularly review RDP access logs for unusual activity.
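The first two mitigations can be audited and enforced on the RDP server itself. The script below is an added example (not part of the original write-up or the Seth project) that reads the RDP-Tcp listener's registry settings, reports whether NLA and TLS are required, and raises them if not; it assumes it is run in an elevated PowerShell session on the server.

```powershell
# Added example: audit and enforce the RDP listener settings that block the
# downgrade an RDP MitM proxy relies on. Assumes an elevated session on the server.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpHardeningState {
    # Read the listener configuration and translate the raw DWORDs into a readable object.
    $s = Get-ItemProperty -Path $RdpKey
    [pscustomobject]@{
        NlaRequired        = ($s.UserAuthentication -eq 1)  # 1 = NLA (CredSSP) required before a session starts
        SecurityLayer      = $s.SecurityLayer                 # 0 = legacy RDP security, 1 = Negotiate, 2 = TLS only
        MinEncryptionLevel = $s.MinEncryptionLevel            # 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
    }
}

function Test-RdpHardened {
    param([pscustomobject]$State)
    # Hardened means: NLA on, TLS is the only security layer, and encryption is at least High.
    return ($State.NlaRequired -and $State.SecurityLayer -eq 2 -and $State.MinEncryptionLevel -ge 3)
}

function Set-RdpHardening {
    # Require NLA, force the TLS security layer, and set the minimum encryption level to High.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name MinEncryptionLevel -Value 3 -Type DWord
}

$before = Get-RdpHardeningState
if (Test-RdpHardened $before) {
    Write-Host 'RDP listener already requires NLA and TLS.'
    $before
} else {
    Write-Warning 'RDP listener accepts non-NLA or non-TLS sessions; applying hardening.'
    Set-RdpHardening
    Get-RdpHardeningState   # re-read so the new state is visible in the output
}
```

New connections pick up the settings immediately; existing sessions are unaffected. Pair this with a server certificate issued by a CA the clients trust, so users are not trained to click through certificate warnings.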