Merge pull request #199 from GoSecure/mp4-conversion

Add support for exporting replays as MP4

.github/workflows/ci.yml

@@ -42,6 +42,9 @@ jobs:
       run: sudo apt install python3-setuptools
     - name: Install PyRDP dependencies
       run: sudo apt install libdbus-1-dev libdbus-glib-1-dev libgl1-mesa-glx git python3-dev
+    - name: Install wheel
+      working-directory: .
+      run: pip install wheel
     - name: Install PyRDP
       working-directory: .
       run: pip install -U -e .[full]
@@ -87,6 +90,9 @@ jobs:
         run: python --version
       - name: Pip version
         run: pip --version
+      - name: Install wheel
+        working-directory: .
+        run: pip install wheel
       - name: Install PyRDP
         working-directory: .
         run: pip install -U -e .[full]

Dockerfile

@@ -9,16 +9,17 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
         python3-venv \
         # Required to build RLE module and dbus-python (GUI)
         build-essential python3-dev \
-        libdbus-1-dev \
-        libdbus-glib-1-dev
+        libdbus-1-dev libdbus-glib-1-dev
 
 RUN python3 -m venv /opt/venv
 # Make sure we use the virtualenv:
 ENV PATH="/opt/venv/bin:$PATH"
 
 # Install dependencies only (speeds repetitive builds)
 COPY requirements.txt /pyrdp/requirements.txt
-RUN cd /pyrdp && pip3 --no-cache-dir install -r requirements.txt
+RUN cd /pyrdp && \
+    pip3 install wheel && \
+    pip3 --no-cache-dir install -r requirements.txt
 
 # Compile only our C extension and install
 # This way changes to source tree will not trigger full images rebuilds
@@ -41,6 +42,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends python3 \
         # GUI and notifications stuff
         libgl1-mesa-glx \
         notify-osd dbus-x11 libxkbcommon-x11-0 \
+        # Runtime requirement by progressbar (required by pyrdp-convert)
+        python3-distutils \
         && rm -rf /var/lib/apt/lists/*
 
 # Copy preinstalled dependencies from compile image

README.md

@@ -61,6 +61,7 @@ research use cases in mind.
     + [Cloning a certificate](#cloning-a-certificate)
     + [Using a custom private key](#using-a-custom-private-key)
     + [Other cloner arguments](#other-cloner-arguments)
+  * [Using PyRDP Convert](#using-pyrdp-convert)
   * [Configuring PyRDP](#configuring-pyrdp)
   * [Using PyRDP as a Library](#using-pyrdp-as-a-library)
   * [Using PyRDP with twistd](#using-pyrdp-with-twistd)
@@ -435,6 +436,54 @@ pyrdp-clonecert.py 192.168.1.10 cert.pem -i input_key.pem
 #### Other cloner arguments
 Run `pyrdp-clonecert.py --help` for a full list of arguments.
 
+### Using PyRDP Convert
+
+`pyrdp-convert` is a helper script that performs several useful conversions. The script has the best chance of working
+on traffic captured by PyRDP due to unsupported RDP protocol features that might be used in a non-intercepted
+connection.
+
+The following conversions are supported:
+
+- Network Capture (PCAP) to PyRDP replay file
+- Network Capture to MP4 video file
+- Replay file to MP4 video file
+
+The script supports both encrypted (TLS) network captures (by providing `--secrets ssl.log`) and decrypted PDU exports.
+
+```
+# Export the session coming client 10.2.0.198 to a .pyrdp file.
+pyrdp-convert.py --src 10.2.0.198 --secrets ssl.log -o path/to/output capture.pcapng
+
+# Or as an MP4 video
+pyrdp-convert.py --src 10.2.0.198 --secrets ssl.log -o path/to/output -f mp4 capture.pcapng
+
+# List the sessions in a network trace, along with the decryptable ones.
+pyrdp-convert.py --list capture.pcapng
+```
+
+Note that MP4 conversion requires libavcodec and ffmpeg, so this may require extra steps on Windows.
+
+Manually decrypted network traces can be exported from Wireshark by selecting `File > Export PDUs` and selecting `OSI
+Layer 7`. When using this method, it is also recommended to filter the exported stream to only contain the TCP stream of
+the RDP session which must be converted.
+
+First, make sure you configured wireshark to load TLS secrets:
+
+![Configure TLS secrets log](docs/screens/wireshark-tls.png)
+
+Next, export OSI Layer 7 PDUs:
+
+![Export OSI Layer 7](docs/screens/wireshark-export.png)
+
+And lastly, filter down the trace to contain only the conversation of interest (Optional but recommended) by applying a
+display filter and clicking `File > Export Specified Packets...`
+
+![Filtering the exported trace](docs/screens/wireshark-export-specified.png)
+
+
+Now this trace can be used directly in `pyrdp-convert`.
+
+
 ### Configuring PyRDP
 
 Most of the PyRDP configurations are done through command line switches, but it is also possible to use a