The IP of the connection isn't logged if exited before receiving ClientInfoPDU #122

Closed
Pourliver opened this issue Jun 19, 2019 · 3 comments · Fixed by #123
Comments

@Pourliver (Contributor)

Currently, most of the incoming connections are scanners. Scanners won't send a ClientInfoPDU since it's later in the protocol.

With our current logging, we have no way of identifying WHO connected to pyrdp. This would be really useful to correlate data. Should this be added in #117, or appended to "New Client connected"?

Ex:
New client connected from 127.0.0.1

@Res260 (Collaborator)

Res260 commented Jun 19, 2019

The IP in the ClientInfo PDU is the local IP address and is different from the IP address of the connection.

The IP address of the connection should be logged in the first log statement. Isn’t it the case? Maybe it’s just a debug statement, but I know we used to log that information.

@Pourliver (Contributor, Author)

Thanks for the correction, I guess I didn't pay attention to that part.

Looks like it isn't, even in DEBUG. Here is a short connection to demonstrate.

[2019-06-17 15:01:42,233] - INFO - Anna900855 - pyrdp.mitm.connections.tcp - New client connected
[2019-06-17 15:01:42,236] - INFO - Anna900855 - pyrdp.mitm.connections.x224 - No cookie for this connection
[2019-06-17 15:01:42,236] - DEBUG - Anna900855 - pyrdp.mitm.connections.client.x224 - Received X224ConnectionRequestPDU{'payload': b'\x01\x00\x08\x00\x00\x00\x00\x00', 'header': <X224PDUType.X224_TPDU_CONNECTION_REQUEST: 14>, 'credit': 0, 'destination': 0, 'source': 0, 'options': 0}
[2019-06-17 15:01:42,280] - INFO - Anna900855 - pyrdp.mitm.connections.tcp - Server connected
[2019-06-17 15:01:42,281] - INFO - Anna900855 - pyrdp.mitm.connections.tcp - Attacker connected
[2019-06-17 15:01:42,324] - DEBUG - Anna900855 - pyrdp.mitm.connections.server.x224 - Received X224ConnectionConfirmPDU{'payload': b'\x02\t\x08\x00\x00\x00\x00\x00', 'header': <X224PDUType.X224_TPDU_CONNECTION_CONFIRM: 13>, 'credit': 0, 'destination': 4660, 'source': 0, 'options': 0}
[2019-06-17 15:01:42,451] - INFO - Anna900855 - pyrdp.mitm.connections.tcp - Client connection closed. Connection was closed cleanly.
[2019-06-17 15:01:42,452] - INFO - Anna900855 - pyrdp.mitm.connections.tcp - Client connection time: 0.21841096878051758 secs
[2019-06-17 15:01:42,452] - INFO - Anna900855 - pyrdp.mitm.connections.tcp - Attacker connection closed. Connection was closed cleanly.
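The behaviour the thread asks for, as an added example that is not PyRDP's own code: a stand-in TCP listener that puts the socket peer address into the "New client connected" line at accept time, so a scanner that disconnects before sending a single PDU is still attributed to a source IP, and that logs an address carried in a (stand-in) ClientInfoPDU separately, as the client-reported local address Res260 distinguishes above rather than as the connection peer. The session name, logger name, line format and the "bytes sent by the client are the PDU's address string" stand-in are assumptions for illustration.

```python
"""Log the TCP peer address at accept time, before any RDP PDU arrives.

Added example, not PyRDP's code. A minimal listener that (1) logs the
socket peer in "New client connected" before reading any byte, so a scanner
that closes immediately is still attributed, and (2) logs an address carried
in a stand-in ClientInfoPDU as client-reported, next to the real peer.
The session name, logger name, format and PDU stand-in are assumptions.
"""
import logging
import socket
import socketserver
import threading
from typing import List, Optional

# Assumed format, modelled on the lines quoted in the issue.
LOG_FORMAT = "[%(asctime)s] - %(levelname)s - %(session)s - %(name)s - %(message)s"
SESSION = "example-session"  # assumption: a per-connection session name


class ListHandler(logging.Handler):
    """Keep formatted lines in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


class PeerLoggingHandler(socketserver.BaseRequestHandler):
    """One client connection. The peer is logged before any byte is read."""

    def setup(self) -> None:
        ip, port = self.client_address[:2]
        self.peer = f"{ip}:{port}"
        # Logged at accept time: this is what the issue asks for.
        self.server.log.info("New client connected from %s", self.peer)

    def handle(self) -> None:
        data = self.request.recv(4096)
        if not data:
            return  # scanner behaviour: connect, then close without sending anything
        # Stand-in ClientInfoPDU (assumption): the client sends an address string.
        # It is what the client reports about itself, not where the packets came from.
        reported = data.decode("ascii", errors="replace").strip()
        self.server.log.info(
            "Received ClientInfoPDU clientAddress=%s (client-reported local address; "
            "connection peer %s)", reported, self.peer)

    def finish(self) -> None:
        self.server.log.info("Client connection closed from %s", self.peer)
        self.server.finished.set()


class LoggingTCPServer(socketserver.ThreadingTCPServer):
    daemon_threads = True

    def __init__(self, address, log: logging.LoggerAdapter) -> None:
        super().__init__(address, PeerLoggingHandler)
        self.log = log
        self.finished = threading.Event()


def run_one_connection(payload: Optional[bytes]) -> List[str]:
    """Start a listener on a loopback port, connect once, return the log lines.

    payload=None mimics a scanner that closes right away; bytes mimic a client
    that goes on to send a (stand-in) ClientInfoPDU.
    """
    handler = ListHandler()
    handler.setFormatter(logging.Formatter(LOG_FORMAT))
    base = logging.Logger("example.mitm.connections.tcp", level=logging.DEBUG)
    base.addHandler(handler)
    log = logging.LoggerAdapter(base, {"session": SESSION})

    server = LoggingTCPServer(("127.0.0.1", 0), log)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address) as client:
            if payload:
                client.sendall(payload)
        # Wait for the handler thread so every line is collected.
        server.finished.wait(timeout=5)
    finally:
        server.shutdown()
        server.server_close()
    return handler.lines


if __name__ == "__main__":
    for line in run_one_connection(None) + run_one_connection(b"10.0.0.5"):
        print(line)
```

The first run reproduces the scanner case from the log above: the connection opens and closes with nothing sent, yet the first line already names the peer. The second run shows why the ClientInfoPDU address is not a substitute: the constructed client reports 10.0.0.5 while the socket peer is still 127.0.0.1.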

@Res260 (Collaborator)

Res260 commented Jun 19, 2019 via email
