nccgroup/nlahoney

NLA Honeypot Associated Research

  • FreeRDP-ResearchServer/: a modified FreeRDP 2.2.0 that completes an RDP handshake, kicks the user out (since there are no accounts set up), and dumps the six messages into /tmp
  • FreeRDP-Pot-Patches/: patches for a FreeRDP server intended for production that does the same: completes an RDP handshake, kicks the user out (since there are no accounts set up), and dumps the six messages into /tmp
  • dump/: captured Negotiate/Challenge/Authenticate Out/In message dumps
  • NCC-FreeRDP-pyparser/nccfreerdppyparser.py: extracts message dumps from dump/ and prints hashes out in the format username:workstation:domain:$NLA$UserDomain$ntlm_v2_temp_chal$msg$EncryptedRandomSessionKey$MessageIntegrityCheck
  • hashes.txt: hashes generated by nccfreerdppyparser.py
  • NCC-FreeRDP-pyparser/crack.py: cracks hashes from nccfreerdppyparser.py
  • docker/build.sh: builds FreeRDP-ResearchServer/
  • docker/dump.sh: connects a FreeRDP client to a FreeRDP server to dump the RDP connection messages

The goal is to deploy honeypots that can capture RDP handshakes, then crack them offline in an effort to understand which passwords are being sprayed at the RDP honeypots we deploy, whether they are organization-specific, and so on. Currently we can successfully capture the handshakes (see FreeRDP-ResearchServer/), extract the relevant data (see nccfreerdppyparser.py), and crack them (see crack.py).
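As an added illustration (not crack.py or any other code from this repository) of why a captured NLA handshake is enough for offline password checking: the honeypot chose the 8-byte ServerChallenge it sent in the Challenge message, and the client's Authenticate message carried NTProofStr together with the `temp` blob, so a candidate password can be verified with the NTLMv2 computation from MS-NLMP 3.3.2 without anything else from the client. The user, domain, challenges and timestamp below are constructed sample values, and the pure-Python MD4 is included only so the example runs without OpenSSL's legacy provider.

```python
import hmac, struct

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so the example does not depend on OpenSSL's legacy provider for hashlib 'md4'."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F, message words in order
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G, words 0,4,8,12,1,5,9,...
                f, k, s, t = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: H, words 0,8,4,12,2,10,6,...
                f, k, s, t = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _lrot((a + f + x[k] + t) & 0xFFFFFFFF, s), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """MS-NLMP 3.3.2 NTOWFv2: HMAC_MD5(NT hash, UNICODE(upper(user) + domain))."""
    return hmac.new(md4(password.encode("utf-16le")), (user.upper() + domain).encode("utf-16le"), "md5").digest()

def nt_proof_str(response_key: bytes, server_challenge: bytes, temp: bytes) -> bytes:
    """NTProofStr = HMAC_MD5(ResponseKeyNT, ServerChallenge || temp); NtChallengeResponse = NTProofStr || temp."""
    return hmac.new(response_key, server_challenge + temp, "md5").digest()

def find_password(candidates, user, domain, server_challenge, temp, captured_proof):
    """Offline check: the honeypot chose ServerChallenge, and the client's Authenticate message carried temp and NTProofStr."""
    for pw in candidates:
        if hmac.compare_digest(nt_proof_str(ntowf_v2(pw, user, domain), server_challenge, temp), captured_proof):
            return pw
    return None

# Constructed sample (not taken from dump/): CORP\alice authenticating with "Winter2020!".
USER, DOMAIN, TRUE_PASSWORD = "alice", "CORP", "Winter2020!"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")   # 8 bytes the server put in the Challenge message
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")   # 8 bytes chosen by the client
AV_PAIRS = struct.pack("<HH", 2, 8) + "CORP".encode("utf-16le") + struct.pack("<HH", 0, 0)  # MsvAvNbDomainName, MsvAvEOL
TEMP = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 132400000000000000)  # RespType, HiRespType, reserved, FILETIME
        + CLIENT_CHALLENGE + b"\x00" * 4 + AV_PAIRS + b"\x00" * 4)
CAPTURED_PROOF = nt_proof_str(ntowf_v2(TRUE_PASSWORD, USER, DOMAIN), SERVER_CHALLENGE, TEMP)
if __name__ == "__main__":
    print(find_password(["password", "Summer2019!", "Winter2020!"], USER, DOMAIN, SERVER_CHALLENGE, TEMP, CAPTURED_PROOF))
```

Because only NTProofStr and `temp` are needed, the strength of the sprayed password is the sole thing standing between a captured handshake and a recovered credential, which is what makes the honeypot dumps useful for the analysis described above.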

Next steps:

  • rewrite crack.py as a hashcat plugin
  • clean up FreeRDP-ResearchServer/ to be production ready
  • are there authentication methods that require SAM databases?