Urgences 24 sur 7 – (888) 287-5858   Connexion au Portail TitanSupport    Contactez-nous      Blogue

A red-nosed reindeer hacking on a computerIsn’t there a better moment than the Holiday season to release a major update of our RDP Attack and Eavesdropping tool PyRDP? That’s right, pour yourself a little glass of eggnog, sit in a comfortable chair, put on some Christmas music and read about the PyRDP updates by the fire.

 

On Comet, on Cupid, on Donner and Blitzen!

Like flying reindeers, pyrdp-convert, the tool to convert RDP captures into video, is fast and it got 6x faster with the last release! Additionally, we made it more robust by reducing the number of crashes, more flexible by allowing greater conversion flexibility and by improving session identification in Pcap files.

 

Had a very shiny nose…

The headline feature for this release is the ability to capture NetNTLM hashes on any connection we can intercept. A feature we documented in a blog post earlier this year:

 
A diagram that explains how we can capture the NetNTLM hash of a user with PyRDP

 
This feature offers password cracking and pass-the-hash opportunities to the attacker and the ability to detect and prevent this type of attack is quite limited.

 

 
As you can see from the above video demo, the potential certificate error is never displayed to the user. Certificate validation happens after the NetNTLM exchange under RDP’s Network Level Authentication (NLA) which is why it is never displayed. We reported this issue to Microsoft and they told us it works “as designed”. Since then, our advice has always been the same: RDP shouldn’t be used on untrusted networks like public Wi-Fi. It needs to be wrapped in a VPN.

Also recently added to this release is the ability to set the Net-NTLM challenge to a predefined value which can significantly accelerate hash cracking.

 

You would even say it glows…

Other polish and improvements include:

  • New protocol versions supported: RDP 10.9 and 10.10
  • A bind-address option for the Monster-In-The-Middle (MITM component)
  • Documentation updates including improved certificate extraction instructions to mount RDP NLA Attacks

 

Then one foggy Christmas Eve…

This release includes fixes to an important memory leak when converting very large captures to video.

There is also a security update backported from rDesktop for vulnerabilities that Checkpoint found and disclosed in 2018.

Important fixes around device redirection (for file capture) and clipboard stealing were also made recently. If you had PyRDP stall on you during file transfers, you should give this version a try since this hard-to-debug long-standing issue has been resolved once and for all.

 

Won’t you guide my sleigh tonight?

Starting with this version, we are now packaging PyRDP in ARM64 docker images. Docker ARM64 images pave the way to future embedded RDP attacks. One day, Santa could install a transparent RDP interceptor on a Raspberry Pi in your network as he brings gifts to households!

We also significantly improved our testing infrastructure to catch errors sooner and validate the PRs we receive.

 

You’ll go down in history…

Most of the changes discussed in this blog post were featured in last year’s BlackHat Arsenal. Descriptions of attack scenarios and mitigation advice can be found in presentations that we have given recently around RDP Attacks.

Last but not least, we did some backward incompatible changes of concern to those who consume the JSON event stream that you can read about here.

You can grab version 1.2.0 from our GitHub repository.

A special thanks to the contributors of this release: Alexandre Beaulieu, Lisandro Ubiedo, Francis Labelle, Lukas Kupczyk, simonhuang, Jonas and Flare Systems!

 
Happy Holidays and see you next year!

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR)

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR) Fondation

Gestion des vulnérabilités en tant que service GoSecure TitanMC (VMaaS)

Surveillance des événements liés aux informations de sécurité gérée GoSecure TitanMC (SIEM gérée)

Défense du périmètre gérée GoSecure TitanMC (pare-feu)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Passerelle de messagerie sécurisée GoSecure TitanMC (SEG)

Modélisateur de menaces GoSecure TitanMC

Identity GoSecure TitanMC

Plateforme GoSecure TitanMC

Services de sécurité professionnels de GoSecure

Services de réponse aux incidents

Évaluation de la maturité de la sécurité

Services de confidentialité

Services PCI DSS

Services de piratage éthique

Opérations de sécurité

MicrosoftLogo

GoSecure MXDR pour Microsoft

Visibilité et réponse complètes au sein de votre environnement de sécurité Microsoft

CAS D'UTILISATION

Cyberrisques

Mesures de sécurité basées sur les risques

Sociétés de financement par capitaux propres

Prendre des décisions éclairées

Sécurité des données sensibles

Protéger les informations sensibles

Conformité en matière de cybersécurité

Respecter les obligations réglementaires

Cyberassurance

Une stratégie précieuse de gestion des risques

Rançongiciels

Combattre les rançongiciels grâce à une sécurité innovante

Attaques de type « zero-day »

Arrêter les exploits de type « zero-day » grâce à une protection avancée

Consolider, évoluer et prospérer

Prenez de l'avance et gagnez la course avec la Plateforme GoSecure TitanMC.

24/7 MXDR

Détection et réponse sur les terminaux GoSecure TitanMC (EDR)

Antivirus de nouvelle génération GoSecure TitanMC (NGAV)

Surveillance des événements liés aux informations de sécurité GoSecure TitanMC (SIEM)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Intelligence GoSecure TitanMC

Notre SOC

Défense proactive, 24h/24, 7j/7

À PROPOS DE GOSECURE

GoSecure est un leader et un innovateur reconnu en matière de cybersécurité, pionnier de l'intégration de la détection des menaces au niveau des terminaux, du réseau et des courriels en un seul service de détection et réponse gérées et étendues (MXDR). Depuis plus de 20 ans, GoSecure aide ses clients à mieux comprendre leurs failles en matière de sécurité et à améliorer leurs risques organisationnels ainsi que leur maturité en matière de sécurité grâce aux solutions MXDR et aux services professionnels fournis par l'une des équipes les plus fiables et les plus compétentes de l'industrie.

CALENDRIER D’ÉVÉNEMENTS

No upcoming events.

DERNIER COMMUNIQUÉ DE PRESSE

AVIS DE SÉCURITÉ

Urgences 24 sur 7 – (888) 287-5858