graph LR
RDPMITMOrchestrator["RDPMITMOrchestrator"]
SecurityMITM["SecurityMITM"]
ClipboardMITM["ClipboardMITM"]
DeviceRedirectionMITM["DeviceRedirectionMITM"]
FileCrawlerMITM["FileCrawlerMITM"]
LoggingObserver["LoggingObserver"]
NTLMSSPParser["NTLMSSPParser"]
ClipboardParser["ClipboardParser"]
RDPMITMOrchestrator -- "integrates" --> SecurityMITM
RDPMITMOrchestrator -- "integrates" --> ClipboardMITM
RDPMITMOrchestrator -- "integrates" --> DeviceRedirectionMITM
SecurityMITM -- "utilizes" --> NTLMSSPParser
ClipboardMITM -- "relies on" --> ClipboardParser
DeviceRedirectionMITM -- "provides capabilities to" --> FileCrawlerMITM
FileCrawlerMITM -- "interacts with" --> DeviceRedirectionMITM
SecurityMITM -- "sends data to" --> LoggingObserver
ClipboardMITM -- "sends data to" --> LoggingObserver
DeviceRedirectionMITM -- "sends data to" --> LoggingObserver
FileCrawlerMITM -- "sends data to" --> LoggingObserver
The pyrdp.mitm subsystem acts as the core Man-in-the-Middle (MITM) framework for RDP traffic. The central RDPMITMOrchestrator (pyrdp.mitm.RDPMITM) is responsible for setting up and coordinating various specialized MITM components. These components, such as SecurityMITM, ClipboardMITM, DeviceRedirectionMITM, and FileCrawlerMITM, intercept and manipulate specific RDP virtual channels or protocol layers. SecurityMITM focuses on credential capture, leveraging NTLMSSPParser for NTLM message analysis. ClipboardMITM handles clipboard data, relying on ClipboardParser for data serialization and deserialization. DeviceRedirectionMITM manages file system interactions, providing the foundation for FileCrawlerMITM to automate file exfiltration. All these MITM components feed extracted data and events to the LoggingObserver for persistent storage and analysis.
RDPMITMOrchestrator (pyrdp.mitm.RDPMITM) is the primary orchestrator of the MITM functionality. It instantiates, configures, and wires the other MITM components into the RDP traffic flow so that each can intercept and process the data relevant to it.
Related Classes/Methods: pyrdp.mitm.RDPMITM
SecurityMITM intercepts and processes the RDP security exchanges, specifically to extract NTLM hashes and client capabilities. It acts as a credential logger, capturing authentication-related artifacts.
Related Classes/Methods:
ClipboardMITM intercepts, manipulates, and exfiltrates clipboard content exchanged over the RDP clipboard virtual channel. It enables the capture, and potential modification, of data users copy and paste across the session.
Related Classes/Methods:
DeviceRedirectionMITM handles the RDP device redirection virtual channel, enabling file system interactions (listing, reading, writing) and forging responses to facilitate file exfiltration. It provides the foundational capabilities on which remote drive crawling is built.
Related Classes/Methods:
FileCrawlerMITM orchestrates the crawling of remote file systems and initiates file downloads based on predefined patterns. It uses the capabilities provided by DeviceRedirectionMITM to automate file exfiltration.
Related Classes/Methods:
LoggingObserver is the component that records artifacts. It acts as the central consumer of data and events generated by the other MITM components, ensuring that extracted information (NTLM hashes, clipboard content, exfiltrated files) is logged or stored persistently.
Related Classes/Methods:
NTLMSSPParser is a specialized parser that interprets and extracts information from NTLMSSP (NT LAN Manager Security Support Provider) messages. It is used by SecurityMITM for NTLM hash extraction.
Related Classes/Methods:
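The message layout NTLMSSPParser has to understand is the public MS-NLMP format. The parser below is an added example, not PyRDP's own code: it decodes the header, negotiate flags and name buffers of NEGOTIATE, CHALLENGE and AUTHENTICATE messages, as a network monitor would to log which account authenticated with NTLM over RDP, and reports the challenge-response buffers by length only. `build_authenticate` is a hypothetical helper that constructs a sample message so the block runs offline.

```python
# Added example (not from PyRDP): minimal MS-NLMP message parser for logging.
import struct

SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Subset of NegotiateFlags (MS-NLMP 2.2.2.5) worth logging for a session.
FLAGS = {0x1: "UNICODE", 0x10: "SIGN", 0x20: "SEAL", 0x200: "NTLM",
         0x8000: "ALWAYS_SIGN", 0x80000: "EXTENDED_SESSIONSECURITY",
         0x20000000: "128", 0x40000000: "KEY_EXCH"}

def _field(data, offset):
    """Resolve a security buffer descriptor (Len, MaxLen, BufferOffset)."""
    length, _max_len, buf_off = struct.unpack_from("<HHI", data, offset)
    if buf_off + length > len(data):
        raise ValueError("security buffer points outside the message")
    return data[buf_off:buf_off + length]

def _text(raw, flags):
    return raw.decode("utf-16-le" if flags & 0x1 else "ascii")

def parse_ntlmssp(data: bytes) -> dict:
    """Parse a NEGOTIATE, CHALLENGE or AUTHENTICATE message into a dict."""
    if data[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    result = {"type": MESSAGE_TYPES.get(msg_type, f"UNKNOWN({msg_type})")}
    if msg_type == 1:  # flags at 12, DomainName at 16, Workstation at 24
        flags = struct.unpack_from("<I", data, 12)[0]
        result["domain"] = _field(data, 16).decode("ascii")  # OEM-encoded
        result["workstation"] = _field(data, 24).decode("ascii")
    elif msg_type == 2:  # TargetName at 12, flags at 20
        flags = struct.unpack_from("<I", data, 20)[0]
        result["target_name"] = _text(_field(data, 12), flags)
    elif msg_type == 3:  # Lm 12, Nt 20, Domain 28, User 36, Ws 44, flags 60
        flags = struct.unpack_from("<I", data, 60)[0]
        result["domain"] = _text(_field(data, 28), flags)
        result["user"] = _text(_field(data, 36), flags)
        result["workstation"] = _text(_field(data, 44), flags)
        result["nt_response_len"] = len(_field(data, 20))  # length only
    else:
        return result
    result["flags"] = sorted(n for b, n in FLAGS.items() if flags & b)
    return result

def build_authenticate(domain, user, workstation, flags=0x1 | 0x10 | 0x20 | 0x200 | 0x80000):
    """Hypothetical helper: constructed AUTHENTICATE with empty responses."""
    header, payload = SIGNATURE + struct.pack("<I", 3), b""
    for s in ("", "", domain, user, workstation, ""):  # Lm, Nt, Domain, User, Ws, SessionKey
        raw = s.encode("utf-16-le")
        header += struct.pack("<HHI", len(raw), len(raw), 88 + len(payload))
        payload += raw
    header += struct.pack("<I", flags) + bytes(8) + bytes(16)  # Version, MIC
    return header + payload  # fixed header is exactly 88 bytes
```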
ClipboardParser parses incoming clipboard data and serializes outgoing clipboard data according to the RDP clipboard protocol. It is a key dependency of ClipboardMITM.
Related Classes/Methods: