```mermaid
graph LR
    RDP_MITM_Core["RDP MITM Core"]
    Data_Interception_Artifacts["Data Interception & Artifacts"]
    Data_Persistence_Recording["Data Persistence & Recording"]
    Session_Analysis_Playback["Session Analysis & Playback"]
    Security_Certificate_Management["Security & Certificate Management"]
    User_Interface["User Interface"]
    PCAP_Conversion_Utilities["PCAP Conversion Utilities"]
    RDP_MITM_Core -- "Initiates/Controls" --> User_Interface
    RDP_MITM_Core -- "Uses/Provides Crypto" --> Security_Certificate_Management
    RDP_MITM_Core -- "Feeds Raw Data" --> Data_Interception_Artifacts
    RDP_MITM_Core -- "Records Session Data" --> Data_Persistence_Recording
    Data_Interception_Artifacts -- "Extracts Data From" --> RDP_MITM_Core
    Data_Interception_Artifacts -- "Stores Extracted Artifacts" --> Data_Persistence_Recording
    Data_Interception_Artifacts -- "Displays Live Data To" --> User_Interface
    Data_Persistence_Recording -- "Stores Data From" --> RDP_MITM_Core
    Data_Persistence_Recording -- "Stores Artifacts From" --> Data_Interception_Artifacts
    Data_Persistence_Recording -- "Provides Recorded Data To" --> Session_Analysis_Playback
    Data_Persistence_Recording -- "Receives Converted Data From" --> PCAP_Conversion_Utilities
    Session_Analysis_Playback -- "Retrieves Data From" --> Data_Persistence_Recording
    Session_Analysis_Playback -- "Displays Replay To" --> User_Interface
    Session_Analysis_Playback -- "Receives Converted Data From" --> PCAP_Conversion_Utilities
    Security_Certificate_Management -- "Provides Crypto Services To" --> RDP_MITM_Core
    Security_Certificate_Management -- "Provides Crypto Services To" --> PCAP_Conversion_Utilities
    User_Interface -- "Controls" --> RDP_MITM_Core
    User_Interface -- "Controls" --> Session_Analysis_Playback
    User_Interface -- "Displays Live Data From" --> Data_Interception_Artifacts
    User_Interface -- "Displays Replay From" --> Session_Analysis_Playback
    PCAP_Conversion_Utilities -- "Uses Crypto From" --> Security_Certificate_Management
    PCAP_Conversion_Utilities -- "Outputs Converted Data To" --> Data_Persistence_Recording
    PCAP_Conversion_Utilities -- "Feeds Converted Data To" --> Session_Analysis_Playback
    click RDP_MITM_Core href "https://github.com/CodeBoarding/GeneratedOnBoardings/blob/main/pyrdp/RDP_MITM_Core.md" "Details"
    click Data_Interception_Artifacts href "https://github.com/CodeBoarding/GeneratedOnBoardings/blob/main/pyrdp/Data_Interception_Artifacts.md" "Details"
    click Data_Persistence_Recording href "https://github.com/CodeBoarding/GeneratedOnBoardings/blob/main/pyrdp/Data_Persistence_Recording.md" "Details"
    click Session_Analysis_Playback href "https://github.com/CodeBoarding/GeneratedOnBoardings/blob/main/pyrdp/Session_Analysis_Playback.md" "Details"
    click Security_Certificate_Management href "https://github.com/CodeBoarding/GeneratedOnBoardings/blob/main/pyrdp/Security_Certificate_Management.md" "Details"
    click User_Interface href "https://github.com/CodeBoarding/GeneratedOnBoardings/blob/main/pyrdp/User_Interface.md" "Details"
    click PCAP_Conversion_Utilities href "https://github.com/CodeBoarding/GeneratedOnBoardings/blob/main/pyrdp/PCAP_Conversion_Utilities.md" "Details"
```

The pyrdp project is architected around a core Man-in-the-Middle (MITM) engine for RDP sessions, complemented by modules for data interception, persistence, session analysis, and a user interface. Security and PCAP conversion utilities support the main functionalities. The architecture is designed for both live RDP session manipulation and post-capture analysis, providing a comprehensive tool for RDP security research and forensics.

RDP MITM Core

The central engine of pyrdp. It establishes and manages the TCP connections of an RDP session while sitting between client and server as a Man-in-the-Middle, handles the parsing, serialization, and processing of all RDP protocol data units (PDUs) across the protocol layers (X.224, MCS, Security, Fast Path, Slow Path, Virtual Channels), and defines the fundamental structure of those PDUs.
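As an added illustration of the lowest layer named above (example code written for this page, not pyrdp's own parser), the following decodes the TPKT/X.224 Connection Request that opens every RDP session and reports which security protocols the client asked for, so a monitoring script can flag sessions negotiated without TLS or NLA. The two sample packets are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# requestedProtocols bit flags of RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1); 0 means standard RDP security.
PROTOCOLS = {0x1: "TLS", 0x2: "CredSSP(NLA)", 0x8: "RDSTLS", 0x10: "CredSSP-EX"}
TYPE_RDP_NEG_REQ = 0x01
X224_CR = 0xE0

@dataclass
class ConnectionRequest:
    cookie: Optional[str]              # routing token / "Cookie: mstshash=<user>" if sent
    requested: int                     # raw requestedProtocols bitmask
    protocols: list = field(default_factory=list)

    def weak(self) -> bool:
        # No TLS/NLA requested: the session would use legacy RDP security, which gives
        # the client no server authentication with which to notice a relay.
        return self.requested == 0

def parse_connection_request(data: bytes) -> ConnectionRequest:
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]        # LI counts bytes after itself; 6 fixed ones
    if code != X224_CR:
        raise ValueError("not an X.224 Connection Request")
    body = data[11:5 + li]             # variable part: optional cookie, then RDP_NEG_REQ
    cookie = None
    if body.startswith(b"Cookie:"):    # both routingToken and cookie end with CR LF
        end = body.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        cookie = body[:end].decode("ascii", errors="replace")
        body = body[end + 2:]
    requested = 0
    if len(body) >= 8 and body[0] == TYPE_RDP_NEG_REQ:
        _type, _flags, length, requested = struct.unpack("<BBHI", body[:8])
        if length != 8:
            raise ValueError("bad RDP_NEG_REQ length")
    names = [n for bit, n in PROTOCOLS.items() if requested & bit]
    return ConnectionRequest(cookie, requested, names)

# Constructed samples (not captured traffic): a client asking for TLS|NLA, and one
# that sends a negotiation request with requestedProtocols = 0.
SAMPLE_NLA = (b"\x03\x00\x00\x2b\x26\xe0\x00\x00\x00\x00\x00"
              + b"Cookie: mstshash=alice\r\n" + b"\x01\x00\x08\x00\x03\x00\x00\x00")
SAMPLE_LEGACY = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x00\x00\x00\x00"
```

Calling `parse_connection_request(SAMPLE_LEGACY).weak()` returns `True`, the condition a defender would alert on; the NLA sample reports `["TLS", "CredSSP(NLA)"]`.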


Data Interception & Artifacts

Implements the "Monster-in-the-Middle" features, specifically designed to extract sensitive information (NTLM hashes, client capabilities) and to intercept, manipulate, and exfiltrate files and clipboard content exchanged over RDP virtual channels.


Data Persistence & Recording

Manages the persistent storage of all intercepted RDP session data, including raw traffic, extracted artifacts (like credentials and files), and session metadata, typically saving them to local files for later analysis or replay.


Session Analysis & Playback

Responsible for post-capture analysis and visual playback of recorded RDP sessions. It reads stored session data, reconstructs the sequence of events, interprets RDP graphics orders (GDI commands), and renders them onto a display surface, enabling a visual replay of the RDP session.


Security & Certificate Management

A supporting component that handles the cryptographic operations and certificate management needed for the MITM's TLS connections to client and server. It covers fetching, cloning, and generating SSL/TLS certificates, as well as the cryptographic algorithms the RDP layers require (e.g., NTLMSSP, TLS encryption/decryption, RC4) and the associated key management.


User Interface

Provides the interactive front-end for pyrdp, offering both command-line (CLI) and graphical user interface (GUI) options. Users can control MITM operations, view live RDP sessions, and initiate the replay of recorded sessions through this component.


PCAP Conversion Utilities

Provides utilities for converting raw network capture files (PCAP) into a format that can be replayed or analyzed by pyrdp. This includes specialized functionality for decrypting TLS streams within PCAP files to expose the underlying RDP traffic.
