Build an easy RDP Honeypot with a Raspberry Pi 3 and observe infamous attacks such as BlueKeep (CVE-2019-0708)

Jun 5
RDP Honeypot Raspberry PI 3

Technical Requirements:

1. Raspberry Pi 3

Essential Packages:
1. Wireshark
2. tcpdump
3. bro (the network analysis framework now called Zeek; the Kali packages used below still carry the old name)
4. rdpy
5. tcpick


Flashing SD card with Etcher
# apt-get update && apt-get upgrade && apt-get dist-upgrade
Kali on Raspberry Pi 3
# pip install twisted pyopenssl qt4reactor service_identity rsa pyasn1
# pip install rdpy
# apt-get install python-qt4
rdpy is a Python 2 / Twisted project, so pip here is Python 2's pip (python-qt4 is the matching Qt binding).
Note: On Kali Linux I received some errors with the Twisted packages, which I fixed with the following commands:
# wget -c
# bzip2 -d Twisted-19.2.0.tar.bz2
# tar -xvf Twisted-19.2.0.tar
# cd Twisted-19.2.0 && python setup.py install
Executing rdpy-rdpmitm.py (the rdpy man-in-the-middle, which proxies every connection to the real server and records the session to an RSS file)
# rdpy-rdpmitm.py -o /root/honeypots_arsenal/ <target>
<target> is the real Windows Server 2008 IP address with the RDP service enabled; /root/honeypots_arsenal/ is where the RSS recordings are written.
Start an RDP connection to localhost, for example with xfreerdp (NLA disabled):
# xfreerdp --no-nla localhost
In the rdpy output you should see:
[*] INFO: *******************************************
[*] INFO: * SSL Security selected *
[*] INFO: *******************************************
RDP session recorded (RSS file)
# 20190601025837_127.0.0.1_1.rss
Executing rdpy-rdphoneypot.py with the recorded session (RSS file); from now on the Pi answers RDP connections itself, replaying the recording instead of forwarding to the Windows server
# rdpy-rdphoneypot.py /root/honeypots_arsenal/20190601025837_127.0.0.1_1.rss
# nmap -F localhost
Running nmap to check that the RDP service is listening locally (3389/tcp should show as open)
NAT/PAT Setup Orange Router (forward external TCP port 3389 to the Pi)
# nmap -F <your external IP address>
Running nmap to check that the RDP service is reachable remotely (run this from a host outside your network; many consumer routers do not loop back to their own external address)
# tcpdump -i eth0 -vv -w rdp.pcap tcp port 3389
Capturing traffic on port 3389 with tcpdump. Options go before the filter expression, and -X is pointless together with -w because nothing is printed while writing to a file; inspect the pcap afterwards with tcpdump -r rdp.pcap or Wireshark.

Packet Analysis

# apt-get install tcpick wireshark
# apt-get install cmake make gcc g++ flex git bison python-dev swig libpcap-dev libssl-dev zlib1g-dev libgeoip-dev libmaxminddb-dev -y
# apt-get install bro broctl bro-aux -y
(the build dependencies on the second line are only needed if you compile Bro from source; the packaged bro on the third line does not require them)
Packet analysis with tcpick
# tcpick -C -yP -r rdp.pcap | more
Executing tcpick (follows each TCP stream in the capture and prints its printable payload)
# bro -r rdp.pcap -C
Generating human-readable logs with bro (-C ignores TCP checksum errors, which are common when the capturing NIC does checksum offloading); the RDP analyzer writes rdp.log next to conn.log
# bro-cut id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name < rdp.log | more
Reading rdp.log with bro-cut. The cookie field is the mstshash username hint from the client's X.224 connection request, so it shows which accounts attackers are guessing. Note that none of these fields records the virtual channel names requested in the MCS Connect Initial, and the BlueKeep (CVE-2019-0708) exploit is characterised by a request for the MS_T120 channel, so to confirm a BlueKeep attempt you still have to look at the connection request in the pcap itself.
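As an added example, not code from the original post, the following Python script does offline what the bro-cut pipeline does interactively: it parses a Bro/Zeek rdp.log (honouring the #separator and #unset_field headers rather than assuming tabs and dashes), groups what the honeypot recorded by source host, and flags hosts that presented many distinct cookies as credential guessing. The log lines embedded in the script are constructed for the example and are not the author's capture; the guess threshold and the labels are assumptions of mine.

```python
"""Summarize a Bro/Zeek rdp.log from the honeypot by source host (added example)."""
import sys
from collections import defaultdict

# Constructed sample rdp.log in Bro's TSV format; not data from a real capture.
# Columns match the fields the bro-cut command above selects, plus ts and uid.
SAMPLE_RDP_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\trdp
#open\t2019-06-01-02-58-37
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcookie\tresult\tsecurity_protocol\tkeyboard_layout\tclient_build\tclient_name
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tstring\tstring
1559357917.104883\tCa1\t127.0.0.1\t41230\t127.0.0.1\t3389\tadmin\tSuccess\tSSL\tEnglish - United States\tRDP 8.1\tKALI-PI
1559358001.211002\tCa2\t198.51.100.7\t50011\t192.0.2.10\t3389\tadministrator\tSuccess\tRDP\tRussian\tRDP 5.2\tWIN-7
1559358002.311002\tCa3\t198.51.100.7\t50012\t192.0.2.10\t3389\tadmin\tSuccess\tRDP\tRussian\tRDP 5.2\tWIN-7
1559358003.411002\tCa4\t198.51.100.7\t50013\t192.0.2.10\t3389\tuser\tSuccess\tRDP\tRussian\tRDP 5.2\tWIN-7
1559358004.511002\tCa5\t198.51.100.7\t50014\t192.0.2.10\t3389\ttest\tSuccess\tRDP\tRussian\tRDP 5.2\tWIN-7
1559358100.000000\tCa6\t203.0.113.9\t60000\t192.0.2.10\t3389\t-\t-\t-\t-\t-\t-
#close\t2019-06-01-03-10-00
"""


def parse_bro_log(text):
    """Parse Bro/Zeek ASCII log text into a list of dicts keyed by field name.

    Honours the #separator header (written escaped, e.g. \\x09 for a tab),
    maps the #unset_field marker to None and skips the other metadata lines.
    """
    sep, unset, fields, records = "\t", "-", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            escaped = line.split(" ", 1)[1]
            sep = escaped.encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            meta = line.split(sep)
            if meta[0] == "#unset_field":
                unset = meta[1]
            elif meta[0] == "#fields":
                fields = meta[1:]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return records


# Fields from the bro-cut command above that describe the attacking client.
CLIENT_FIELDS = ("cookie", "result", "security_protocol", "keyboard_layout",
                 "client_build", "client_name")


def summarize_by_source(records):
    """Group rdp.log records per source host, collecting the distinct client values."""
    summary = defaultdict(lambda: {"connections": 0, **{f: set() for f in CLIENT_FIELDS}})
    for rec in records:
        entry = summary[rec["id.orig_h"]]
        entry["connections"] += 1
        for field in CLIENT_FIELDS:
            if rec.get(field) is not None:
                entry[field].add(rec[field])
    return dict(summary)


def classify(summary, guess_threshold=3):
    """Label each source host (threshold and labels are assumptions of this example).

    'credential-guessing': presented at least guess_threshold distinct cookies
      (the cookie is the mstshash username hint in the X.224 connection request);
    'probe': connected but never sent a cookie nor reached an MCS result;
    'single-session': everything else.
    """
    labels = {}
    for host, entry in summary.items():
        if len(entry["cookie"]) >= guess_threshold:
            labels[host] = "credential-guessing"
        elif not entry["cookie"] and not entry["result"]:
            labels[host] = "probe"
        else:
            labels[host] = "single-session"
    return labels


def analyze(text=SAMPLE_RDP_LOG):
    """Parse, summarize and classify; returns (summary, labels)."""
    summary = summarize_by_source(parse_bro_log(text))
    return summary, classify(summary)


if __name__ == "__main__":
    # With a path argument, read that rdp.log; otherwise use the embedded sample.
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RDP_LOG
    summary, labels = analyze(log_text)
    for host in sorted(summary, key=lambda h: -summary[h]["connections"]):
        e = summary[host]
        print("%-16s %3d conn  %-20s cookies=%s builds=%s"
              % (host, e["connections"], labels[host],
                 sorted(e["cookie"]), sorted(e["client_build"])))
```

Run it as `python3 rdp_summary.py rdp.log` on the log produced by the bro command above; with no argument it analyzes the embedded sample. Because the parser reads the #fields header instead of hard-coding column positions, it also works on a newer Zeek rdp.log whose column set differs.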



Written by


Red Teamer | Pentester | Bug Bounty | 0day guy! | Lone Wolf… A handy collection of my public Exploits & CVEs, all in one place.
