Build an easy RDP honeypot with a Raspberry Pi 3 and observe infamous attacks such as BlueKeep (CVE-2019-0708)

alt3kx
Jun 5 · 5 min read
RDP Honeypot Raspberry PI 3

Technical Requirements:

Hardware:
1. Raspberry Pi 3
Essential packages:
1. Wireshark
2. tcpdump
3. bro
4. rdpy
5. tcpick

Installation

Flash the Kali Linux ARM image to the SD card with Etcher, boot the Pi and bring it up to date:
# apt-get update && apt-get upgrade && apt-get dist-upgrade
Kali on Raspberry PI 3
Install rdpy and its dependencies:
# pip install twisted pyopenssl qt4reactor service_identity rsa pyasn1
# pip install rdpy
# apt-get install python-qt4
rdpy ships the following tools (this setup uses rdpy-rdpmitm.py, rdpy-rssplayer.py and rdpy-rdphoneypot.py):
# rdpy-rdpcredsspmitm.py
# rdpy-rdpmitm.py
# rdpy-rssplayer.py
# rdpy-vncscreenshot.py
# rdpy-rdpclient.py
# rdpy-rdphoneypot.py
# rdpy-rdpscreenshot.py
# rdpy-vncclient.py
Note: On Kali Linux I received some errors with the Twisted packages, which I fixed with the following commands:
# wget -c https://twistedmatrix.com/Releases/Twisted/19.2/Twisted-19.2.0.tar.bz2
# bzip2 -d Twisted-19.2.0.tar.bz2
# tar -xvf Twisted-19.2.0.tar
# cd Twisted-19.2.0
# python setup.py install
Executing rdpy-rdpclient.py & rdpy-rdphoneypot.py
# rdpy-rdpmitm.py -o /root/honeypots_arsenal/ 192.168.1.17
Where 192.168.1.17 is the real Windows Server 2008 IP address with the RDP service enabled. The MITM accepts RDP connections on the Pi, proxies them to that server and records each session as an RSS file in the output directory.
Start an RDP connection to your localhost (127.0.0.1) using xfreerdp:
# xfreerdp --no-nla 127.0.0.1
You should see:
[*] INFO: *******************************************
[*] INFO: * SSL Security selected *
[*] INFO: *******************************************
^C
RDP session recorded (RSS file)
Replay the recording locally with rdpy-rssplayer.py, then feed the same RSS file to rdpy-rdphoneypot.py, which replays it to anyone who connects to the honeypot:
# rdpy-rssplayer.py 20190601025837_127.0.0.1_1.rss
# rdpy-rdphoneypot.py 20190601025837_127.0.0.1_1.rss
Executing rdpy-rdphoneypot.py with session recorded (RSS file)
# nmap -F localhost
Running nmap to check that the RDP service is listening locally
NAT/PAT Setup Orange Router
# nmap -F <your external IP address>
Running nmap from outside to check that the RDP service is reachable remotely (after forwarding TCP 3389 on the router to the Pi)
# tcpdump -i eth0 -vv -w rdp.pcap tcp port 3389
Capturing traffic on port 3389 with tcpdump (options come first, the BPF filter last; -X adds nothing when writing to a file with -w)
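Before the MITM or the honeypot negotiates any security, every client (xfreerdp, mstsc and the scanners that will hit the forwarded port alike) sends a TPKT-framed X.224 Connection Request. The parser below is an added example written for this article, not code from the post or from rdpy: it decodes that first packet into the routing cookie (the `cookie` column Bro later shows in rdp.log) and the RDP_NEG_REQ flags that decide whether the session becomes standard RDP security, TLS ("SSL Security selected" above) or CredSSP/NLA. The field layout follows MS-RDPBCGR 2.2.1.1; the sample packet is constructed by hand, not taken from a capture.

```python
"""Decode the first packet every RDP client sends: TPKT + X.224 Connection Request
(MS-RDPBCGR 2.2.1.1). Added example; not code from the original post or from rdpy."""
import struct

# requestedProtocols flags of RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # standard RDP security only (no flag set)
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP (NLA)
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ = 0x01
X224_CONNECTION_REQUEST = 0xE0
COOKIE_PREFIX = "Cookie: mstshash="


def parse_x224_connection_request(data):
    """Return cookie / routing token and requested security protocols of a raw CR TPDU."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack(">H", data[2:4])[0]          # TPKT length is big-endian
    if tpkt_len != len(data):
        raise ValueError("TPKT says %d bytes, got %d" % (tpkt_len, len(data)))

    li = data[4]                                           # length indicator: bytes after LI
    if data[5] != X224_CONNECTION_REQUEST:
        raise ValueError("X.224 TPDU code 0x%02x is not a Connection Request" % data[5])
    dst_ref, src_ref = struct.unpack(">HH", data[6:10])
    variable = data[11:5 + li]                             # after the 6-byte fixed part

    result = {"dst_ref": dst_ref, "src_ref": src_ref, "class": data[10],
              "cookie": None, "routing_token": None, "requested_protocols": None}

    # Optional routingToken / cookie: ANSI text terminated by CR LF, sent before any auth.
    if variable[:1] != bytes([TYPE_RDP_NEG_REQ]) and b"\r\n" in variable:
        token, variable = variable.split(b"\r\n", 1)
        text = token.decode("ascii", errors="replace")
        if text.startswith(COOKIE_PREFIX):
            result["cookie"] = text[len(COOKIE_PREFIX):]   # username hint from the client
        else:
            result["routing_token"] = text                 # load-balancer routing token

    # Optional RDP_NEG_REQ: type(1) flags(1) length(2, LE) requestedProtocols(4, LE).
    if len(variable) >= 8 and variable[0] == TYPE_RDP_NEG_REQ:
        _type, _flags, length, protocols = struct.unpack("<BBHI", variable[:8])
        if length != 8:
            raise ValueError("RDP_NEG_REQ length must be 8, got %d" % length)
        result["requested_protocols"] = protocols
    return result


def describe_protocols(flags):
    """Human-readable requestedProtocols; None means the client sent no RDP_NEG_REQ."""
    if flags is None:
        return "no RDP_NEG_REQ (legacy client, standard RDP security)"
    if flags == PROTOCOL_RDP:
        return "standard RDP security"
    names = [name for bit, name in ((PROTOCOL_SSL, "TLS"), (PROTOCOL_HYBRID, "CredSSP/NLA"),
                                    (PROTOCOL_RDSTLS, "RDSTLS"), (PROTOCOL_HYBRID_EX, "CredSSP-EX"))
             if flags & bit]
    return ", ".join(names) or "unknown 0x%08x" % flags


# Constructed sample (not a real capture): a client advertising TLS and NLA and sending
# the cookie of a user whose name starts with "administr".
SAMPLE_CR = (
    b"\x03\x00\x00\x2f"                  # TPKT: version 3, reserved, length 47
    b"\x2a\xe0\x00\x00\x00\x00\x00"      # X.224: LI 42, CR, dst-ref 0, src-ref 0, class 0
    b"Cookie: mstshash=administr\r\n"    # routing cookie
    b"\x01\x00\x08\x00\x03\x00\x00\x00"  # RDP_NEG_REQ: type 1, flags 0, len 8, TLS | HYBRID
)

if __name__ == "__main__":
    cr = parse_x224_connection_request(SAMPLE_CR)
    print("cookie=%r protocols=%s" % (cr["cookie"], describe_protocols(cr["requested_protocols"])))
```

A client started with `xfreerdp --no-nla` requests only the TLS flag (0x00000001), which is why the MITM prints "SSL Security selected"; a bare connection request with no RDP_NEG_REQ at all comes from legacy clients and most mass scanners.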

Packet Analysis

# apt-get install tcpick
# apt-get install wireshark
# apt-get install cmake make gcc g++ flex git bison python-dev swig libpcap-dev libssl-dev zlib1g-dev -y
# apt-get install libgeoip-dev -y
# apt-get install libmaxminddb-dev
# apt-get install bro broctl bro-aux -y
Packet analysis with tcpick
# tcpick -C -yP -r rdp.pcap | more
Voila!
Executing tcpick (Packet Analysis)
# bro -r rdp.pcap -C
Generating human readable logs with bro command
# cat rdp.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name | more 
Reading rdp.log file with bro-cut
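bro-cut shows the columns one connection at a time; on a honeypot you want the same data rolled up per attacking address (how many attempts, which usernames were tried via the cookie, which client names and security protocols). The script below is an added example written for this article, not code from the post or from Bro: a small parser for Bro/Zeek's TSV log format (it honours the #separator, #fields, #unset_field and #empty_field headers) plus the per-source rollup. The log lines are constructed for the demo and trimmed to the columns the bro-cut command above selects; the addresses come from the RFC 5737 documentation ranges.

```python
"""Triage a Bro/Zeek rdp.log per source address. Added example; not from the post or Bro."""
import codecs
from collections import defaultdict


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts keyed by the #fields names.

    Unset fields ('-') become None and empty fields ('(empty)') become ''.
    """
    sep, unset, empty, fields = "\t", "-", "(empty)", None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # This header is space-delimited and escapes the separator itself (\x09).
            sep = codecs.decode(line[len("#separator "):], "unicode_escape")
            continue
        if line.startswith("#"):
            key, *values = line[1:].split(sep)
            if key == "fields":
                fields = values
            elif key == "unset_field":
                unset = values[0]
            elif key == "empty_field":
                empty = values[0]
            continue                       # #set_separator, #path, #open, #types, #close
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("expected %d columns, got %d" % (len(fields), len(values)))
        rows.append({f: None if v == unset else "" if v == empty else v
                     for f, v in zip(fields, values)})
    return rows


def summarize_sources(rows):
    """Roll rdp.log rows up per id.orig_h: attempts and the distinct cookies
    (username hints), client names, security protocols and results seen."""
    summary = defaultdict(lambda: {"attempts": 0, "cookies": set(), "client_names": set(),
                                   "security_protocols": set(), "results": set()})
    for row in rows:
        entry = summary[row["id.orig_h"]]
        entry["attempts"] += 1
        for bucket, field in (("cookies", "cookie"), ("client_names", "client_name"),
                              ("security_protocols", "security_protocol"), ("results", "result")):
            if row.get(field):             # skip unset ('-') and empty values
                entry[bucket].add(row[field])
    return dict(summary)


def noisy_sources(summary, min_attempts=2):
    """Addresses with repeated connections, most attempts first (brute-force / scanner candidates)."""
    return sorted((ip for ip, e in summary.items() if e["attempts"] >= min_attempts),
                  key=lambda ip: -summary[ip]["attempts"])


# Constructed sample log (not a real capture), trimmed to the bro-cut columns used above.
SAMPLE_RDP_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\trdp",
    "#open\t2019-06-01-02-58-37",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcookie\tresult"
    "\tsecurity_protocol\tkeyboard_layout\tclient_build\tclient_name",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tstring\tstring",
    "1559357917.412210\tCHhAvVGS1DHFjwGM9\t198.51.100.23\t49822\t192.0.2.10\t3389\tadministr"
    "\tSuccess\tRDP\tEnglish - United States\tRDP 5.1\tWIN-ATTACKER",
    "1559357921.007531\tCHhAvVGS1DHFjwGMa\t198.51.100.23\t49830\t192.0.2.10\t3389\thello"
    "\tSuccess\tRDP\tEnglish - United States\tRDP 5.1\tWIN-ATTACKER",
    "1559358002.551000\tC4J4Th3PJpwUYZZ6gc\t203.0.113.77\t51004\t192.0.2.10\t3389\t-\t-\tHYBRID\t-\t-\t-",
    "1559358105.119832\tCmES5u32sYpV7JYN\t198.51.100.23\t49851\t192.0.2.10\t3389\t-\t-\tSSL\t-\t-\t-",
    "#close\t2019-06-01-03-10-02",
])

if __name__ == "__main__":
    rollup = summarize_sources(parse_zeek_log(SAMPLE_RDP_LOG))
    for ip in noisy_sources(rollup):
        e = rollup[ip]
        print(ip, e["attempts"], sorted(e["cookies"]), sorted(e["security_protocols"]))
```

Run it against the real file with `parse_zeek_log(open("rdp.log").read())`; the same parser works for conn.log or ssl.log from the same `bro -r rdp.pcap -C` run, since the header format is shared.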


Written by

alt3kx

Red Teamer | Pentester | Bug Bounty | 0day guy! | Lone Wolf… A handy collection of my public exploits & CVEs, all in one place: https://github.com/alt3kx
