Install PIP and run

pip rdpy --trusted-host --trusted-host 
pip install pyinstaller --trusted-host --trusted-host 
pip install pywin32 --trusted-host --trusted-host


git python install

for python 2.7 Then Install PyQt4 from here, note that this only works on 2.7 -> You may also get the link from here, (in the windows section)

(This will not work and will error out, this is for 2.7 only) for python 3.8+ Run this instead pip install rdpy –trusted-host –trusted-host


C:\Python27\Lib\site-packages\rdpy\protocol\rdp\nla\ Edit this file with the following below. then execute the following command

C:\Python27\Scripts\dist>rdpy-rdpclient.exe -u Username -p !32:70:ae:1e:3e:93:a1:65:85:7d:dc:53:a9:37:fc:e4 -d Domain ServerHostNameToRDPTo:3389

use “!” to indicate it’s a hash

def HMAC_MD5(key, data):
    @summary: classic HMAC algorithm with MD5 sum
    @param key: {str} key
    @param data: {str} data
    #for line in traceback.format_stack():
    #Digets =, data, hashlib.md5).digest()
    #print "HMAC_MD5" + ":".join("{:02x}".format(ord(c)) for c in Digets )
    return, data, hashlib.md5).digest()

def NTOWFv2(Passwd, User, UserDom):
    @summary: Version 2 of NTLM hash function
    @param Passwd: {str} Password
    @param User: {str} Username
    @param UserDom: {str} microsoft domain
    #for line in traceback.format_stack():
    print "NTOWFv2 UNICODE(User.upper() + UserDom)" + ":".join("{:02x}".format(ord(c)) for c in UNICODE(User.upper() + UserDom))
    print "NTOWFv2 MD4(UNICODE(Passwd)" + ":".join("{:02x}".format(ord(c)) for c in MD4(UNICODE(Passwd)))
    HMACHASH = HMAC_MD5(MD4(UNICODE(Passwd)), UNICODE(User.upper() + UserDom))
    print "HMAC_MD5 hash-> " + ":".join("{:02x}".format(ord(c)) for c in HMACHASH)
    return HMACHASH

def LMOWFv2(Passwd, User, UserDom):
    @summary: Same as NTOWFv2
    @param Passwd: {str} Password
    @param User: {str} Username
    @param UserDom: {str} microsoft domain
    return NTOWFv2(Passwd, User, UserDom)

def ComputeResponsev2(ResponseKeyNT, ResponseKeyLM, ServerChallenge, ClientChallenge, Time, ServerName):
    @summary: process NTLMv2 Authenticate hash
    @param NegFlg: {int} Negotiation flags come from challenge message
    Responserversion = "\x01"
    HiResponserversion = "\x01"

    temp = Responserversion + HiResponserversion + Z(6) + Time + ClientChallenge + Z(4) + ServerName
    NTProofStr = HMAC_MD5(ResponseKeyNT, ServerChallenge + temp)
    NtChallengeResponse = NTProofStr + temp
    LmChallengeResponse = HMAC_MD5(ResponseKeyLM, ServerChallenge + ClientChallenge) + ClientChallenge

    SessionBaseKey = HMAC_MD5(ResponseKeyNT, NTProofStr)

    return NtChallengeResponse, LmChallengeResponse, SessionBaseKey

def MAC(handle, SigningKey, SeqNum, Message):
    @summary: generate signature for application message
    @param handle: {rc4.RC4Key} handle on crypt
    @param SigningKey: {str} Signing key
    @param SeqNum: {int} Sequence number
    @param Message: Message to sign
    signature = MessageSignatureEx()
    signature.SeqNum.value = SeqNum

    #write the SeqNum
    s = Stream()

    signature.Checksum.value = rc4.crypt(handle, HMAC_MD5(SigningKey, s.getvalue() + Message)[:8])

    return signature

def MIC(ExportedSessionKey, negotiateMessage, challengeMessage, authenticateMessage):
    @summary: Compute MIC signature
    @param negotiateMessage: {NegotiateMessage}
    @param challengeMessage: {ChallengeMessage}
    @param authenticateMessage: {AuthenticateMessage}
    @return: {str} signature
    s = Stream()
    s.writeType((negotiateMessage, challengeMessage, authenticateMessage))
    return HMAC_MD5(ExportedSessionKey, s.getvalue())

class NTLMv2(sspi.IAuthenticationProtocol):
    @summary: Handle NTLMv2 Authentication
    def __init__(self, domain, user, password):
        self._domain = domain
        self._user = user
        self._password = password
        self._enableUnicode = False
    if password.startswith("!"):
            print "HASH -> " + password[1:].replace(":", "")
        HMACHASH = HMAC_MD5(password[1:].replace(":", "").decode("hex"), UNICODE(user.upper() + domain))
        print "HMAC_MD5 hash-> " + ":".join("{:02x}".format(ord(c)) for c in HMACHASH)
        print "NTOWFv2 UNICODE(User.upper() + UserDom)" + ":".join("{:02x}".format(ord(c)) for c in UNICODE(user.upper() + domain))
            print "NTOWFv2 password" + ":".join("{:02x}".format(ord(c)) for c in password[1:].replace(":", "").decode("hex"))
        self._ResponseKeyNT = HMACHASH
        self._ResponseKeyLM = HMACHASH
        self._ResponseKeyNT = NTOWFv2(password, user, domain)
            self._ResponseKeyLM = LMOWFv2(password, user, domain)
        print ":".join("{:02x}".format(ord(c)) for c in self._ResponseKeyNT)
            print ":".join("{:02x}".format(ord(c)) for c in self._ResponseKeyLM)

    #For MIC computation
        self._negotiateMessage = None
        self._challengeMessage = None
        self._authenticateMessage = None

    def getNegotiateMessage(self):
        @summary: generate first handshake messgae
        self._negotiateMessage = NegotiateMessage()
        self._negotiateMessage.NegotiateFlags.value = (Negotiate.NTLMSSP_NEGOTIATE_KEY_EXCH |
                                        Negotiate.NTLMSSP_NEGOTIATE_128 |
                                        Negotiate.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY |
                                        Negotiate.NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
                                        Negotiate.NTLMSSP_NEGOTIATE_NTLM |
                                        Negotiate.NTLMSSP_NEGOTIATE_SEAL |
                                        Negotiate.NTLMSSP_NEGOTIATE_SIGN |
                                        Negotiate.NTLMSSP_REQUEST_TARGET |
        return self._negotiateMessage

Leave a Reply

Your email address will not be published. Required fields are marked *