Install PIP and run
1 2 3 4 |
pip rdpy --trusted-host pypi.org --trusted-host files.pythonhosted.org pip install pyinstaller --trusted-host pypi.org --trusted-host files.pythonhosted.org pip install pywin32 --trusted-host pypi.org --trusted-host files.pythonhosted.org |
or
1 2 |
git https://github.com/citronneur/rdpy.git python setup.py install |
for python 2.7 Then Install PyQt4 from here, note that this only works on 2.7 -> https://pypi.org/project/PyQt4/ You may also get the link from here, https://github.com/citronneur/rdpy (in the windows section)
(This will not work and will error out, this is for 2.7 only) for python 3.8+ Run this instead pip install rdpy –trusted-host pypi.org –trusted-host files.pythonhosted.org
Then
C:\Python27\Lib\site-packages\rdpy\protocol\rdp\nla\ntlm.py Edit this file with the following below. then execute the following command
C:\Python27\Scripts\dist>rdpy-rdpclient.exe -u Username -p !32:70:ae:1e:3e:93:a1:65:85:7d:dc:53:a9:37:fc:e4 -d Domain ServerHostNameToRDPTo:3389
use “!” to indicate it’s a hash
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 |
def HMAC_MD5(key, data): """ @summary: classic HMAC algorithm with MD5 sum @param key: {str} key @param data: {str} data """ #for line in traceback.format_stack(): #print(line.strip()) #Digets = hmac.new(key, data, hashlib.md5).digest() #print "HMAC_MD5" + ":".join("{:02x}".format(ord(c)) for c in Digets ) return hmac.new(key, data, hashlib.md5).digest() def NTOWFv2(Passwd, User, UserDom): """ @summary: Version 2 of NTLM hash function @param Passwd: {str} Password @param User: {str} Username @param UserDom: {str} microsoft domain @see: https://msdn.microsoft.com/en-us/library/cc236700.aspx """ #for line in traceback.format_stack(): #print(line.strip()) print "NTOWFv2 UNICODE(User.upper() + UserDom)" + ":".join("{:02x}".format(ord(c)) for c in UNICODE(User.upper() + UserDom)) print "NTOWFv2 MD4(UNICODE(Passwd)" + ":".join("{:02x}".format(ord(c)) for c in MD4(UNICODE(Passwd))) HMACHASH = HMAC_MD5(MD4(UNICODE(Passwd)), UNICODE(User.upper() + UserDom)) print "HMAC_MD5 hash-> " + ":".join("{:02x}".format(ord(c)) for c in HMACHASH) return HMACHASH def LMOWFv2(Passwd, User, UserDom): """ @summary: Same as NTOWFv2 @param Passwd: {str} Password @param User: {str} Username @param UserDom: {str} microsoft domain @see: https://msdn.microsoft.com/en-us/library/cc236700.aspx """ return NTOWFv2(Passwd, User, UserDom) def ComputeResponsev2(ResponseKeyNT, ResponseKeyLM, ServerChallenge, ClientChallenge, Time, ServerName): """ @summary: process NTLMv2 Authenticate hash @param NegFlg: {int} Negotiation flags come from challenge message @see: https://msdn.microsoft.com/en-us/library/cc236700.aspx """ Responserversion = "\x01" HiResponserversion = "\x01" temp = Responserversion + HiResponserversion + Z(6) + Time + ClientChallenge + Z(4) + ServerName NTProofStr = HMAC_MD5(ResponseKeyNT, ServerChallenge + temp) NtChallengeResponse = NTProofStr + temp LmChallengeResponse = HMAC_MD5(ResponseKeyLM, ServerChallenge + ClientChallenge) + ClientChallenge SessionBaseKey = HMAC_MD5(ResponseKeyNT, NTProofStr) return NtChallengeResponse, LmChallengeResponse, SessionBaseKey def MAC(handle, SigningKey, SeqNum, Message): """ @summary: generate signature for application message @param handle: {rc4.RC4Key} handle on crypt @param SigningKey: {str} Signing key @param SeqNum: {int} Sequence number @param Message: Message to sign @see: https://msdn.microsoft.com/en-us/library/cc422952.aspx """ signature = MessageSignatureEx() signature.SeqNum.value = SeqNum #write the SeqNum s = Stream() s.writeType(signature.SeqNum) signature.Checksum.value = rc4.crypt(handle, HMAC_MD5(SigningKey, s.getvalue() + Message)[:8]) return signature def MIC(ExportedSessionKey, negotiateMessage, challengeMessage, authenticateMessage): """ @summary: Compute MIC signature @param negotiateMessage: {NegotiateMessage} @param challengeMessage: {ChallengeMessage} @param authenticateMessage: {AuthenticateMessage} @return: {str} signature @see: https://msdn.microsoft.com/en-us/library/cc236676.aspx """ s = Stream() s.writeType((negotiateMessage, challengeMessage, authenticateMessage)) return HMAC_MD5(ExportedSessionKey, s.getvalue()) class NTLMv2(sspi.IAuthenticationProtocol): """ @summary: Handle NTLMv2 Authentication """ def __init__(self, domain, user, password): self._domain = domain self._user = user self._password = password self._enableUnicode = False if password.startswith("!"): print "HASH -> " + password[1:].replace(":", "") HMACHASH = HMAC_MD5(password[1:].replace(":", "").decode("hex"), UNICODE(user.upper() + domain)) print "HMAC_MD5 hash-> " + ":".join("{:02x}".format(ord(c)) for c in HMACHASH) print "NTOWFv2 UNICODE(User.upper() + UserDom)" + ":".join("{:02x}".format(ord(c)) for c in UNICODE(user.upper() + domain)) print "NTOWFv2 password" + ":".join("{:02x}".format(ord(c)) for c in password[1:].replace(":", "").decode("hex")) self._ResponseKeyNT = HMACHASH self._ResponseKeyLM = HMACHASH else: #https://msdn.microsoft.com/en-us/library/cc236700.aspx self._ResponseKeyNT = NTOWFv2(password, user, domain) self._ResponseKeyLM = LMOWFv2(password, user, domain) print ":".join("{:02x}".format(ord(c)) for c in self._ResponseKeyNT) print ":".join("{:02x}".format(ord(c)) for c in self._ResponseKeyLM) #For MIC computation self._negotiateMessage = None self._challengeMessage = None self._authenticateMessage = None def getNegotiateMessage(self): """ @summary: generate first handshake messgae """ self._negotiateMessage = NegotiateMessage() self._negotiateMessage.NegotiateFlags.value = (Negotiate.NTLMSSP_NEGOTIATE_KEY_EXCH | Negotiate.NTLMSSP_NEGOTIATE_128 | Negotiate.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | Negotiate.NTLMSSP_NEGOTIATE_ALWAYS_SIGN | Negotiate.NTLMSSP_NEGOTIATE_NTLM | Negotiate.NTLMSSP_NEGOTIATE_SEAL | Negotiate.NTLMSSP_NEGOTIATE_SIGN | Negotiate.NTLMSSP_REQUEST_TARGET | Negotiate.NTLMSSP_NEGOTIATE_UNICODE) return self._negotiateMessage |