{"id":13773834,"url":"https://github.com/ctxis/rdp-replay","last_synced_at":"2026-01-22T08:18:19.490Z","repository":{"id":73927108,"uuid":"57199525","full_name":"ctxis/RDP-Replay","owner":"ctxis","description":"Replay RDP traffic from PCAP","archived":false,"fork":false,"pushed_at":"2019-06-25T12:13:56.000Z","size":25928,"stargazers_count":187,"open_issues_count":9,"forks_count":61,"subscribers_count":24,"default_branch":"master","last_synced_at":"2024-11-17T09:38:21.568Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ctxis.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-04-27T09:03:06.000Z","updated_at":"2024-11-16T19:48:17.000Z","dependencies_parsed_at":"2023-07-03T05:26:39.587Z","dependency_job_id":null,"html_url":"https://github.com/ctxis/RDP-Replay","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ctxis%2FRDP-Replay","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ctxis%2FRDP-Replay/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ctxis%2FRDP-Replay/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ctxis%2FRDP-Replay/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ctxis","download_url":"https://codeload.github.com/ctxis/RDP-Replay/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_coun
t":253528362,"owners_count":21922623,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T17:01:20.687Z","updated_at":"2026-01-22T08:18:19.484Z","avatar_url":"https://github.com/ctxis.png","language":"C","funding_links":[],"categories":["\u003ca id=\"58b6684347a223e01d4d76d9ca185a88\"\u003e\u003c/a\u003eReplay\u0026\u0026重播"],"sub_categories":[],"readme":"        RDP REPLAY\n        ==========\n\nContents\n========\n\nextractrdpkeys/ Source and binaries for extracting RDP keys from DPAPI\nlibfree_rdp/    Original library circa 2013\nREADME          You found this already!\ntest/           Test samples and instructions\nMakefile        Top level make file\nreplay/         Source directory for the replay tool\ntools/          Other support software\n\n=============================================================================\nUsage\n=====\n\n$ rdp_replay -h\nUsage: rdp_replay  \u003coptions\u003e\n    -h                    Help. You're reading it!\n    -l \u003clsa_secrets_file\u003e File containing LSA secrets for RDP decryption\n    -L \u003clsa_raw_secret\u003e   File containing a single binary LSA secret\n    -o \u003coutput_file\u003e      Output video file (e.g. 
\"rdp.avi\")\n    -p \u003crsa_priv_file\u003e    PEM file with SSL key (can be repeated)\n    -r \u003cpcap_file\u003e        The pcap file (default is stdin)\n    -t \u003cport\u003e             The TCP port to select in the pcap (default: any)\n    -x \u003cnum\u003e              Playback tcp stream at \u003cnum\u003e times realtime\n    --clipboard_16le      Clipboard is assumed to be UTF16le and stripped back up 8-bit\n    --debug_chan          Show channel messages\n    --debug_caps          Show capabilities messages\n    --fullspeed           Playback tcp stream at full-speed\n    --help                Help. You're still reading it!\n    --no_cksum            Don't check the packet (IP and TCP) checksums\n    --no_cursor           Don't show the cursor\n    --realtime            Playback tcp stream in realtime\n    --reverse             Reverse client/server direction (sometimes useful for extracted data)\n    --save_clipboard      Save clipboard events to file (e.g. \"clip-00000000-up\")\n    --show_time           Display packet capture time\n    --show_keys           Display keypress (repeat for verbose)\n    --sound               Play sounds\n    --rdprd               Display RDPDR channel requests\n    --sw                  Use SW_GDI for rendering (not recommended)\n\nSimple example:\n$ rdp_replay -l RC4priv.txt -r capture.pcap\n\n=============================================================================\nBuilding\n=========\n\nThese instructions are for building on Ubuntu 14.04.\n\nThis package contains the LibfreeRDP package and the enhancements for the\nreplay tool. 
Once dependencies are met, run make.\n\nThe following line (run as root) should install all required packages.\n\n# apt-get install -y build-essential git-core cmake libssl-dev libx11-dev libxext-dev libxinerama-dev libxcursor-dev libxdamage-dev libxv-dev libxkbfile-dev libasound2-dev libcups2-dev libxml2 libxml2-dev libxrandr-dev libgstreamer0.10-dev libgstreamer-plugins-base0.10-dev libavutil-dev libavcodec-dev libavformat-dev libpcap-dev libreadline-dev\n\nOnce these are installed, run make.\nThis will (hopefully) produce ./replay/rdp_replay\n\n=============================================================================\nPrivate Keys:\n\n There is a blog post available online (http://www.contextis.com/blog/rdp-replay/)\nthat covers extracting RDP keys in some detail.\n\nOld style RC4 keys should be put in a file of the form:\n\n    # Comment lines start with #\n    # Blank lines are ignored\n\n    \u003cname\u003e,\u003cpublic_key\u003e,\u003cprivate_key\u003e\n\nAn example:\n\n    Example_RC4,5253413148000000000200003f00000001000100edf118339e6cf30888cad52a43921547e3ce962eb3639785dc2433588a8c89e21606c2394095d8c4816045818e007d26178ff5c79d7a461b03836bdf6660dabd0000000000000000,81e95dd837c1adc5a68202cfa7d01d9fae10c99f690acdc458bd76de3cdc9d7f1e31d1c0ad2fa89b8433735c5dce29d7126041d62cad3f70a7248c60e9488239\n\nThese RC4 key files are specified on the command line.\n\nSSL private keys (PEM files) are specified directly on the command line.\n=============================================================================\nLSA secrets:\n\n Private keys for RDP services (pre Vista) are stored as LSA secrets. There is\na simple program available (from passcape) to read them. 
Example:\n\nC:\\\u003eLsaSecretReader.exe L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75\n======================================================\n= LSA secret reader by Passcape Software             =\n= Visit http://www.passcape.com for more information =\n======================================================\n\n0000: 52 53 41 32 48 00 00 00 00 02 00 00 3F 00 00 00\n0010: 01 00 01 00 ED F1 18 33 9E 6C F3 08 88 CA D5 2A\n0020: 43 92 15 47 E3 CE 96 2E B3 63 97 85 DC 24 33 58\n0030: 8A 8C 89 E2 16 06 C2 39 40 95 D8 C4 81 60 45 81\n0040: 8E 00 7D 26 17 8F F5 C7 9D 7A 46 1B 03 83 6B DF\n0050: 66 60 DA BD 00 00 00 00 00 00 00 00 C5 2E C2 9A\n0060: CD 5C 85 91 09 37 C7 45 A8 76 C3 9F E8 AD D6 D6\n0070: 21 2B 44 FF 9A 5B 99 70 62 88 24 ED 00 00 00 00\n0080: 09 E9 24 CA 37 F3 88 DE B2 E5 02 BF F7 4B E9 C2\n0090: 0C 28 D3 D8 40 72 6F 49 D2 CC E6 D3 62 2D F3 CC\n00A0: 00 00 00 00 CD 0B 24 05 48 0A CA A0 F6 54 5B 32\n00B0: A2 0F 3F AB EC 2A DF C9 BD D7 FB BE C0 D1 E6 CA\n00C0: 25 5A C5 E3 00 00 00 00 B9 D7 FD 7F EB AB EF D5\n00D0: 57 10 F0 6C F5 76 9B 79 9E 91 E3 D4 7F C7 74 71\n00E0: C1 C7 2E 67 B3 DE 49 17 00 00 00 00 3B 44 55 4B\n00F0: 46 21 AC 8F 38 A6 A8 A5 D7 06 31 0D 2A DA D1 D6\n0100: E4 2C ED D9 4F A4 D3 6D 35 E4 54 06 00 00 00 00\n0110: 81 E9 5D D8 37 C1 AD C5 A6 82 02 CF A7 D0 1D 9F\n0120: AE 10 C9 9F 69 0A CD C4 58 BD 76 DE 3C DC 9D 7F\n0130: 1E 31 D1 C0 AD 2F A8 9B 84 33 73 5C 5D CE 29 D7\n0140: 12 60 41 D6 2C AD 3F 70 A7 24 8C 60 E9 48 82 39\n0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n0170: 00 00 00 00 00 00 00 00 00 00 00 00\n\nThis gives public key of:\n 52 53 41 31 48 00 00 00 00 02 00 00 3f 00 00 00\n 01 00 01 00 ed f1 18 33 9e 6c f3 08 88 ca d5 2a\n 43 92 15 47 e3 ce 96 2e b3 63 97 85 dc 24 33 58\n 8a 8c 89 e2 16 06 c2 39 40 95 d8 c4 81 60 45 81\n 8e 00 7d 26 17 8f f5 c7 9d 7a 46 1b 03 83 6b df\n 66 60 da bd 00 00 00 00 00 00 00 00\n\n..and private key of\n 81 e9 5d d8 37 c1 ad c5 a6 82 
02 cf a7 d0 1d 9f\n ae 10 c9 9f 69 0a cd c4 58 bd 76 de 3c dc 9d 7f\n 1e 31 d1 c0 ad 2f a8 9b 84 33 73 5c 5d ce 29 d7\n 12 60 41 d6 2c ad 3f 70 a7 24 8c 60 e9 48 82 39\n\n NOTE: The public part of the key (from LsaSecret) starts \"RSA2\", but it will\nbe \"RSA1\" when transmitted as public-only, in the secure exchange. You can see\nthis easily in Wireshark.\n\nHow to extract the 2 available keys is shown below:\n\nLsaSecretReader.exe L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75\nLsaSecretReader.exe L$HYDRAENCKEY_52d1ad03-4565-44f3-8bfd-bbb0591f4b9d\n\n=============================================================================\nFor SSL (Cert) based: You need mimikatz and psexec (SysInternals)\n\nMimikatz as system: (psexec -s mimikatz.exe)\n  privilege::debug\n  crypto::patchcapi\n  crypto::patchcng\n  crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE \"Remote Desktop\"\n\n  This will produce a .pfx file (probably in the current directory or the one\ncontaining mimikatz.exe)\n\nBreak the private key out of the pfx (Windows) file:\n$ openssl pkcs12 -in file.pfx -nodes -out x509.pem\nUse password:  mimikatz\nGet out the x509 private key.\n\nIf you want to view an x509 PEM private key:\n$ openssl rsa -noout -in x509.pem -text\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fctxis%2Frdp-replay","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fctxis%2Frdp-replay","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fctxis%2Frdp-replay/lists"}