{"id":13827267,"url":"https://github.com/shramos/winregmitm","last_synced_at":"2025-08-02T11:03:42.805Z","repository":{"id":95217574,"uuid":"102988166","full_name":"shramos/winregmitm","owner":"shramos","description":"Perform MiTM attack and remove encryption on Windows Remote Registry Protocol.","archived":false,"fork":false,"pushed_at":"2017-09-10T21:58:10.000Z","size":24,"stargazers_count":34,"open_issues_count":0,"forks_count":7,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-29T20:39:40.318Z","etag":null,"topics":["cipher","communication","decipher","downgrade","encryption","execution","force","middle","mitm","packets","payload","protocol","remote","remote-machine","tcp","victim","windows-registry","winreg"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shramos.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-09-09T22:16:06.000Z","updated_at":"2025-04-27T21:35:35.000Z","dependencies_parsed_at":"2023-04-09T19:31:46.171Z","dependency_job_id":null,"html_url":"https://github.com/shramos/winregmitm","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/shramos/winregmitm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shramos%2Fwinregmitm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shramos%2Fwinregmitm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shramos%2Fwinregmitm/releases","manifests_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/repositories/shramos%2Fwinregmitm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shramos","download_url":"https://codeload.github.com/shramos/winregmitm/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shramos%2Fwinregmitm/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268378334,"owners_count":24240894,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-02T02:00:12.353Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cipher","communication","decipher","downgrade","encryption","execution","force","middle","mitm","packets","payload","protocol","remote","remote-machine","tcp","victim","windows-registry","winreg"],"created_at":"2024-08-04T09:01:53.025Z","updated_at":"2025-08-02T11:03:42.754Z","avatar_url":"https://github.com/shramos.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"42f9e068b6511bcbb47d6b2b273097da\"\u003e\u003c/a\u003e未分类"],"sub_categories":["\u003ca id=\"3bd67ee9f322e2c85854991c85ed6da0\"\u003e\u003c/a\u003e投毒\u0026\u0026Poisoning"],"readme":"# Description\nWinregmitm is a tool that performs filtering, processing and forwarding of packets from the Windows Remote Registry protocol. 
To perform these actions, the tool must be placed in the middle of the communication between a client and a server that are exchanging information through this protocol. The tool captures the packets and modifies them depending on the packet type or the information to be entered, which allows the insertion of arbitrary data into the victim's Windows registry and, consequently, the execution of commands remotely. To do this, the tool interprets all the raw bytes of the packets, including the layers IP / TCP / NetBIOS / SMB2 / DCE-RPC / WINREG. In addition, it implements a correction mechanism for the sequence numbers of a TCP/IP session, so that even if a packet's size is increased or decreased in the middle of the communication between the client and the server, the connection stays active.\nThere are also situations in which the Windows Remote Registry Protocol encrypts the payload of the WINREG layer, which prevents this attack. To address this, the tool implements a mechanism that forces the authentication of a session that would otherwise be encrypted, so that it goes unencrypted. To force re-authentication, the tool implements several mechanisms for breaking a session in progress.\nWinregmitm is the first public tool capable of modifying the packets of the Windows Remote Registry Protocol: it can modify the values being written to the victim's remote registry, the names of the keys being opened, or the path and name of new keys being created.\n\n# Installation\nFirst, install the build dependencies for NetfilterQueue; on Debian or Ubuntu, run the following command:\n\n```apt-get install build-essential python-dev libnetfilter-queue-dev```\n\nAfter that, install the Python requirements:\n\n```pip install -r requirements.txt```\n\nThat's all! 
You are ready to rock!\n\n# Examples\n\n## Video Examples\n\n###### Setting a test environment for winregMITM tool in Windows 10\nhttps://www.youtube.com/watch?v=fzkeEJG7l4Q\n\n###### Breaking and forcing a Windows Remote Registry Protocol session to go unencrypted in Windows 10\nhttps://www.youtube.com/watch?v=gZ37Pkp9ic4\n\n## Without parameters\n\nWith the command:\n\n```python winregmitm.py```\n\nthe tool enters monitoring mode and records all the client's operations on the server's Windows Registry. This may be useful for choosing when to insert a particular value, or for extracting the name of a key to use with the ```--key``` option.\n\n## SetValue operation\n\nThe ```--value``` or ```-val``` option is used to intercept all **setvalue** packets that flow from the client to the server; these packets are used to set a value in a certain key of the Windows registry of the remote machine. The option is used as follows:\n\n```python winregmitm.py --value attackervalue```\n\nThis command replaces the original value contained in the **setvalue** packet with the value *attackervalue*.\n\n## OpenKey operation\n\nThe ```--key``` or ```-k``` option is used to intercept all **openkey** packets that flow from the client to the server; these packets are used to open a certain key of the Windows registry of the remote machine. It is used as follows:\n\n```python winregmitm.py --key \"S-1-5-21-3397293157-906935177-3907816343-1000\\Keyboard Layout\"```\n\nThis command replaces the original key contained in the **openkey** packet with the key *S-1-5-21-3397293157-906935177-3907816343-1000\\Keyboard Layout*. 
As a result, when the user thinks they are opening a certain key, they are actually opening the key provided by the attacker.\n\nYou can also combine both options as follows:\n\n```python winregmitm.py --key \"S-1-5-21-3397293157-906935177-3907816343-1000\\Keyboard Layout\" --value \"attackervalue\"```\n\n## CreateKey operation\n\nThe ```--newkey``` or ```-nk``` option is used to intercept all **CreateKey** packets that flow from the client to the server; these packets are used to create a certain key in the Windows registry of the remote machine, and the option changes the name of the key being created. It is used as follows:\n\n```python winregmitm.py --newkey \"newattackername\"```\n\nYou can also force the key to be created in another path of the remote machine's registry by using the following command:\n\n```python winregmitm.py --newkeypath \"S-1-5-21-3397293157-906935177-3907816343-1000\\Keyboard Layout\" --newkey \"newattackername\"```\n\n## Forcing a session that is supposed to be encrypted to go unencrypted\n\nIf the client and the server machines that communicate via the Windows Remote Registry Protocol use the same username and password, authentication is performed automatically and, in addition, the payload of the *winreg* packets is encrypted. To prevent this, we can force the authentication of a session that is supposed to be encrypted to go unencrypted. To do this, use the following command:\n\n```python winregmitm.py --encrypted```\n\nThis command forces the session to go unencrypted at authentication time. 
If the session has already started, we can use this option in combination with ```--break-connection``` or ```-bk``` to break the current connection and force the user to re-authenticate.\n\n```python winregmitm.py --break-connection --encrypted```\n\nThis breaks the currently established connection between the client and the server, and the next time the client authenticates, it forces the session to go unencrypted.\n\n# Contact\nshramos@protonmail.com\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshramos%2Fwinregmitm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshramos%2Fwinregmitm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshramos%2Fwinregmitm/lists"}