{"id":25694585,"url":"https://github.com/yahoo/rdfp","last_synced_at":"2025-02-25T00:01:50.921Z","repository":{"id":71604116,"uuid":"242868677","full_name":"theparanoids/rdfp","owner":"theparanoids","description":"Remote Desktop Client Fingerprint script for Zeek. Based off of https://github.com/0x4D31/fatt","archived":false,"fork":false,"pushed_at":"2023-06-20T19:46:53.000Z","size":36,"stargazers_count":36,"open_issues_count":3,"forks_count":8,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-08-22T11:08:54.228Z","etag":null,"topics":["fingerprinting","monitoring","network","nsm","rdp","security","threat-hunting"],"latest_commit_sha":null,"homepage":"","language":"Zeek","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/theparanoids.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"Contributing.md","funding":null,"license":"LICENSE","code_of_conduct":"Code-of-Conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-02-24T23:47:59.000Z","updated_at":"2024-07-16T02:23:03.000Z","dependencies_parsed_at":"2023-02-24T09:45:49.977Z","dependency_job_id":"7c4789a9-5d71-45fe-a397-6c80c405707a","html_url":"https://github.com/theparanoids/rdfp","commit_stats":null,"previous_names":["yahoo/rdfp"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theparanoids%2Frdfp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theparanoids%2Frdfp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theparanoids%2Frdfp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theparanoids%2Frdfp/manifests","owner_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/owners/theparanoids","download_url":"https://codeload.github.com/theparanoids/rdfp/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240576456,"owners_count":19823293,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fingerprinting","monitoring","network","nsm","rdp","security","threat-hunting"],"created_at":"2025-02-25T00:01:12.651Z","updated_at":"2025-02-25T00:01:50.900Z","avatar_url":"https://github.com/theparanoids.png","language":"Zeek","funding_links":[],"categories":["Threat Detection and Hunting"],"sub_categories":["Tools"],"readme":"# rdfp\nZeek remote desktop fingerprinting script based on FATT (Fingerprint All The Things).\nhttps://github.com/0x4D31/fatt\n\n## Background\nThis is the result of a collaboration with Adel K. while he was working on FATT's remote desktop fingerprinting.  This is a Zeek package used to fingerprint Remote Desktop clients.\n\nPlease reference Microsoft's RDP specification located below.\n\nhttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5073f4ed-1e93-45e1-b039-6e30c385867c\n\n\n## Install\nzkg install https://github.com/yahoo/rdfp\nAdd \"**@load ./rdfp**\" to local.bro.\n\n## How It Works\n\nThe script creates a new log that records the fields which build the fingerprint, plus some additional information.  The fingerprint is created by concatenating fields extracted from different data packets.  \n\nFirst the Client Core Data packet is parsed to extract the Major and Minor version of the client.  
Next the Client Security Data is parsed and the Encryption Method and a list of the flags are added.  This is followed by the Client Cluster Data flags.  This is followed by the extEncryptionMethods value which is defined specifically for French locale clients.  The last group of data is the Channel Definition options for each channel defined which provide details about the data transport.\n\nHere is an example output based on the [rdp_proprietary-encryption.pcap](https://github.com/zeek/zeek/tree/master/testing/btest/Traces/rdp) provided by Zeek.org.\n\n```4,8,0000001b,0000000d,00000000,rdpdr:80800000-rdpsnd:c0000000-drdynvc:c0800000-cliprdr:c0a00000```\n\nAssociated MD5 hash\n\n```471a0d621e6184364949f1a62040e7f6```\n\nSample rdfp.log based on the same pcap file.\n\n```#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\trdfp\n#open\t2020-02-04-14-52-01\n#fields\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcookie\tverMajor\tverMinor\tclusterFlags\tencMethods\textEncMethods\tchannelDef\trdfp_string\trdfp_hash\n#types\taddr\tport\taddr\tport\tstring\tint\tint\tstring\tstring\tstring\tstring\tstring\tstring\n172.21.128.16\t1312\t10.226.24.52\t3389\tFTBCO\\\\A70\t4\t8\t0000000d\t0000001b\t00000000\trdpdr:80800000-rdpsnd:c0000000-drdynvc:c0800000-cliprdr:c0a00000\t4,8,0000001b,0000000d,00000000,rdpdr:80800000-rdpsnd:c0000000-drdynvc:c0800000-cliprdr:c0a00000\t471a0d621e6184364949f1a62040e7f6\n#close\t2020-02-04-14-52-01\n```\n\n## Disclaimer\n\nThis technique is specifically for non-TLS encrypted RDP sessions. For SSL/TLS encrypted RDP sessions refer to the JA3 fingerprint technique.  https://github.com/salesforce/ja3\n\n## Contribute\nPlease refer to the CONTRIBUTING.md file for information about how to get involved. We welcome issues, feature requests, pull requests, and documentation updates in GitHub.\n\n## License\n\nThis project is licensed under the terms of the Apache 2.0 open source license. 
Please refer to LICENSE for the full terms.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyahoo%2Frdfp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyahoo%2Frdfp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyahoo%2Frdfp/lists"}