Description
Hello,
Is this project still supported? I notice that the further we go, the more issues appear, and people with issues get barely any answers. Barely any updates, etc.
As of March 30th 2025, NLA/SSP is basically non-functional for any server. I've tested PyRDP against 2016, 2019, 2022 and 2025 from multiple different environments, and as of yesterday NLA/SSP does not work on any version of Windows.
I was using version 1.2.0 and NLA/SSP was working fine, and all of a sudden yesterday PyRDP stopped working with NLA/SSP pretty much universally. 2.1.0 plain and simple did not work with NLA/SSP at all; it didn't matter which version of Windows.
Yes, my certs were extracted properly; yes, I have port forwarding. I tested this in cloud environments and local environments; every environment is giving me issues.
2.1.0 gets stuck, doesn't go through, and just times out at "configuring remote session". I have not done much investigation on this version yet.
Find the logs for 1.2.0, where literally 5 days ago everything was working fine, in the first snippet. I added much more debug logging in the second snippet to try and find what's going on. I tried to add something to handle the EARLY_USER_AUTHORIZATION_RESULT.
THE LOGS ARE FOR A 2022 SERVER MACHINE
[2025-03-25 03:24:19,217] - INFO - Margaret917984 - pyrdp.mitm.connections.x224 - Cookie: mstshash=Administr
[2025-03-25 03:24:19,233] - INFO - Margaret917984 - pyrdp.mitm.connections.tcp - Server connected
[2025-03-25 03:24:19,234] - INFO - Emily888085 - pyrdp.mitm.connections.tcp - Server connected
[2025-03-25 03:24:19,239] - INFO - Robert238265 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator:::d23523d136a11bba:57838decfdca51ca00ba968bacbe56dc:010100000000000069b6010000000000000000000000000000000000020014004b0041005500460041004e00570041004c00540001001800410052004200450049005400450052002d004e004300310004001a006b0061007500660061006e00770061006c0074002e006400650003003400610072006200650069007400650072002d006e00630031002e006b0061007500660061006e00770061006c0074002e006400650005001a006b0061007500660061006e00770061006c0074002e0064006500070008001ecc1465359ddb0100000000
[2025-03-25 03:24:19,425] - INFO - Brittany183519 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator:::b6774909e3aa8b88:52150d806d6b612981942524ecfcc7bb:010100000000000069b6010000000000000000000000000000000000020014004b0041005500460041004e00570041004c00540001001800410052004200450049005400450052002d004e004300310004001a006b0061007500660061006e00770061006c0074002e006400650003003400610072006200650069007400650072002d006e00630031002e006b0061007500660061006e00770061006c0074002e006400650005001a006b0061007500660061006e00770061006c0074002e006400650007000800e5112765359ddb0100000000
[2025-03-25 03:24:19,570] - INFO - Ronald686928 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: administrator::red.act.ed:98023567e5feefe1:71142e954c0381dd28ca5c600f7b1cf9:
[2025-03-25 03:24:19,691] - INFO - Ronald686928 - pyrdp.mitm.connections.mcs - Client hostname red.act.ed
[2025-03-25 03:24:19,696] - INFO - Ronald686928 - pyrdp.mitm.connections.mcs - rdpdr <---> Channel #1004
[2025-03-25 03:24:19,696] - INFO - Ronald686928 - pyrdp.mitm.connections.mcs - rdpsnd <---> Channel #1005
[2025-03-25 03:24:19,696] - INFO - Ronald686928 - pyrdp.mitm.connections.mcs - cliprdr <---> Channel #1006
[2025-03-25 03:24:19,696] - INFO - Ronald686928 - pyrdp.mitm.connections.mcs - drdynvc <---> Channel #1007
[2025-03-25 03:24:20,244] - INFO - Robert238265 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert access denied')]
[2025-03-25 03:24:21,006] - INFO - Ronald899967 - pyrdp.mitm.connections.tcp - New client connected from red:48564
[2025-03-25 03:24:21,016] - INFO - Ronald899967 - pyrdp.mitm.connections.x224 - Cookie: mstshash=red.act.ed
[2025-03-25 03:24:21,017] - INFO - Brittany183519 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert access denied')]
[2025-03-25 03:24:21,033] - INFO - Ronald899967 - pyrdp.mitm.connections.tcp - Server connected
[2025-03-25 03:24:21,052] - INFO - Margaret917984 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator:::e983b0093b00aa23:045ce084d9850b87744a430da0ba5448:010100000000000069b6010000000000000000000000000000000000020014004b0041005500460041004e00570041004c00540001001800410052004200450049005400450052002d004e004300310004001a006b0061007500660061006e00770061006c0074002e006400650003003400610072006200650069007400650072002d006e00630031002e006b0061007500660061006e00770061006c0074002e006400650005001a006b0061007500660061006e00770061006c0074002e006400650007000800323b2666359ddb0100000000
[2025-03-25 03:24:21,075] - INFO - Emily888085 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::red.act.ed:270a4fafc63cceac:ef5acba664a3e7cd9e5c31d904f72432:010100000000000069b6010000000000000000000000000000000000020014004b0041005500460041004e00570041004c00540001001800410052004200450049005400450052002d004e004300310004001a006b0061007500660061006e00770061006c0074002e006400650003003400610072006200650069007400650072002d006e00630031002e006b0061007500660061006e00770061006c0074002e006400650005001a006b0061007500660061006e00770061006c0074002e00640065000700080086902b66359ddb0100000000
[2025-03-25 03:24:22,792] - INFO - Sherry541158 - pyrdp.mitm.connections.tcp - New client connected from red.act.ed:30739
[2025-03-25 03:24:22,793] - INFO - Ronald686928 - pyrdp.mitm.connections.security - Client Info: username = 'administrator\x00', password = '\x00', domain = 'red.act.ed\x00', clientAddress = 'redact\x00'
[2025-03-25 03:24:22,802] - INFO - Sherry541158 - pyrdp.mitm.connections.x224 - Cookie: mstshash=red.act.ed
[2025-03-25 03:24:22,812] - INFO - Margaret917984 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert access denied')]
[2025-03-25 03:24:22,813] - INFO - Emily888085 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert access denied')]
[2025-03-25 03:24:22,822] - INFO - Sherry541158 - pyrdp.mitm.connections.tcp - Server connected
[2025-03-25 03:24:23,934] - INFO - Gail544880 - pyrdp.mitm.connections.tcp - New client connected from red.act.ed:22921
[2025-03-25 03:24:25,325] - INFO - Anibal870656 - pyrdp.mitm.connections.tcp - New client connected from red.act.ed:37349
[2025-03-25 03:24:25,326] - INFO - Gail544880 - pyrdp.mitm.connections.x224 - Cookie: mstshash=Administr
[2025-03-25 03:24:25,326] - INFO - Anibal870656 - pyrdp.mitm.connections.x224 - Cookie: mstshash=red.act.ed
[2025-03-25 03:24:25,336] - INFO - Gail544880 - pyrdp.mitm.connections.tcp - Server connected
[2025-03-25 03:24:25,336] - INFO - Anibal870656 - pyrdp.mitm.connections.tcp - Server connected
[2025-03-25 03:24:25,425] - INFO - Sherry541158 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::red.act.ed:02828c3ad49cae46:818c55a3f043cb4c46694462555708a4:010100000000000069b6010000000000000000000000000000000000020014004b0041005500460041004e00570041004c00540001001800410052004200450049005400450052002d004e004300310004001a006b0061007500660061006e00770061006c0074002e006400650003003400610072006200650069007400650072002d006e00630031002e006b0061007500660061006e00770061006c0074002e006400650005001a006b0061007500660061006e00770061006c0074002e0064006500070008002975c268359ddb0100000000
[2025-03-25 03:24:26,377] - INFO - Ronald899967 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::red.act.ed:78a4d4fe2c16e518:d187b53b230ea505a682efdadabac417:010100000000000069b6010000000000000000000000000000000000020014004b0041005500460041004e00570041004c00540001001800410052004200450049005400450052002d004e004300310004001a006b0061007500660061006e00770061006c0074002e006400650003003400610072006200650069007400650072002d006e00630031002e006b0061007500660061006e00770061006c0074002e006400650005001a006b0061007500660061006e00770061006c0074002e00640065000700080035734d69359ddb0100000000
[2025-03-25 03:24:26,488] - INFO - Sherry541158 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert access denied')]
[2025-03-25 03:24:26,498] - INFO - Gail544880 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator:::182451f1dc4554d3:e6142ff43bcf6e3234d92d07ef6ecefb:010100000000000069b6010000000000000000000000000000000000020014004b0041005500460041004e00570041004c00540001001800410052004200450049005400450052002d004e004300310004001a006b0061007500660061006e00770061006c0074002e006400650003003400610072006200650069007400650072002d006e00630031002e006b0061007500660061006e00770061006c0074002e006400650005001a006b0061007500660061006e00770061006c0074002e006400650007000800a0a06669359ddb0100000000
[2025-03-25 03:24:28,589] - INFO - Hollis201630 - pyrdp.mitm.connections.tcp - New client connected from red.act.ed:5793
[2025-03-25 03:24:28,589] - INFO - Ronald686928 - pyrdp.mitm.connections.cliprdr - Clipboard data: 'recent/pyrdp/\x00'
[2025-03-25 03:24:28,609] - INFO - Hollis201630 - pyrdp.mitm.connections.x224 - Cookie: mstshash=Administr
[2025-03-25 03:24:28,617] - INFO - Ronald899967 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert access denied')]
[2025-03-25 03:24:28,618] - INFO - Gail544880 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert access denied')]
[2025-03-25 03:24:28,630] - INFO - Hollis201630 - pyrdp.mitm.connections.tcp - Server connected
[2025-03-31 01:54:28,837] - INFO - GLOBAL - pyrdp.mitm - Target: red.act.ed:3389
[2025-03-31 01:54:28,837] - INFO - GLOBAL - pyrdp.mitm - Output directory: /home/redacted/pyrdp/pyrdp_output
[2025-03-31 01:54:30,076] - DEBUG - GLOBAL - pyrdp - Initializing ServerTLSContext - Private key: pyrdp_output/certs/red.act.ed.pem, Certificate: pyrdp_output/certs/red.act.ed.crt
[2025-03-31 01:54:30,076] - DEBUG - GLOBAL - pyrdp - Creating DefaultOpenSSLContextFactory with SSLv23_METHOD
[2025-03-31 01:54:30,076] - DEBUG - GLOBAL - pyrdp - Creating TPDUSSLContext with method: 3
[2025-03-31 01:54:30,076] - DEBUG - GLOBAL - pyrdp - Setting standard TLS options
[2025-03-31 01:54:30,076] - DEBUG - GLOBAL - pyrdp - Disabling TLS 1.3
[2025-03-31 01:54:30,076] - DEBUG - GLOBAL - pyrdp - Could not get cipher list: 'TPDUSSLContext' object has no attribute 'get_cipher_list'
[2025-03-31 01:54:30,077] - DEBUG - GLOBAL - pyrdp - ServerTLSContext created successfully
[2025-03-31 01:54:30,077] - INFO - GLOBAL - pyrdp.mitm - Target: red.act.ed:3389
[2025-03-31 01:54:30,077] - INFO - GLOBAL - pyrdp.mitm - Output directory: /home/redacted/pyrdp/pyrdp_output
[2025-03-31 01:54:30,078] - INFO - GLOBAL - pyrdp - MITM Server listening on 0.0.0.0:3389
[2025-03-31 01:54:32,979] - DEBUG - Winona413528 - pyrdp.mitm.connections - Initializing RDPMITM with config: <pyrdp.mitm.config.MITMConfig object at 0x7fe42217f250>
[2025-03-31 01:54:32,980] - DEBUG - Winona413528 - pyrdp.mitm.connections - Authentication methods allowed: 0xb
[2025-03-31 01:54:32,980] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Initializing TCPMITM - Client: TwistedTCPLayer, Attacker: TwistedTCPLayer
[2025-03-31 01:54:32,980] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Client observer created
[2025-03-31 01:54:32,980] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Attacker observer created
[2025-03-31 01:54:32,980] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Setting server in TCPMITM - Server: TwistedTCPLayer
[2025-03-31 01:54:32,980] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Server observer created
[2025-03-31 01:54:32,980] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCPMITM initialization complete
[2025-03-31 01:54:32,981] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - X224MITM initialized
[2025-03-31 01:54:32,982] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP connection established
[2025-03-31 01:54:32,982] - INFO - Winona413528 - pyrdp.mitm.connections.tcp - New client connected from red.act.ed:32626
[2025-03-31 01:54:32,982] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Client connection details - IP: red.act.ed, Port: 32626, Transport: Server
[2025-03-31 01:54:32,982] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data received - Length: 47
[2025-03-31 01:54:32,982] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data received: 0300002f2ae00000000000436f6f6b69653a206d737473686173683d41646d696e697374720d0a010008000b000000
[2025-03-31 01:54:32,982] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - X224 Connection Request received - Credit: 0, Source: 0, Destination: 0, Options: 0, Payload length: 36
[2025-03-31 01:54:32,983] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - X224 Connection Request payload: 436f6f6b69653a206d737473686173683d41646d696e697374720d0a010008000b000000
[2025-03-31 01:54:32,983] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Client IP set to: red.act.ed
[2025-03-31 01:54:32,983] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Client requested protocols: 0xb
[2025-03-31 01:54:32,983] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Client requested protocol: SSL
[2025-03-31 01:54:32,983] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Client requested protocol: CRED_SSP (NLA)
[2025-03-31 01:54:32,983] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Client requested protocol: EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:32,983] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Client negotiation flags: 0x0
[2025-03-31 01:54:32,983] - INFO - Winona413528 - pyrdp.mitm.connections.x224 - Cookie: mstshash=Administr
[2025-03-31 01:54:32,983] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Connection cookie details: Cookie: mstshash=Administr
[2025-03-31 01:54:32,983] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Sending modified X224 Connection Request to server - Chosen protocols: 0xb
[2025-03-31 01:54:32,984] - DEBUG - Winona413528 - pyrdp.mitm.connections.client.x224 - Received X224ConnectionRequestPDU{'payload': b'Cookie: mstshash=Administr\r\n\x01\x00\x08\x00\x0b\x00\x00\x00', 'header': <X224PDUType.X224_TPDU_CONNECTION_REQUEST: 14>, 'credit': 0, 'destination': 0, 'source': 0, 'options': 0}
[2025-03-31 01:54:32,984] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Connecting to server...
[2025-03-31 01:54:32,984] - DEBUG - Winona413528 - pyrdp.mitm.connections - Adding client IP red.act.ed to loggers
[2025-03-31 01:54:32,984] - DEBUG - Winona413528 - pyrdp.mitm.connections - Connecting to target server: red.act.ed:3389
[2025-03-31 01:54:32,984] - DEBUG - Winona413528 - pyrdp.mitm.connections - Using direct connection to red.act.ed:3389
[2025-03-31 01:54:32,990] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP connection established
[2025-03-31 01:54:32,990] - INFO - Winona413528 - pyrdp.mitm.connections.tcp - Server connected
[2025-03-31 01:54:32,991] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Server connection details - Transport: Client
[2025-03-31 01:54:32,991] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Server peer: IPv4Address(type='TCP', host='red.act.ed', port=3389)
[2025-03-31 01:54:32,991] - DEBUG - Winona413528 - pyrdp.mitm.connections - Connected to target server successfully
[2025-03-31 01:54:32,991] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Connected to server, sending X224 Connection Request
[2025-03-31 01:54:32,991] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Sending TCP data - Length: 47
[2025-03-31 01:54:32,991] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data sent: 0300002f2ae00000000000436f6f6b69653a206d737473686173683d41646d696e697374720d0a010008000b000000
[2025-03-31 01:54:32,991] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data sent successfully
[2025-03-31 01:54:33,000] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data received - Length: 19
[2025-03-31 01:54:33,000] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data received: 030000130ed00000123400021f080008000000
[2025-03-31 01:54:33,000] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - X224 Connection Confirm received - Credit: 0, Source: 0, Destination: 4660, Options: 0, Payload length: 8
[2025-03-31 01:54:33,000] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - X224 Connection Confirm payload: 021f080008000000
[2025-03-31 01:54:33,000] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Negotiation Response PDU received - Type: 0x2, Selected protocols: 0x8
[2025-03-31 01:54:33,000] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Server selected protocol: EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:33,000] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - Client supports TLS, establishing TLS tunnel
[2025-03-31 01:54:33,000] - DEBUG - Winona413528 - pyrdp.mitm.connections - Starting TLS negotiation
[2025-03-31 01:54:33,001] - DEBUG - Winona413528 - pyrdp.mitm.connections - Using permissive TLS options for EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:33,001] - DEBUG - Winona413528 - pyrdp.mitm.connections - Creating ClientTLSContext for server connection
[2025-03-31 01:54:33,001] - DEBUG - GLOBAL - pyrdp - Initializing ClientTLSContext
[2025-03-31 01:54:33,001] - DEBUG - Winona413528 - pyrdp.mitm.connections - Establishing TLS tunnel with server
[2025-03-31 01:54:33,001] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Starting TLS handshake with context: <pyrdp.core.ssl.ClientTLSContext object at 0x7fe42204a670>
[2025-03-31 01:54:33,001] - DEBUG - GLOBAL - pyrdp - Creating SSL context with SSLv23_METHOD (allows TLS 1.0, 1.1, 1.2)
[2025-03-31 01:54:33,001] - DEBUG - GLOBAL - pyrdp - Using permissive TLS options for EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:33,001] - DEBUG - GLOBAL - pyrdp - Disabling TLS 1.3
[2025-03-31 01:54:33,001] - DEBUG - GLOBAL - pyrdp - Could not get cipher list: 'Context' object has no attribute 'get_cipher_list'
[2025-03-31 01:54:33,001] - DEBUG - GLOBAL - pyrdp - ClientTLSContext created successfully
[2025-03-31 01:54:33,002] - DEBUG - GLOBAL - pyrdp - Creating SSL context with SSLv23_METHOD (allows TLS 1.0, 1.1, 1.2)
[2025-03-31 01:54:33,002] - DEBUG - GLOBAL - pyrdp - Using permissive TLS options for EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:33,002] - DEBUG - GLOBAL - pyrdp - Disabling TLS 1.3
[2025-03-31 01:54:33,002] - DEBUG - GLOBAL - pyrdp - Could not get cipher list: 'Context' object has no attribute 'get_cipher_list'
[2025-03-31 01:54:33,002] - DEBUG - GLOBAL - pyrdp - ClientTLSContext created successfully
[2025-03-31 01:54:33,003] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TLS handshake initiated
[2025-03-31 01:54:33,003] - DEBUG - Winona413528 - pyrdp.mitm.connections - Scheduling client TLS setup in 2 second(s)
[2025-03-31 01:54:33,003] - DEBUG - Winona413528 - pyrdp.mitm.connections.x224 - TLS state enabled
[2025-03-31 01:54:33,003] - DEBUG - Winona413528 - pyrdp.mitm.connections.server.x224 - Received X224ConnectionConfirmPDU{'payload': b'\x02\x1f\x08\x00\x08\x00\x00\x00', 'header': <X224PDUType.X224_TPDU_CONNECTION_CONFIRM: 13>, 'credit': 0, 'destination': 4660, 'source': 0, 'options': 0}
[2025-03-31 01:54:35,006] - DEBUG - Winona413528 - pyrdp.mitm.connections - Setting up TLS for client connection
[2025-03-31 01:54:35,006] - DEBUG - Winona413528 - pyrdp.mitm.connections - Server certificate received - Subject: <X509Name object '/CN=red.act.ed'>, Issuer: <X509Name object '/CN=red.act.ed'>
[2025-03-31 01:54:35,007] - DEBUG - Winona413528 - pyrdp.mitm.connections - Using permissive TLS options for EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:35,007] - DEBUG - Winona413528 - pyrdp.mitm.connections - Server selected protocols: 0x8
[2025-03-31 01:54:35,007] - DEBUG - Winona413528 - pyrdp.mitm.connections - Server selected EARLY_USER_AUTHORIZATION_RESULT, using PassthroughNLAHandler
[2025-03-31 01:54:35,007] - DEBUG - Winona413528 - pyrdp.mitm.connections.ntlmssp - NLA Handler initialized [ID: 140617800003440] - ntlmCapture: False, challenge: None, sink type: TwistedTCPLayer
[2025-03-31 01:54:35,007] - DEBUG - Winona413528 - pyrdp.mitm.connections.ntlmssp - NLA Handler initialized [ID: 140617800130624] - ntlmCapture: False, challenge: None, sink type: TwistedTCPLayer
[2025-03-31 01:54:35,008] - DEBUG - Winona413528 - pyrdp.mitm.connections - Using specified certificate: pyrdp_output/certs/red.act.ed.crt, private key: pyrdp_output/certs/red.act.ed.pem
[2025-03-31 01:54:35,008] - DEBUG - GLOBAL - pyrdp - Initializing ServerTLSContext - Private key: pyrdp_output/certs/red.act.ed.pem, Certificate: pyrdp_output/certs/red.act.ed.crt
[2025-03-31 01:54:35,008] - DEBUG - GLOBAL - pyrdp - Creating DefaultOpenSSLContextFactory with SSLv23_METHOD
[2025-03-31 01:54:35,008] - DEBUG - GLOBAL - pyrdp - Creating TPDUSSLContext with method: 3
[2025-03-31 01:54:35,008] - DEBUG - GLOBAL - pyrdp - Using permissive TLS options for EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:35,008] - DEBUG - GLOBAL - pyrdp - Disabling TLS 1.3
[2025-03-31 01:54:35,009] - DEBUG - GLOBAL - pyrdp - Could not get cipher list: 'TPDUSSLContext' object has no attribute 'get_cipher_list'
[2025-03-31 01:54:35,009] - DEBUG - GLOBAL - pyrdp - ServerTLSContext created successfully
[2025-03-31 01:54:35,009] - DEBUG - Winona413528 - pyrdp.mitm.connections - Establishing TLS tunnel with client
[2025-03-31 01:54:35,009] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Sending TCP data - Length: 19
[2025-03-31 01:54:35,009] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data sent: 030000130ed000001234000200080008000000
[2025-03-31 01:54:35,009] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data sent successfully
[2025-03-31 01:54:35,010] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Starting TLS handshake with context: <pyrdp.core.ssl.ServerTLSContext object at 0x7fe42206a130>
[2025-03-31 01:54:35,010] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TLS handshake initiated
[2025-03-31 01:54:42,392] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Logging SSL parameters as required
[2025-03-31 01:54:42,392] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Logging SSL parameters for connection
[2025-03-31 01:54:42,392] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - SSL client_random: c6c633a0ed5319381b88676ca92cd9b84263c88f930cb8d3f535df6a48ad8435
[2025-03-31 01:54:42,393] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - SSL master_key: da727a0eac9825f9a28914d4ee4170b698e469351c1fd64c3fe8d9cff3a8e428049116db358cc46105eb3a6c8bc7d79e
[2025-03-31 01:54:42,393] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - SSL parameters logged successfully
[2025-03-31 01:54:42,393] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data received - Length: 57
[2025-03-31 01:54:42,393] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data received: 3037a003020106a130302e302ca02a04284e544c4d5353500001000000b78208e2000000000000000000000000000000000a005d580000000f
[2025-03-31 01:54:42,393] - DEBUG - Winona413528 - pyrdp.mitm.connections.ntlmssp - Passthrough NLA Handler [ID: 140617800003440] forwarding message #1 - Length: 57
[2025-03-31 01:54:42,393] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Sending TCP data - Length: 57
[2025-03-31 01:54:42,394] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data sent: 3037a003020106a130302e302ca02a04284e544c4d5353500001000000b78208e2000000000000000000000000000000000a005d580000000f
[2025-03-31 01:54:42,394] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data sent successfully
[2025-03-31 01:54:42,394] - DEBUG - Winona413528 - pyrdp.mitm.connections.ntlmssp - Successfully forwarded NLA data
[2025-03-31 01:54:42,397] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Logging SSL parameters as required
[2025-03-31 01:54:42,397] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Logging SSL parameters for connection
[2025-03-31 01:54:42,397] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - SSL client_random: 63791f51e7894feebe6787782b3d5bd2b52532e7a2b1b689f3cbc369f80424b3
[2025-03-31 01:54:42,397] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - SSL master_key: f7f84c4bbc6787112980fcc7d03e04e70ad3d4a3ec0eb4b75746ef10d4133d85447cad5beebe3779e4bb4d17736aa96b
[2025-03-31 01:54:42,397] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - SSL parameters logged successfully
[2025-03-31 01:54:42,397] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data received - Length: 305
[2025-03-31 01:54:42,397] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data received (first 128 bytes): 3082012da003020106a1820124308201203082011ca0820118048201144e544c4d53535000020000001400140038000000358289e2deea152eae02df570000000000000000c800c8004c0000000a007c4f0000000f4b0041005500460041004e00570041004c005400020014004b0041005500460041004e00570041004c0054...
[2025-03-31 01:54:42,398] - DEBUG - Winona413528 - pyrdp.mitm.connections.ntlmssp - Passthrough NLA Handler [ID: 140617800130624] forwarding message #1 - Length: 305
[2025-03-31 01:54:42,398] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Sending TCP data - Length: 305
[2025-03-31 01:54:42,398] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data sent (first 128 bytes): 3082012da003020106a1820124308201203082011ca0820118048201144e544c4d53535000020000001400140038000000358289e2deea152eae02df570000000000000000c800c8004c0000000a007c4f0000000f4b0041005500460041004e00570041004c005400020014004b0041005500460041004e00570041004c0054...
[2025-03-31 01:54:42,398] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data sent successfully
[2025-03-31 01:54:42,398] - DEBUG - Winona413528 - pyrdp.mitm.connections.ntlmssp - Successfully forwarded NLA data
[2025-03-31 01:54:42,512] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data received - Length: 679
[2025-03-31 01:54:42,513] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data received (first 128 bytes): 308202a3a003020106a18202423082023e3082023aa0820236048202324e544c4d535350000300000018001800900000007a017a01a800000002000200580000001a001a005a0000001c001c00740000001000100022020000358288e20a005d580000000fec9ca60308ec2daaa987fd361ff8359d2e00410064006d0069006e...
[2025-03-31 01:54:42,513] - DEBUG - Winona413528 - pyrdp.mitm.connections.ntlmssp - Passthrough NLA Handler [ID: 140617800003440] forwarding message #2 - Length: 679
[2025-03-31 01:54:42,513] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Sending TCP data - Length: 679
[2025-03-31 01:54:42,513] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data sent (first 128 bytes): 308202a3a003020106a18202423082023e3082023aa0820236048202324e544c4d535350000300000018001800900000007a017a01a800000002000200580000001a001a005a0000001c001c00740000001000100022020000358288e20a005d580000000fec9ca60308ec2daaa987fd361ff8359d2e00410064006d0069006e...
[2025-03-31 01:54:42,514] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP data sent successfully
[2025-03-31 01:54:42,514] - DEBUG - Winona413528 - pyrdp.mitm.connections.ntlmssp - Successfully forwarded NLA data
[2025-03-31 01:54:43,521] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP connection lost - Reason: [Failure instance: Traceback: <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/asyncioreactor.py:138:_readOrWrite
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/tcp.py:248:doRead
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/tcp.py:253:_dataReceived
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/protocols/tls.py:329:dataReceived
--- <exception caught here> ---
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/protocols/tls.py:274:_flushReceiveBIO
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/SSL.py:1768:recv
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/SSL.py:1632:_raise_ssl_error
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/_util.py:57:exception_from_error_queue
]
[2025-03-31 01:54:43,521] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Server disconnection detected - Reason: [Failure instance: Traceback: <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/asyncioreactor.py:138:_readOrWrite
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/tcp.py:248:doRead
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/tcp.py:253:_dataReceived
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/protocols/tls.py:329:dataReceived
--- <exception caught here> ---
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/protocols/tls.py:274:_flushReceiveBIO
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/SSL.py:1768:recv
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/SSL.py:1632:_raise_ssl_error
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/_util.py:57:exception_from_error_queue
]
[2025-03-31 01:54:43,521] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Recording connection close
[2025-03-31 01:54:43,522] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Connection close recorded successfully
[2025-03-31 01:54:43,522] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Connection close recorded
[2025-03-31 01:54:43,522] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Recorder finalized
[2025-03-31 01:54:43,522] - INFO - Winona413528 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]
[2025-03-31 01:54:43,522] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Disconnecting client
[2025-03-31 01:54:43,522] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Aborting TCP connection
[2025-03-31 01:54:43,523] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Client disconnected successfully
[2025-03-31 01:54:43,523] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Disconnecting attacker
[2025-03-31 01:54:43,523] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Attacker disconnected successfully
[2025-03-31 01:54:43,523] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Detaching TCPMITM observers
[2025-03-31 01:54:43,523] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Client observer removed
[2025-03-31 01:54:43,523] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - Server observer removed
[2025-03-31 01:54:43,524] - DEBUG - Winona413528 - pyrdp.mitm.connections.tcp - TCP connection lost - Reason: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionLost'>: Connection to the other side was lost in a non-clean fashion: Connection lost.
]
[2025-03-31 01:54:44,570] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Initializing RDPMITM with config: <pyrdp.mitm.config.MITMConfig object at 0x7fe42217f250>
[2025-03-31 01:54:44,570] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Authentication methods allowed: 0xb
[2025-03-31 01:54:44,570] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Initializing TCPMITM - Client: TwistedTCPLayer, Attacker: TwistedTCPLayer
[2025-03-31 01:54:44,570] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Client observer created
[2025-03-31 01:54:44,571] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Attacker observer created
[2025-03-31 01:54:44,571] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Setting server in TCPMITM - Server: TwistedTCPLayer
[2025-03-31 01:54:44,571] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Server observer created
[2025-03-31 01:54:44,571] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCPMITM initialization complete
[2025-03-31 01:54:44,571] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - X224MITM initialized
[2025-03-31 01:54:44,572] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP connection established
[2025-03-31 01:54:44,572] - INFO - Fanny849068 - pyrdp.mitm.connections.tcp - New client connected from red.act.ed:44619
[2025-03-31 01:54:44,572] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Client connection details - IP: red.act.ed, Port: 44619, Transport: Server
[2025-03-31 01:54:44,572] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data received - Length: 47
[2025-03-31 01:54:44,572] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data received: 0300002f2ae00000000000436f6f6b69653a206d737473686173683d41646d696e697374720d0a010008000b000000
[2025-03-31 01:54:44,573] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - X224 Connection Request received - Credit: 0, Source: 0, Destination: 0, Options: 0, Payload length: 36
[2025-03-31 01:54:44,573] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - X224 Connection Request payload: 436f6f6b69653a206d737473686173683d41646d696e697374720d0a010008000b000000
[2025-03-31 01:54:44,573] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Client IP set to: red.act.ed
[2025-03-31 01:54:44,573] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Client requested protocols: 0xb
[2025-03-31 01:54:44,573] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Client requested protocol: SSL
[2025-03-31 01:54:44,573] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Client requested protocol: CRED_SSP (NLA)
[2025-03-31 01:54:44,573] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Client requested protocol: EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:44,573] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Client negotiation flags: 0x0
[2025-03-31 01:54:44,574] - INFO - Fanny849068 - pyrdp.mitm.connections.x224 - Cookie: mstshash=Administr
[2025-03-31 01:54:44,574] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Connection cookie details: Cookie: mstshash=Administr
[2025-03-31 01:54:44,574] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Sending modified X224 Connection Request to server - Chosen protocols: 0xb
[2025-03-31 01:54:44,574] - DEBUG - Fanny849068 - pyrdp.mitm.connections.client.x224 - Received X224ConnectionRequestPDU{'payload': b'Cookie: mstshash=Administr\r\n\x01\x00\x08\x00\x0b\x00\x00\x00', 'header': <X224PDUType.X224_TPDU_CONNECTION_REQUEST: 14>, 'credit': 0, 'destination': 0, 'source': 0, 'options': 0}
[2025-03-31 01:54:44,574] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Connecting to server...
[2025-03-31 01:54:44,574] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Adding client IP red.act.ed to loggers
[2025-03-31 01:54:44,574] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Connecting to target server: red.act.ed:3389
[2025-03-31 01:54:44,575] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Using direct connection to red.act.ed:3389
[2025-03-31 01:54:44,585] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP connection established
[2025-03-31 01:54:44,586] - INFO - Fanny849068 - pyrdp.mitm.connections.tcp - Server connected
[2025-03-31 01:54:44,586] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Server connection details - Transport: Client
[2025-03-31 01:54:44,586] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Server peer: IPv4Address(type='TCP', host='red.act.ed', port=3389)
[2025-03-31 01:54:44,586] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Connected to target server successfully
[2025-03-31 01:54:44,586] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Connected to server, sending X224 Connection Request
[2025-03-31 01:54:44,586] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Sending TCP data - Length: 47
[2025-03-31 01:54:44,586] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data sent: 0300002f2ae00000000000436f6f6b69653a206d737473686173683d41646d696e697374720d0a010008000b000000
[2025-03-31 01:54:44,587] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data sent successfully
[2025-03-31 01:54:44,594] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data received - Length: 19
[2025-03-31 01:54:44,594] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data received: 030000130ed00000123400021f080008000000
[2025-03-31 01:54:44,594] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - X224 Connection Confirm received - Credit: 0, Source: 0, Destination: 4660, Options: 0, Payload length: 8
[2025-03-31 01:54:44,594] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - X224 Connection Confirm payload: 021f080008000000
[2025-03-31 01:54:44,594] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Negotiation Response PDU received - Type: 0x2, Selected protocols: 0x8
[2025-03-31 01:54:44,594] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Server selected protocol: EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:44,595] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - Client supports TLS, establishing TLS tunnel
[2025-03-31 01:54:44,595] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Starting TLS negotiation
[2025-03-31 01:54:44,595] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Using permissive TLS options for EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:44,595] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Creating ClientTLSContext for server connection
[2025-03-31 01:54:44,595] - DEBUG - GLOBAL - pyrdp - Initializing ClientTLSContext
[2025-03-31 01:54:44,595] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Establishing TLS tunnel with server
[2025-03-31 01:54:44,595] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Starting TLS handshake with context: <pyrdp.core.ssl.ClientTLSContext object at 0x7fe4220080d0>
[2025-03-31 01:54:44,595] - DEBUG - GLOBAL - pyrdp - Creating SSL context with SSLv23_METHOD (allows TLS 1.0, 1.1, 1.2)
[2025-03-31 01:54:44,596] - DEBUG - GLOBAL - pyrdp - Using permissive TLS options for EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:44,596] - DEBUG - GLOBAL - pyrdp - Disabling TLS 1.3
[2025-03-31 01:54:44,596] - DEBUG - GLOBAL - pyrdp - Could not get cipher list: 'Context' object has no attribute 'get_cipher_list'
[2025-03-31 01:54:44,596] - DEBUG - GLOBAL - pyrdp - ClientTLSContext created successfully
[2025-03-31 01:54:44,596] - DEBUG - GLOBAL - pyrdp - Creating SSL context with SSLv23_METHOD (allows TLS 1.0, 1.1, 1.2)
[2025-03-31 01:54:44,596] - DEBUG - GLOBAL - pyrdp - Using permissive TLS options for EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:44,596] - DEBUG - GLOBAL - pyrdp - Disabling TLS 1.3
[2025-03-31 01:54:44,596] - DEBUG - GLOBAL - pyrdp - Could not get cipher list: 'Context' object has no attribute 'get_cipher_list'
[2025-03-31 01:54:44,596] - DEBUG - GLOBAL - pyrdp - ClientTLSContext created successfully
[2025-03-31 01:54:44,597] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TLS handshake initiated
[2025-03-31 01:54:44,597] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Scheduling client TLS setup in 2 second(s)
[2025-03-31 01:54:44,597] - DEBUG - Fanny849068 - pyrdp.mitm.connections.x224 - TLS state enabled
[2025-03-31 01:54:44,598] - DEBUG - Fanny849068 - pyrdp.mitm.connections.server.x224 - Received X224ConnectionConfirmPDU{'payload': b'\x02\x1f\x08\x00\x08\x00\x00\x00', 'header': <X224PDUType.X224_TPDU_CONNECTION_CONFIRM: 13>, 'credit': 0, 'destination': 4660, 'source': 0, 'options': 0}
[2025-03-31 01:54:46,600] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Setting up TLS for client connection
[2025-03-31 01:54:46,600] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Server certificate received - Subject: <X509Name object '/CN=red.act.ed'>, Issuer: <X509Name object '/CN=red.act.ed'>
[2025-03-31 01:54:46,600] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Using permissive TLS options for EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:46,600] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Server selected protocols: 0x8
[2025-03-31 01:54:46,601] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Server selected EARLY_USER_AUTHORIZATION_RESULT, using PassthroughNLAHandler
[2025-03-31 01:54:46,601] - DEBUG - Fanny849068 - pyrdp.mitm.connections.ntlmssp - NLA Handler initialized [ID: 140617799730896] - ntlmCapture: False, challenge: None, sink type: TwistedTCPLayer
[2025-03-31 01:54:46,601] - DEBUG - Fanny849068 - pyrdp.mitm.connections.ntlmssp - NLA Handler initialized [ID: 140617799731280] - ntlmCapture: False, challenge: None, sink type: TwistedTCPLayer
[2025-03-31 01:54:46,601] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Using specified certificate: pyrdp_output/certs/red.act.ed.crt, private key: pyrdp_output/certs/red.act.ed.pem
[2025-03-31 01:54:46,601] - DEBUG - GLOBAL - pyrdp - Initializing ServerTLSContext - Private key: pyrdp_output/certs/red.act.ed.pem, Certificate: pyrdp_output/certs/red.act.ed.crt
[2025-03-31 01:54:46,601] - DEBUG - GLOBAL - pyrdp - Creating DefaultOpenSSLContextFactory with SSLv23_METHOD
[2025-03-31 01:54:46,601] - DEBUG - GLOBAL - pyrdp - Creating TPDUSSLContext with method: 3
[2025-03-31 01:54:46,602] - DEBUG - GLOBAL - pyrdp - Using permissive TLS options for EARLY_USER_AUTHORIZATION_RESULT
[2025-03-31 01:54:46,602] - DEBUG - GLOBAL - pyrdp - Disabling TLS 1.3
[2025-03-31 01:54:46,602] - DEBUG - GLOBAL - pyrdp - Could not get cipher list: 'TPDUSSLContext' object has no attribute 'get_cipher_list'
[2025-03-31 01:54:46,602] - DEBUG - GLOBAL - pyrdp - ServerTLSContext created successfully
[2025-03-31 01:54:46,602] - DEBUG - Fanny849068 - pyrdp.mitm.connections - Establishing TLS tunnel with client
[2025-03-31 01:54:46,602] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Sending TCP data - Length: 19
[2025-03-31 01:54:46,604] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data sent: 030000130ed000001234000200080008000000
[2025-03-31 01:54:46,604] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data sent successfully
[2025-03-31 01:54:46,604] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Starting TLS handshake with context: <pyrdp.core.ssl.ServerTLSContext object at 0x7fe4220084f0>
[2025-03-31 01:54:46,605] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TLS handshake initiated
[2025-03-31 01:54:46,954] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Logging SSL parameters as required
[2025-03-31 01:54:46,954] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Logging SSL parameters for connection
[2025-03-31 01:54:46,954] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - SSL client_random: 67e9f5e2a12f7ea6694aaea015444adca16781ef61955117573df0cdbdfb6cf9
[2025-03-31 01:54:46,954] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - SSL master_key: cebc85dd5a6637ce62b73c6c6be08143187ae36bb7fcfdd8212f852da5dc0112aa8b8872b9f814ea895761b25e059e62
[2025-03-31 01:54:46,955] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - SSL parameters logged successfully
[2025-03-31 01:54:46,955] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data received - Length: 57
[2025-03-31 01:54:46,955] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data received: 3037a003020106a130302e302ca02a04284e544c4d5353500001000000b78208e2000000000000000000000000000000000a005d580000000f
[2025-03-31 01:54:46,955] - DEBUG - Fanny849068 - pyrdp.mitm.connections.ntlmssp - Passthrough NLA Handler [ID: 140617799730896] forwarding message #1 - Length: 57
[2025-03-31 01:54:46,955] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Sending TCP data - Length: 57
[2025-03-31 01:54:46,955] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data sent: 3037a003020106a130302e302ca02a04284e544c4d5353500001000000b78208e2000000000000000000000000000000000a005d580000000f
[2025-03-31 01:54:46,956] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data sent successfully
[2025-03-31 01:54:46,956] - DEBUG - Fanny849068 - pyrdp.mitm.connections.ntlmssp - Successfully forwarded NLA data
[2025-03-31 01:54:46,959] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Logging SSL parameters as required
[2025-03-31 01:54:46,959] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Logging SSL parameters for connection
[2025-03-31 01:54:46,959] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - SSL client_random: b87202cd46dbd9081678594f569f042157f5f50a26bf2140d462e2da720f2681
[2025-03-31 01:54:46,959] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - SSL master_key: afeaaeb52d8fb1e1a841f9b4da585df86aa12a2ecc897e9232b16df568f0bd4e144f1cc342a1398a0abf9e50102b733e
[2025-03-31 01:54:46,959] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - SSL parameters logged successfully
[2025-03-31 01:54:46,960] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data received - Length: 305
[2025-03-31 01:54:46,960] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data received (first 128 bytes): 3082012da003020106a1820124308201203082011ca0820118048201144e544c4d53535000020000001400140038000000358289e22a3233c80268c7d30000000000000000c800c8004c0000000a007c4f0000000f4b0041005500460041004e00570041004c005400020014004b0041005500460041004e00570041004c0054...
[2025-03-31 01:54:46,960] - DEBUG - Fanny849068 - pyrdp.mitm.connections.ntlmssp - Passthrough NLA Handler [ID: 140617799731280] forwarding message #1 - Length: 305
[2025-03-31 01:54:46,960] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Sending TCP data - Length: 305
[2025-03-31 01:54:46,960] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data sent (first 128 bytes): 3082012da003020106a1820124308201203082011ca0820118048201144e544c4d53535000020000001400140038000000358289e22a3233c80268c7d30000000000000000c800c8004c0000000a007c4f0000000f4b0041005500460041004e00570041004c005400020014004b0041005500460041004e00570041004c0054...
[2025-03-31 01:54:46,960] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data sent successfully
[2025-03-31 01:54:46,961] - DEBUG - Fanny849068 - pyrdp.mitm.connections.ntlmssp - Successfully forwarded NLA data
[2025-03-31 01:54:47,077] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data received - Length: 679
[2025-03-31 01:54:47,077] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data received (first 128 bytes): 308202a3a003020106a18202423082023e3082023aa0820236048202324e544c4d535350000300000018001800900000007a017a01a800000002000200580000001a001a005a0000001c001c00740000001000100022020000358288e20a005d580000000f4cfd46c1a716bde2aa74c4a427395e1c2e00410064006d0069006e...
[2025-03-31 01:54:47,077] - DEBUG - Fanny849068 - pyrdp.mitm.connections.ntlmssp - Passthrough NLA Handler [ID: 140617799730896] forwarding message #2 - Length: 679
[2025-03-31 01:54:47,078] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Sending TCP data - Length: 679
[2025-03-31 01:54:47,078] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data sent (first 128 bytes): 308202a3a003020106a18202423082023e3082023aa0820236048202324e544c4d535350000300000018001800900000007a017a01a800000002000200580000001a001a005a0000001c001c00740000001000100022020000358288e20a005d580000000f4cfd46c1a716bde2aa74c4a427395e1c2e00410064006d0069006e...
[2025-03-31 01:54:47,078] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP data sent successfully
[2025-03-31 01:54:47,078] - DEBUG - Fanny849068 - pyrdp.mitm.connections.ntlmssp - Successfully forwarded NLA data
[2025-03-31 01:54:48,084] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP connection lost - Reason: [Failure instance: Traceback: <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/asyncioreactor.py:138:_readOrWrite
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/tcp.py:248:doRead
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/tcp.py:253:_dataReceived
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/protocols/tls.py:329:dataReceived
--- <exception caught here> ---
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/protocols/tls.py:274:_flushReceiveBIO
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/SSL.py:1768:recv
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/SSL.py:1632:_raise_ssl_error
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/_util.py:57:exception_from_error_queue
]
[2025-03-31 01:54:48,084] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Server disconnection detected - Reason: [Failure instance: Traceback: <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/asyncioreactor.py:138:_readOrWrite
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/tcp.py:248:doRead
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/tcp.py:253:_dataReceived
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/protocols/tls.py:329:dataReceived
--- <exception caught here> ---
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/twisted/protocols/tls.py:274:_flushReceiveBIO
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/SSL.py:1768:recv
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/SSL.py:1632:_raise_ssl_error
/home/redacted/pyrdp/venv/lib/python3.8/site-packages/OpenSSL/_util.py:57:exception_from_error_queue
]
[2025-03-31 01:54:48,085] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Recording connection close
[2025-03-31 01:54:48,085] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Connection close recorded successfully
[2025-03-31 01:54:48,085] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Connection close recorded
[2025-03-31 01:54:48,085] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Recorder finalized
[2025-03-31 01:54:48,085] - INFO - Fanny849068 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]
[2025-03-31 01:54:48,085] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Disconnecting client
[2025-03-31 01:54:48,085] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Aborting TCP connection
[2025-03-31 01:54:48,086] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Client disconnected successfully
[2025-03-31 01:54:48,086] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Disconnecting attacker
[2025-03-31 01:54:48,086] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Attacker disconnected successfully
[2025-03-31 01:54:48,086] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Detaching TCPMITM observers
[2025-03-31 01:54:48,086] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Client observer removed
[2025-03-31 01:54:48,086] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - Server observer removed
[2025-03-31 01:54:48,087] - DEBUG - Fanny849068 - pyrdp.mitm.connections.tcp - TCP connection lost - Reason: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionLost'>: Connection to the other side was lost in a non-clean fashion: Connection lost.
]
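To make the negotiation in the debug log above readable without hand-decoding hex, here is a small decoder. It is an added example, not PyRDP's own code and not part of the issue author's patch; the sample inputs are the hex strings copied from the log lines above (the two long TSRequests stop at 128 bytes exactly where the log cuts them, so anything beyond that is reported from DER lengths only, never guessed). Field layouts follow MS-RDPBCGR (X.224 negotiation), MS-CSSP (TSRequest) and MS-NLMP (NTLM messages); the value 0x8 that the patched log labels EARLY_USER_AUTHORIZATION_RESULT is what MS-RDPBCGR calls PROTOCOL_HYBRID_EX, meaning CredSSP followed by the Early User Authorization Result PDU.

```python
"""Decode the RDP negotiation and CredSSP/NTLM bytes from the PyRDP debug log above (added example)."""
import struct

# requestedProtocols / selectedProtocol bits (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1); mask 0 = PROTOCOL_RDP
PROTOCOLS = {0x1: "SSL", 0x2: "HYBRID", 0x4: "RDSTLS", 0x8: "HYBRID_EX", 0x10: "RDSAAD"}
RSP_FLAGS = {0x1: "EXTENDED_CLIENT_DATA_SUPPORTED", 0x2: "DYNVC_GFX_PROTOCOL_SUPPORTED", 0x4: "NEGRSP_FLAG_RESERVED",
             0x8: "RESTRICTED_ADMIN_MODE_SUPPORTED", 0x10: "REDIRECTED_AUTHENTICATION_MODE_SUPPORTED"}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

SAMPLES = {  # hex copied from the log lines above; ts2 and ts3 stop at 128 bytes, where the log cuts them
    "client_cr": "0300002f2ae00000000000436f6f6b69653a206d737473686173683d41646d696e697374720d0a010008000b000000",
    "server_cc": "030000130ed00000123400021f080008000000",
    "mitm_cc_to_client": "030000130ed000001234000200080008000000",
    "ts1": "3037a003020106a130302e302ca02a04284e544c4d5353500001000000b78208e2000000000000000000000000000000000a005d580000000f",
    "ts2": "3082012da003020106a1820124308201203082011ca0820118048201144e544c4d53535000020000001400140038000000358289e22a3233c80268c7d30000000000000000c800c8004c0000000a007c4f0000000f4b0041005500460041004e00570041004c005400020014004b0041005500460041004e00570041004c0054",
    "ts3": "308202a3a003020106a18202423082023e3082023aa0820236048202324e544c4d535350000300000018001800900000007a017a01a800000002000200580000001a001a005a0000001c001c00740000001000100022020000358288e20a005d580000000f4cfd46c1a716bde2aa74c4a427395e1c2e00410064006d0069006e",
}

def bits(mask, names): return [n for b, n in names.items() if mask & b]

def parse_x224_negotiation(tpkt_hex):
    """TPKT + X.224 CR/CC carrying RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE."""
    data = bytes.fromhex(tpkt_hex)
    version, _, length = struct.unpack(">BBH", data[:4])
    assert version == 3 and length == len(data) == 5 + data[4], "inconsistent TPKT / X.224 lengths"
    pdu = {0xE: "CR", 0xD: "CC"}.get(data[5] >> 4, hex(data[5]))
    body, cookie = data[11:], None                 # skip LI, code, DST-REF, SRC-REF, class
    if body.startswith(b"Cookie: mstshash="):
        raw, body = body.split(b"\r\n", 1)
        cookie = raw[len(b"Cookie: mstshash="):].decode("ascii")
    neg_type, flags, _, value = struct.unpack("<BBHI", body[:8])
    kind = {0x1: "NEG_REQ", 0x2: "NEG_RSP", 0x3: "NEG_FAILURE"}[neg_type]
    return {"pdu": pdu, "cookie": cookie, "kind": kind,
            "flags": bits(flags, RSP_FLAGS) if kind == "NEG_RSP" else flags,   # request flags kept raw
            "protocols": None if kind == "NEG_FAILURE" else bits(value, PROTOCOLS),
            "failure_code": value if kind == "NEG_FAILURE" else None}

def der_tlv(data, pos):
    """(tag, content offset, declared content length) of the TLV at pos; the content may exceed the dump."""
    tag, first = data[pos], data[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F         # long-form length: n following bytes
    length = first if n == 0 else int.from_bytes(data[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, length

def parse_tsrequest(hex_dump):
    """CredSSP TSRequest (MS-CSSP 2.2.1): [0] version, [1] negoTokens, optional [2]..[5] after them.
    extra_field_bytes ends as the size of fields after the last one the dump shows; non-zero on a
    truncated dump means authInfo/pubKeyAuth/errorCode/clientNonce follow, without saying which."""
    data = bytes.fromhex(hex_dump)
    tag, pos, total = der_tlv(data, 0)
    assert tag == 0x30, "TSRequest must be a SEQUENCE"
    end = pos + total
    out = {"version": None, "fields": [], "ntlm": None, "truncated": len(data) < end, "extra_field_bytes": total}
    while pos < min(end, len(data)):
        tag, cstart, clen = der_tlv(data, pos)
        out["fields"].append(field := tag & 0x1F)   # context-specific tag number
        if field == 0:
            _, vp, vl = der_tlv(data, cstart)       # INTEGER
            out["version"] = int.from_bytes(data[vp:vp + vl], "big")
        elif field == 1:                            # NegoData: SEQUENCE OF SEQUENCE { [0] OCTET STRING }
            p = cstart
            for _ in range(3):
                _, p, _ = der_tlv(data, p)
            _, p, tlen = der_tlv(data, p)
            out["ntlm"] = parse_ntlm(data[p:p + tlen])
        out["extra_field_bytes"] -= (cstart - pos) + clen
        pos = cstart + clen
    return out

def _field(token, flags, length, offset):
    """A [Len, MaxLen, Offset] string payload, or None if the dump stops before it ends."""
    if offset + length <= len(token):
        return token[offset:offset + length].decode("utf-16-le" if flags & 0x1 else "latin-1")

def parse_ntlm(token):
    """NTLM CHALLENGE / AUTHENTICATE headers (MS-NLMP 2.2.1.2, 2.2.1.3) from a possibly cut-off token."""
    assert token[:8] == b"NTLMSSP\x00", "not an NTLMSSP token"
    msg_type = struct.unpack_from("<I", token, 8)[0]
    info = {"type": NTLM_TYPES.get(msg_type, msg_type)}
    if msg_type == 2:
        tn_len, _, tn_off = struct.unpack_from("<HHI", token, 12)
        info["flags"] = struct.unpack_from("<I", token, 20)[0]
        info["server_challenge"] = token[24:32].hex()
        info["version"] = struct.unpack_from("<BBH", token, 48)    # (major, minor, build)
        info["target_name"] = _field(token, info["flags"], tn_len, tn_off)
    elif msg_type == 3:
        info["flags"] = struct.unpack_from("<I", token, 60)[0]
        info["version"] = struct.unpack_from("<BBH", token, 64)
        for i, name in enumerate(("domain", "user", "workstation")):
            f_len, _, f_off = struct.unpack_from("<HHI", token, 28 + 8 * i)
            info[name] = _field(token, info["flags"], f_len, f_off)
    return info

def decode_samples():
    return {k: (parse_tsrequest if k.startswith("ts") else parse_x224_negotiation)(v)
            for k, v in SAMPLES.items()}

if __name__ == "__main__":
    print(decode_samples())
```

Run as a script it prints the decoded dictionaries. On these samples it shows: the client offered SSL, HYBRID and HYBRID_EX with flags 0; the server answered HYBRID_EX only with response flags 0x1f (including RESTRICTED_ADMIN_MODE_SUPPORTED and REDIRECTED_AUTHENTICATION_MODE_SUPPORTED), while the confirm that PyRDP forwarded to the client carries the same HYBRID_EX selection but a zeroed flags byte; the three TSRequests are CredSSP version 6 carrying NTLM NEGOTIATE, CHALLENGE (server version 10.0 build 20348, the Windows Server 2022 build) and AUTHENTICATE (domain ".", user cut off by the 128-byte truncation); and the AUTHENTICATE TSRequest has 88 bytes of fields after negoTokens, which the truncated dump cannot identify, immediately after which the server closed the TLS session. Checking the truncation flag before drawing conclusions from a dump is the point: the log's "(first 128 bytes)" lines can tell you what was negotiated, not what was in the tail of the message.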