Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple errors when using rdpy-rdphoneypot.py #100

Open
bontchev opened this issue Oct 25, 2019 · 7 comments
Open

Multiple errors when using rdpy-rdphoneypot.py #100

bontchev opened this issue Oct 25, 2019 · 7 comments

Comments

@bontchev
Copy link

I tried setting up an RDP honeypot using rdpy-rdphoneypot.py but it was an utter failure because rdpy-rdphoneypot.py is broken in multiple ways, essentially making it unusable.

  1. When connecting to the honeypot manually with a Windows 7 RDP client, it sort of works, in the sense that I am shown the recorded session. However, I am never asked for a password and no password is recorded in the log. Somebody has asked how to fix this problem in issue How does rdpy-rdphoneypot make a client prompt for a username or password #93 but never got a reply.

  2. When actual attackers connect to the honeypot, it seems that the RDP protocol is not quite compatible with theirs. As a result, the honeypot logs only the connection but no username, password, etc.:

[*] INFO:	Connection from 185.156.177.153:53555
[*] INFO:	Connection from 185.156.177.153:56984
[*] INFO:	Connection from 14.23.163.250:53077
[*] INFO:	Connection from 185.156.177.176:4584
[*] INFO:	Connection from 185.156.177.176:4585
  1. Occasionally the honeypot crashes with the following error:
[*] ERROR:	Error during read <class 'rdpy.protocol.rdp.x224.X224DataHeader'>::messageType
Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/home/bontchev/rdphoneypot/rdpy/core/layer.py", line 209, in dataReceived
    self.recv(expectedData)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/tpkt.py", line 195, in readData
    self._presentation.recv(data)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/x224.py", line 147, in recvData
    data.readType(header)
  File "/home/bontchev/rdphoneypot/rdpy/core/type.py", line 897, in readType
    value.read(self)
  File "/home/bontchev/rdphoneypot/rdpy/core/type.py", line 97, in read
    self.__read__(s)
  File "/home/bontchev/rdphoneypot/rdpy/core/type.py", line 477, in __read__
    raise e
rdpy.core.error.InvalidExpectedDataException: <class 'rdpy.core.type.UInt8'> const value expected 240 != 128

Issue #25 suggests that this happens when the attacking tool Hydra is used because of some kind of protocol incompatibility. Any chance of this problem being solved?

  1. Occasionally the honeypot crashes with the following error:
Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/home/bontchev/rdphoneypot/rdpy/core/layer.py", line 209, in dataReceived
    self.recv(expectedData)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/tpkt.py", line 186, in readFastPath
    self._fastPathListener.recvFastPath(self._secFlag, data)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/sec.py", line 510, in recvFastPath
    self._fastPathPresentation.recvFastPath(secFlag, fastPathS)
exceptions.TypeError: recvFastPath() takes exactly 2 arguments (3 given)

Somebody has asked what it means in issue #66 but never got a reply.

  1. Occasionally the honeypot crashes with the following error:
Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/home/bontchev/rdphoneypot/rdpy/core/layer.py", line 209, in dataReceived
    self.recv(expectedData)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/tpkt.py", line 195, in readData
    self._presentation.recv(data)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/x224.py", line 148, in recvData
    self._presentation.recv(data)
  File "/home/bontchev/rdphoneypot/rdpy/protocol/rdp/t125/mcs.py", line 542, in recvErectDomainRequest
    raise InvalidExpectedDataException("Invalid MCS PDU : ERECT_DOMAIN_REQUEST expected")
rdpy.core.error.InvalidExpectedDataException: Invalid MCS PDU : ERECT_DOMAIN_REQUEST expected

I have no idea what that means but it's probably again some kind of protocol incompatibility with some attacking tool.

Is there any chance of these problems ever getting fixed or should I give up on the idea of using this tool as an RDP honeypot?
@chapinb
Copy link

chapinb commented Nov 20, 2019

I am also getting the error reported as item 5:

INFO:   Connection from <ip>:1885
Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/layer.py", line 209, in dataReceived
    self.recv(expectedData)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/tpkt.py", line 195, in readData
    self._presentation.recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/x224.py", line 148, in recvData
    self._presentation.recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/t125/mcs.py", line 542, in recvErectDomainRequest
    raise InvalidExpectedDataException("Invalid MCS PDU : ERECT_DOMAIN_REQUEST expected")
rdpy.core.error.InvalidExpectedDataException: Invalid MCS PDU : ERECT_DOMAIN_REQUEST expected

I understand that some malformed traffic will be sent as a byproduct of port scanning/etc. but wanted to echo that this is in multiple environments. If anticipated, can we have a try/except that catches and prints that it is malformed (with detail?)

@hackdefendr
Copy link

Downgrade Twisted to 19.2.1, I was seeing these errors only in newer versions. Seems they changed something in newer versions and @citronneur does not appear to be active so upgrading probably won't be happening.

@citronneur
Copy link
Owner

OK i will check soon. I'm working on the python 3 version.

@bontchev
Copy link
Author

Oh, man, nice to hear back from you!

I've started making an RDP honeypot of my own, based on this library. I'd like it to be able to run in Python3 too, so I and another guy have started porting the library. Man what a pain in the butt... We're nowhere near ready yet, but if you would like to take a look (maybe it would save you some time?), give me some e-mail address (could be a throw-away one) to which to send the invite. The repo is on GitLab and it isn't public yet.

@lwtsao
Copy link

lwtsao commented Nov 5, 2020
edited
Loading

Hi,

I also get the same error when scanning RDPY honeypot with nmap script.

The nmap command:
nmap -sC rdp-enum-encryption.nse 127.0.0.1

The error message :

Unhandled Error
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
return func(*args,**kw)
--- ---
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 597, in _doReadOrWrite
why = selectable.doRead()
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 208, in doRead
return self._dataReceived(data)
File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 214, in _dataReceived
rval = self.protocol.dataReceived(data)
File "/usr/local/lib/python2.7/dist-packages/rdpy/core/layer.py", line 209, in dataReceived
self.recv(expectedData)
File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/tpkt.py", line 186, in readFastPath
self._fastPathListener.recvFastPath(self._secFlag, data)
File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/sec.py", line 510, in recvFastPath
self._fastPathPresentation.recvFastPath(secFlag, fastPathS)
exceptions.TypeError: recvFastPath() takes exactly 2 arguments (3 given)

I've tried to downgrade twisted to 19.2.1 , which @hackdefendr advised before. But it didn't works either.
I know you are working on Python 3 version, so I just wonder if you have time to fix this.

@d0nEgg1
Copy link

d0nEgg1 commented Oct 5, 2021

@citronneur are there any news regarding a "new" python 3 version?
I stumbled upon this project in search for a RDP honeypot for a school project, however I get the same error as some guys in here as soon as I start a RDP session to the honeypot.

[*] ERROR:      Error during read <class 'rdpy.core.rss.UpdateEvent'>::data
[*] ERROR:      Error during read <class 'rdpy.core.rss.Event'>::event
Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/layer.py", line 209, in dataReceived
    self.recv(expectedData)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/tpkt.py", line 195, in readData
    self._presentation.recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/x224.py", line 148, in recvData
    self._presentation.recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/t125/mcs.py", line 243, in recvData
    self._channels[channelId].recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/layer.py", line 102, in <lambda>
    callback = lambda x:self.__class__.recv(self, x)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/sec.py", line 470, in recv
    self._presentation.recv(data)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/pdu/layer.py", line 504, in recvClientFontListPDU
    self._listener.onReady()
  File "/usr/local/lib/python2.7/dist-packages/rdpy/protocol/rdp/rdp.py", line 480, in onReady
    observer.onReady()
  File "/usr/local/bin/rdpy-rdphoneypot.py", line 68, in onReady
    self.start()
  File "/usr/local/bin/rdpy-rdphoneypot.py", line 83, in start
    self.loopScenario(self._rssFile.nextEvent())
  File "/usr/local/bin/rdpy-rdphoneypot.py", line 106, in loopScenario
    e = self._rssFile.nextEvent()
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/rss.py", line 282, in nextEvent
    self._s.readType(e)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/type.py", line 897, in readType
    value.read(self)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/type.py", line 97, in read
    self.__read__(s)
  File "/usr/local/lib/python2.7/dist-packages/rdpy/core/type.py", line 477, in __read__
    raise e
rdpy.core.error.InvalidSize: Impossible to read type <class 'rdpy.core.rss.UpdateEvent'> : read length is too small

@ehmueller
Copy link

Hello, I am having same issue. Any news on a fix or python 3 port?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@bontchev @ehmueller @hackdefendr @citronneur @d0nEgg1 @chapinb @lwtsao