AARDWOLF - Asynchronous RDP/VNC client in Python (headless)
This project is aimed to play around the RDP and VNC protocols.
Project contains no GUI, for a GUI client please check out aardwolfgui
🚩 Sponsors
If you want to sponsors this project and have the latest updates on this project, latest issues fixed, latest features, please support us on https://porchetta.industries/
Official Discord Channel
Come hang out on Discord!
Important
This is a headless client, for GUI functionality use the aardwolfgui
package.
Features
- Supports credssp auth via NTLM/Kerberos.
- Built-in proxy client allows SOCKS/HTTP proxy tunneling without 3rd part software
- PtH via CredSSP+Restricted admin mode
- Scriptable Keyboard, Mouse input and Clipboard input/output
- Can run in headless mode, no GUI required (read: no need for Qt)
- Support for Duckyscript files to emulate keystrokes
Example scripts
aardpscreenshot
RDP ?screenshotter? scans the given target/s or network ranges for open RDP clients, tries to log in either with or without credentials and takes a screemshotaardpcapscan
RDP login capability scanner identifies the supported login protocols on a target or network ranges.aardploginscan
RDP login scanner.
URL format
As usual the scripts take the target/scredentials in URL format. Below some examples
rdp+kerberos-password://TEST\Administrator:Passw0rd!1@win2016ad.test.corp/?dc=10.10.10.2&proxytype=socks5&proxyhost=127.0.0.1&proxyport=1080
CredSSP (akaHYBRID
) auth using Kerberos auth + password viasocks5
towin2016ad.test.corp
, the domain controller (kerberos service) is at10.10.10.2
. The socks proxy is on127.0.0.1:1080
rdp+ntlm-password://TEST\Administrator:Passw0rd!1@10.10.10.103
CredSSP (akaHYBRID
) auth using NTLM auth + password connecting to RDP server10.10.10.103
rdp+ntlm-password://TEST\Administrator:<NThash>@10.10.10.103
CredSSP (akaHYBRID
) auth using Pass-the-Hash (NTLM) auth connecting to RDP server10.10.10.103
rdp+plain://Administrator:Passw0rd!1@10.10.10.103
Plain authentication (No SSL, encryption is RC4) using password connecting to RDP server10.10.10.103
vnc+plain://Passw0rd!1@10.10.10.103
VNC client with VNC authentication using password connecting to RDP server10.10.10.103
vnc+plain://Passw0rd!1@10.10.10.103
VNC client with VNC authentication using password connecting to RDP server10.10.10.103
vnc+plain://:admin:aaa@10.10.10.103
VNC client with VNC authentication using passwordadmin:aa
connecting to RDP server10.10.10.103
. Note that if the password contains:
char you will have to prepend the password with:
Kudos
- Sylvain Peyrefitte (@citronneur)
rdpy
. The decompression code and the QT image magic was really valuable. - Marc-André Moreau (@awakecoding) for providing suggestions on fixes