
added New module rdpcache.py #1075

Open

durck wants to merge 1 commit into Pennyw0rth:main from durck:main

Conversation

@durck

@durck durck commented Jan 19, 2026

Description

This PR adds a new module rdpcache for extracting and analyzing RDP Bitmap Cache files from remote Windows machines.

What it does:

  • Enumerates RDP settings from registry (client/server configuration, NLA, port)
  • Extracts RDP connection history (MRU servers) from all user profiles
  • Downloads and parses RDP Bitmap Cache files (Cache*.bin, bcache*.bmc)
  • Extracts 64x64 pixel tiles and creates collage images for quick analysis

Use case: Digital forensics and authorized penetration testing - RDP cache contains screen fragments that can reveal user activity, file names, command outputs, and other sensitive information.

Related: No existing issue, this is a new feature.

Dependencies: pillow (PIL) - optional, required only for image extraction

Type of Change

  • New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Environment:

  • Python 3.13
  • Kali Linux latest
  • NetExec latest

Test targets:

  • Windows 11 workstation

Steps:

```shell
# Enumerate RDP settings and cache files
nxc smb 192.168.234.1 -u admin -p 'Password1234!' -M rdpcache

# Extract cache and create collage
nxc smb 192.168.234.1 -u admin -p 'Password1234!' -M rdpcache -o ACTION=dump
```

## Screenshots (if appropriate):
Enumeration (ACTION=enum)

![enum](https://github.com/user-attachments/assets/d1eb8a9a-94d4-4d99-8470-b238069ea1bc)

Extraction (ACTION=dump)

![dump](https://github.com/user-attachments/assets/f37a9a3f-8425-449f-9be1-8d6f71507c3f)

Output

![image](https://github.com/user-attachments/assets/552c1b71-4084-419d-b950-84b435d52e7d)

## Checklist:
Insert an "x" inside the brackets for completed and relevant items (do not delete options)

- [x] I have run Ruff against my changes (via poetry: `poetry run python -m ruff check . --preview`, use `--fix` to automatically fix what it can)
- [ ] I have added or updated the `tests/e2e_commands.txt` file if necessary (new modules or features are _required_ to be added to the e2e tests)
- [ ] New and existing e2e tests pass locally with my changes
- [ ] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
- [x] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

@durck
Author

durck commented Jan 19, 2026

What is this?

RDP Bitmap Cache contains 64x64 pixel tiles — screen fragments that are cached by the RDP client to optimize data transfer. These files may contain:

  • Fragments of the desktop and applications
  • File names, icons, UI elements
  • Command-line content
  • Evidence of user activity

Cache file location on Windows:

`C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\`

Installation

Dependencies

```shell
pip install pillow
```

Installing the NetExec module

Copy rdpcache.py into the NetExec modules directory:

```shell
# Linux
cp rdpcache.py ~/.nxc/modules/

# Or locate the modules directory
nxc --help  # check the config path
```

Usage

NetExec module

```shell
# Basic usage
nxc smb <target> -u <user> -p <password> -M rdpcache

# With options
nxc smb 192.168.1.100 -u admin -p 'P@ssw0rd' -M rdpcache -o OUTPUT=/tmp/rdp_output

# Specify specific users
nxc smb 192.168.1.100 -u admin -p 'P@ssw0rd' -M rdpcache -o USERS=john,admin

# Without creating a collage
nxc smb 192.168.1.100 -u admin -p 'P@ssw0rd' -M rdpcache -o COLLAGE=False

# Multiple targets
nxc smb targets.txt -u admin -p 'P@ssw0rd' -M rdpcache
```

Module parameters:

| Parameter | Description | Default |
|---|---|---|
| ACTION | Action: `enum` or `dump` | `enum` |
| OUTPUT | Output directory | `./rdpcache_output` |
| USERS | User list (comma-separated) or `all` | `all` |
| COLLAGE | Create a collage | `True` |
| COLLAGE_WIDTH | Tiles per collage row | `24` |
| SMART | Sort by brightness (True/False) | `False` |

Standalone parser

```shell
# Parse a single file
python rdpcache.py Cache0001.bin -o ./output

# With brightness sorting
python rdpcache.py Cache0001.bin --smart

# With custom collage width
python rdpcache.py Cache0001.bin --cols 30

# Tiles only, no collage
python rdpcache.py Cache0001.bin --no-collage
```

Parameters:

| Parameter | Description |
|---|---|
| `-o`, `--output` | Output directory (default: `./rdpcache_extracted`) |
| `--smart` | Sort tiles by brightness |
| `--cols` | Tiles per collage row (default: 24) |
| `--no-collage` | Do not create a collage; extract tiles only |

Output structure

```text
rdpcache_output/
├── hostname_192.168.1.100/
│   ├── john/
│   │   ├── raw/                    # Original cache files
│   │   │   ├── Cache0001.bin
│   │   │   └── Cache0002.bin
│   │   ├── tiles/                  # Extracted tiles
│   │   │   ├── Cache0001_00001.bmp
│   │   │   ├── Cache0001_00002.bmp
│   │   │   └── ...
│   │   └── collage_john.png        # Collage
│   └── admin/
│       └── ...
```

Supported formats

| Format | Windows version | Description |
|---|---|---|
| `Cache*.bin` | Windows 7+ | RDP8bmp format, 64x64 @ 32bpp |
| `bcache24.bmc` | Windows XP | 32-bit color |
| `bcache22.bmc` | Windows XP | 16-bit color |
| `bcache2.bmc` | Windows XP | 8-bit (256 colors) |

Collage

The collage combines all extracted tiles into a single image for quick review.

Brightness sorting (Smart Collage)

The --smart option sorts tiles from dark to light, which helps visually group similar areas of the screen.

Security and legality

⚠️ This tool is intended for:

  • Authorized penetration testing
  • Forensics and incident response
  • CTF competitions
  • Educational purposes

Using it without authorization is illegal.

Links
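A minimal stdlib-only parser for the `Cache*.bin` format described in the post above, added here as an illustration; it is not the PR's `rdpcache.py` and not NetExec code. It assumes the RDP8bmp layout as publicly documented by ANSSI's bmc-tools (8-byte magic plus a 4-byte version, then per-tile 12-byte headers of key1/key2/width/height followed by width*height*4 BGRA bytes), assumes bottom-up row order when writing BMP tiles, and builds a constructed sample cache rather than reading a real capture.

```python
import struct

# Assumed Cache*.bin layout (per ANSSI bmc-tools; treated as an assumption here):
# b"RDP8bmp\0" magic + u32 version, then entries of a 12-byte little-endian header
# (key1 u32, key2 u32, width u16, height u16) followed by width*height*4 BGRA bytes.
MAGIC = b"RDP8bmp\x00"
ENTRY_HDR = struct.Struct("<IIHH")

def parse_cache_bin(data):
    """Return [(key1, key2, w, h, pixels)]; stops cleanly at a truncated entry."""
    if data[:8] != MAGIC:
        raise ValueError("not an RDP8bmp cache file")
    pos, tiles = 12, []
    while pos + ENTRY_HDR.size <= len(data):
        key1, key2, w, h = ENTRY_HDR.unpack_from(data, pos)
        pos += ENTRY_HDR.size
        size = w * h * 4
        if w == 0 or h == 0 or pos + size > len(data):
            break  # zero-size or truncated entry: do not trust anything after it
        tiles.append((key1, key2, w, h, data[pos:pos + size]))
        pos += size
    return tiles

def tile_brightness(pixels):
    """Mean Rec.601 luma (0..255) of BGRA pixels: the key for the dark-to-light sort."""
    luma = sum((299 * pixels[i + 2] + 587 * pixels[i + 1] + 114 * pixels[i]) // 1000
               for i in range(0, len(pixels), 4))
    return luma / (len(pixels) // 4)

def smart_order(tiles):
    """The SMART / --smart ordering: darkest tiles first so similar screen areas cluster."""
    return sorted(tiles, key=lambda t: tile_brightness(t[4]))

def tile_to_bmp(w, h, pixels):
    """Wrap raw BGRA rows in a 32bpp BMP without Pillow. Assumes rows are stored
    bottom-up like BMP itself; if tiles come out mirrored, pass -h for top-down."""
    info = struct.pack("<IiiHHIIiiII", 40, w, h, 1, 32, 0, len(pixels), 2835, 2835, 0, 0)
    return struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54) + info + pixels

def sample_cache():
    """Constructed input (not a real capture): three flat grey 64x64 tiles."""
    body = b""
    for key, grey in ((1, 200), (2, 10), (3, 90)):
        body += ENTRY_HDR.pack(key, 0xABCD, 64, 64) + bytes([grey, grey, grey, 255]) * 4096
    return MAGIC + struct.pack("<I", 2) + body
```

Feeding a file truncated mid-tile returns only the complete tiles instead of raising, which is the behaviour wanted when a cache was still being written at collection time.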

@NeffIsBack
Member

NeffIsBack commented Jan 23, 2026

Thanks for the PR.

While the core of the idea is cool, it looks like a large amount has been AI-generated, especially considering the previous PR: #1074. While this is not necessarily bad, AI produces a ton of bloat, so there is still quite a lot to do in this PR to get it ready for merging.

Please:

  • Remove the standalone execution part. This should be a module not a standalone script
  • Comment the code a little bit. There are large areas where decisions are made depending on seemingly random hex vars. Please add comments so this is better understandable without digging into the documentation
  • Replace command execution that queries registry keys with the winreg api of impacket
