init

.gitignore

@@ -1,3 +1,4 @@
+.idea
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]

rdp.tac

@@ -0,0 +1,99 @@
+#!/usr/bin/env python
+
+import struct
+import thread
+import sys
+from twisted.internet.protocol import Protocol, Factory
+from twisted.application import internet, service
+from twisted.python import log
+from whiteface import observable
+from datetime import datetime
+import os
+
+LOG_FORMAT = '%(asctime)s - %(levelname)s - %(name)s[%(lineno)s] - %(message)s'
+
+import logging
+logger = logging.getLogger()
+handle = logging.StreamHandler()
+handle.setLevel(logging.DEBUG)
+fmt = logging.Formatter(LOG_FORMAT)
+handle.setFormatter(fmt)
+logger.addHandler(handle)
+logger.setLevel('INFO')
+
+if os.name == 'posix' and os.getuid() == 0:
+    print 'ERROR: You must not run kippo as root!'
+    sys.exit(1)
+
+# you MUST change these...
+interface = '0.0.0.0'
+USER = 'wes'
+FEED = 'scanners'
+TOKEN = '370cc52d744fbc2816da82f8af4b0230'
+
+lastTS = ''
+contexts = {}
+
+
+def log_it(peer):
+    whiteface_log(peer)
+
+
+def whiteface_log(peer):
+    today = str(datetime.now().date())
+    for c in contexts:
+        if c != today:
+            del contexts[c]
+
+    if not contexts.get(today):
+        contexts[today] = {}
+
+    if not contexts[today].get(peer.host):
+        contexts[today][peer.host] = []
+
+        log.msg('logging to whiteface...')
+        ret = observable.Observable(user=USER, feed=FEED, token=TOKEN, thing=peer.host,
+                                            portlist=3389, protocol='tcp', tags='scanner,rdp').new()
+
+        log.msg('logged to whiteface %s ' % ret['observable']['location'])
+
+
+class TerminalServices(Protocol):
+    def dataReceived(self, data):
+        global lastTS
+        global gi
+        global contexts
+        tpkt_data = data[:4]
+        x224_data = data[4:]
+        v, junk, total_len = struct.unpack('!BBH', tpkt_data)
+        log.msg("TPKT (v.%d and length %d) on port %d from: %s (%d/TCP):" % (
+        v, total_len, self.transport.getHost().port, self.transport.getPeer().host, self.transport.getPeer().port))
+        if (len(data) == total_len):
+            l, c = struct.unpack('BB', x224_data[:2])
+            if c == 0xe0:
+                x224 = struct.unpack('!HHBH', x224_data[2:9])
+                log.msg("\tX224 Connection Request. Responding...")
+                self.transport.write(struct.pack('!BBHBBHHB', v, 0, 11, 6, 0xd0, x224[1], 0x1234, x224[2]))
+                logger.info("\tLogin: %s" % x224_data[6:])
+                if (lastTS != self.transport.getPeer().host):
+                    lastTS = self.transport.getPeer().host
+                    thread.start_new_thread(log_it, (self.transport.getPeer().host))
+            else:
+                log.msg("\tX224 Unrecognized code:")
+                self.transport.loseConnection()
+                if (lastTS != self.transport.getPeer().host):
+                    lastTS = self.transport.getPeer().host
+                    thread.start_new_thread(log_it, (self.transport.getPeer().host))
+        else:
+            log.msg("Data inconsistent... dropping connection.")
+            self.transport.loseConnection()
+            if (lastTS != self.transport.getPeer().host):
+                lastTS = self.transport.getPeer().host
+                thread.start_new_thread(log_it, (self.transport.getPeer(),))
+
+fTS = Factory()
+fTS.protocol = TerminalServices
+
+application = service.Application('wf-rdp')
+service = internet.TCPServer(int(3389), fTS, interface=interface)
+service.setServiceParent(application)

start.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+cd $(dirname $0)
+
+if [ "$1" != "" ]
+then
+    VENV="$1"
+
+    if [ ! -d "$VENV" ]
+    then
+        echo "The specified virtualenv \"$VENV\" was not found!"
+        exit 1
+    fi
+
+    if [ ! -f "$VENV/bin/activate" ]
+    then
+        echo "The specified virtualenv \"$VENV\" was not found!"
+        exit 2
+    fi
+
+    echo "Activating virtualenv \"$VENV\""
+    . $VENV/bin/activate
+fi
+
+twistd --version
+
+echo "Starting wf-rdp in the background..."
+twistd -y rdp.tac -l rdp.log --pidfile rdp.pid

stop.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+PIDFILE=rdp.pid
+
+cd $(dirname $0)
+
+PID=$(cat $PIDFILE 2>/dev/null)
+
+if [ -n "$PID" ]; then
+  echo "Stopping wf-rdp...\n"
+  kill -TERM $PID
+fi