Seth: RDP MiTM Attack Tool

Last Commit: 11/12/2021

Seth: RDP MiTM Attack Tool


Set, a MiTM attack tool written in Python with ability to extract clear text credentials from RDP connections, was developed by Adrian Vollmer, a member of the SySS Research Team. The tool was designed for the sole purpose of educating IT managers and other IT personnel about the potentials risks that self-signed certificates can impose on a security system. Seth is an open source software that is written in both Python and Bash.

RDP [Remote Desktop Protocol]

Secure Network Comunication protocol used for remote management of Windows machines / virtual machines / RDP terminal server, etc. It’s usually very useful to network and system admins.

This MiTM attack tool uses its downgrade feature to make RDP (Remote Desktop Protocol) less effective, and this gives it the ability to eavesdrop on its victims and steal credentials in the form of cleartext. It can also intercept the client from connecting to a domain controller.

Disclaimer: This tool was designed for the sole purpose of educating. Attempts to use without permission may potentially put you at risk.

Seth: Advanced RDP MiTM Downgrade Attack

It uses the downgrade technique to alter the functions of RDP, a protocol that is used to control Windows machines remotely. Any Microsoft Remote Desktop that is not properly secured can easily fall victim Seth’s MiTM attack.

  • Seth can initiate MiTM attack by either ARP poisoning (Address Resolution Protocol) or it can also redirect the network traffic to Python Security. This tool also has the ability to grant the hacker access to the victim’s keyboard events, but this can only be achieved if the victim used an RDP session.
  • It’s more effective if the one is familiar with the security protocols of the RDP being attacked, this may involve identification of a set of IP addresses through which commands can be executed.
  • Apart from the downgrade technique, Seth also has another trick for its victims. In the event that the victim uses NLA (Network Level Authentication), Seth can prevent the client from authenticating a secure connection, this makes the client fall back to RDP security. If this happens the victim’s credentials can still be accessed in cleartext despite NLA being active.

Supported OS

  • Linux


  • arpspoof (arpspoof is part of dsniff)
  • openssl
  • tcpdump
  • python3

Install Seth

Clone Seth:

$ git clone 

Install requirements using pip:

$ cd Seth 
$ pip install -r requirements.txt


To launch it, run:

Note: The last IP address must be that of the gateway, this can only change if the victim’s computer shares a subnet with the RDP host.

The last parameter is only useful when executing commands by injecting arbitrary keyboard events. Therefore it is not a must to include it, it’s optional. This can be done through the RDP host simulation of WIN+R. So far command injections have only been proven to work on English Layout keyboard.

  • powershell -enc <STRING>: When executing the keystroke injection special characters should not be used, this command line will do that;
  • STRING: represents your UTF-16le and Base64 encrypted command, but calc is much easier to use due to its universal nature.

Seth uses its shell script to poison the ARP cache after which it initiates a Man-in-the-Middle attack which further redirects all traffic to only run through RDP proxy. The proxy can then be called separately.

To list available options, run -h:

usage: [-h] [-d] [-f] [-p LISTEN_PORT] [-b BIND_IP] [-g {0,1,3,11}]
               [-j INJECT] -c CERTFILE -k KEYFILE
               target_host [target_port]

RDP credential sniffer -- Adrian Vollmer, SySS GmbH 2017

positional arguments:
  target_host           target host of the RDP service
  target_port           TCP port of the target RDP service (default 3389)

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           show debug information
  -f, --fake-server     perform a 'fake server' attack
  -p LISTEN_PORT, --listen-port LISTEN_PORT
                        TCP port to listen on (default 3389)
  -b BIND_IP, --bind-ip BIND_IP
                        IP address to bind the fake service to (default all)
  -g {0,1,3,11}, --downgrade {0,1,3,11}
                        downgrade the authentication protocol to this (default
  -j INJECT, --inject INJECT
                        command to execute via key press event injection
  -c CERTFILE, --certfile CERTFILE
                        path to the certificate file
  -k KEYFILE, --keyfile KEYFILE
                        path to the key file
Documentation Box
Download Box