RDP Honeypot Deployed: Credential Harvesting and Client Fingerprinting Across NLA and Legacy Connections
SikkerAPI's honeypot network now captures RDP attacks. Our sensors implement the full RDP negotiation stack — X.224, TLS, CredSSP with NTLM authentication — and accept credentials to extract client fingerprints from the MCS Connect Initial PDU. Every username, password, NTLM hash, client build, keyboard layout, and virtual channel request is recorded. 17 protocols, 44 sensors, all feeding into the same IP reputation engine.
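A sensor first has to tell NLA clients from legacy ones, and that is decided by the X.224 Connection Request. The sketch below is an added example, not SikkerAPI's sensor code: it parses that first packet following the MS-RDPBCGR layout, and `parse_connection_request`, `build_sample` and the sample packets are names and data constructed for this illustration.

```python
import struct

# requestedProtocols flags in the RDP Negotiation Request (MS-RDPBCGR 2.2.1.1.1)
PROTOCOLS = {0x1: "SSL", 0x2: "HYBRID", 0x4: "RDSTLS", 0x8: "HYBRID_EX"}

def parse_connection_request(data: bytes) -> dict:
    """Parse a TPKT-wrapped X.224 Connection Request into loggable fields."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xE0 or li != len(data) - 5:
        raise ValueError("not an X.224 Connection Request")
    payload = data[11:]  # skip dst-ref, src-ref and class bytes
    # No negotiation request means a legacy client using standard RDP security.
    result = {"cookie": None, "requested": ["RDP"], "nla": False}
    head, sep, rest = payload.partition(b"\r\n")
    if sep:  # optional routing token or "Cookie: mstshash=..." line
        result["cookie"] = head.decode("ascii", "replace")
        payload = rest
    if len(payload) >= 8 and payload[0] == 0x01:  # TYPE_RDP_NEG_REQ
        _type, _flags, length, requested = struct.unpack("<BBHI", payload[:8])
        if length != 8:
            raise ValueError("bad RDP_NEG_REQ length")
        names = [name for bit, name in PROTOCOLS.items() if requested & bit]
        result["requested"] = names or ["RDP"]
        # HYBRID and HYBRID_EX both mean CredSSP, i.e. an NLA-capable client.
        result["nla"] = bool(requested & 0xA)
    return result

def build_sample(cookie: bytes, requested=None) -> bytes:
    """Build a constructed Connection Request for exercising the parser."""
    body = cookie
    if requested is not None:
        body += struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    x224 = bytes([6 + len(body), 0xE0, 0, 0, 0, 0, 0]) + body
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224

# Constructed samples: one NLA-capable client, one legacy client.
NLA_SAMPLE = build_sample(b"Cookie: mstshash=administr\r\n", 0x3)
LEGACY_SAMPLE = build_sample(b"Cookie: mstshash=administr\r\n")

if __name__ == "__main__":
    for sample in (NLA_SAMPLE, LEGACY_SAMPLE):
        print(parse_connection_request(sample))
```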