Decoding RDP


Problem description



Greetings,

I am trying to parse for certain fields of the Remote Desktop Protocol packets exchanged during a remote connection session, specifically the login credentials, and I am having a lot of trouble with the decoding procedure. For reference, in the v20151016 edition of the [MS-RDPBCGR] document (https://msdn.microsoft.com/en-us/library/cc240445.aspx), an encrypted packet dump is displayed in Section 4.1.10 Client Info PDU (p. 331). On the next page, the decrypted version of the same dump is displayed, and the contents are decoded and shown in ASCII. I am basically trying to collect the same output in my own lab. In order to obtain human-readable RDP packet info, the session must be decompressed, decrypted and decoded. The following is what I have done thus far to try to do just that.

As I control both the client and the server in my lab, I should have access to everything I need to get the information I want. Decompression is relatively easy to handle. On the server, I disable it by editing group policy:

Local Computer Policy > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > Configure compression for RemoteFX data > Enabled > Do not use an RDP compression algorithm

On the client, I edited the .rdp configuration file by changing

compression:i:1

to

compression:i:0

That should take care of the compression obstacle. Next, onto the decryption problem. Again, as I control the server, I have access to the private key in the certificate used for SSL/TLS encryption. This certificate can be found using Microsoft Management Console (mmc.exe):

Console Root\Certificates (Local Computer)\Remote Desktop\Certificates

Although the private key from this certificate is marked as non-exportable, I was able to bypass that obstacle. Long story short, I have the .pfx file if I need it, from which I can use openssl on my Linux box to extract the key.

I think I was able to successfully decrypt an RDP session using Network Monitor by following the instructions from Bryan S. Burgin's awesome blog (http://blogs.msdn.com/b/openspecification/archive/2012/05/24/hitchhiker-s-guide-to-debugging-rdp-protocols-part-2.aspx). I think I was able to obtain similar results with Message Analyzer with instructions by the same author (http://docplayer.net/7643622-Decrypting-rdp-traffic-with-message-analyzer-bryan-s-burgin-sr-escalation-engineer-developer-support-open-specs-microsoft-corporation.html). However, the decrypted packet dumps are still not human-readable. Wireshark can decrypt SSL sessions, and apparently they had an RDP parser or "dissector" at one time, but this is no longer true (https://labs.portcullis.co.uk/blog/retrospective-decryption-of-ssl-encrypted-rdp-sessions/). The TPKT dissector does not seem to fit the bill, either.

Lastly, I had decided to go old school and crack out Cain and Abel to run a man-in-the-middle attack between my RDP client and server (http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff). Cain was able to decrypt the session, and although it can figure out which packets represent keystrokes and decrypt those packets, they are still displayed in encoded form.

The issue apparently is that, although RDP sessions can be decrypted, I don't seem to be able to find a way to decode them in order to render them human-readable. I've been researching on how to do this for over a week, and I'm wondering whether the authors of the [MS-RDPBCGR] document had access to specialized tools not available to the public, as RDP is after all a Microsoft proprietary protocol.

In the same document, a Password field is listed in Section 2.2.1.11.1.1 Info Packet (TS_INFO_PACKET) on p. 70. However, I believe this field only records saved credentials. If you are logging into a machine via RDP for the first time or have to re-enter your credentials, the password is sent via separate packets as keystrokes. Of course, until I can decode the packets, I cannot confirm this theory one way or the other.

Can anyone please assist?

Thank you in advance!

References

- https://msdn.microsoft.com/en-us/library/cc240445.aspx

- http://blogs.msdn.com/b/openspecification/archive/2012/05/24/hitchhiker-s-guide-to-debugging-rdp-protocols-part-2.aspx

- http://docplayer.net/7643622-Decrypting-rdp-traffic-with-message-analyzer-bryan-s-burgin-sr-escalation-engineer-developer-support-open-specs-microsoft-corporation.html

- https://labs.portcullis.co.uk/blog/retrospective-decryption-of-ssl-encrypted-rdp-sessions/

- http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff
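Decoding the Client Info PDU that the post cites (Section 4.1.10 and the TS_INFO_PACKET layout in 2.2.1.11.1.1) is a matter of walking four fixed layers once TLS is stripped: TPKT, X.224 Data TPDU, MCS Send Data Request, then a 4-byte basic security header flagged SEC_INFO_PKT in front of the Info Packet itself. The Python below is an added example, not code from the post, from Microsoft or from any of the tools mentioned; it builds a sample PDU (constructed input, not the dump printed in the specification) and parses it back. It assumes the bytes come from a TLS-decrypted stream (Enhanced RDP Security), where the PDU carries only the basic security header; under Standard RDP Security the SEC_ENCRYPT flag is set and an RC4 payload with a MAC follows, which the parser refuses rather than misdecodes. cp1252 is an assumption for the ANSI (non-INFO_UNICODE) case, as is the MCS user ID 1007.

```python
"""Decode a Client Info PDU ([MS-RDPBCGR] 2.2.1.11) from a TLS-decrypted RDP
stream down to the TS_INFO_PACKET fields (2.2.1.11.1.1).

Added example; the sample PDU is constructed below and is not the dump from the
specification or from a real capture.  Assumes Enhanced RDP Security (TLS), so
the PDU carries a 4-byte basic security header and no RC4 payload or MAC.
"""
import struct

SEC_ENCRYPT = 0x0008            # Standard RDP Security: RC4 payload + MAC follow
SEC_INFO_PKT = 0x0040           # security header flag marking a Client Info PDU
INFO_AUTOLOGON = 0x00000008     # client asks for auto-logon with UserName/Password
INFO_UNICODE = 0x00000010       # string fields are UTF-16LE, otherwise ANSI
INFO_USING_SAVED_CREDS = 0x00100000
INFO_FIELDS = ("Domain", "UserName", "Password", "AlternateShell", "WorkingDir")


def _per_length(n):
    """PER length determinant of the MCS Send Data Request userData field."""
    return bytes([n]) if n < 0x80 else struct.pack(">H", 0x8000 | n)


def build_client_info_pdu(domain, user, password, flags=INFO_UNICODE | INFO_AUTOLOGON,
                          user_id=1007, channel=1003):
    """Construct TPKT + X.224 Data + MCS SDrq + basic security header + TS_INFO_PACKET.
    Test-input builder only; AlternateShell and WorkingDir are left empty."""
    enc, nul = ("utf-16-le", b"\x00\x00") if flags & INFO_UNICODE else ("cp1252", b"\x00")
    strings = [s.encode(enc) for s in (domain, user, password, "", "")]
    # cbDomain .. cbWorkingDir exclude the mandatory null terminator after each string
    info = struct.pack("<II", 0, flags) + struct.pack("<5H", *[len(s) for s in strings])
    info += b"".join(s + nul for s in strings)
    body = struct.pack("<HH", SEC_INFO_PKT, 0) + info
    mcs = (b"\x64" + struct.pack(">HH", user_id - 1001, channel) + b"\x70"
           + _per_length(len(body)) + body)
    x224 = b"\x02\xf0\x80" + mcs                              # X.224 Data TPDU
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224    # TPKT, length incl. header


def parse_client_info_pdu(data):
    """Walk TPKT -> X.224 -> MCS -> security header -> TS_INFO_PACKET; return the fields."""
    if len(data) < 15 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT record")
    if data[4:7] != b"\x02\xf0\x80" or data[7] != 0x64:
        raise ValueError("expected X.224 Data TPDU carrying an MCS Send Data Request")
    initiator, channel = struct.unpack(">HH", data[8:12])
    pos = 13                                            # past dataPriority/segmentation
    if data[pos] & 0x80:                                # two-byte PER length determinant
        length, pos = struct.unpack(">H", data[pos:pos + 2])[0] & 0x3FFF, pos + 2
    else:
        length, pos = data[pos], pos + 1
    body = data[pos:pos + length]
    if len(body) != length or len(body) < 22:
        raise ValueError("MCS user data truncated")
    sec_flags = struct.unpack("<H", body[:2])[0]
    if not sec_flags & SEC_INFO_PKT:
        raise ValueError("SEC_INFO_PKT not set: not a Client Info PDU")
    if sec_flags & SEC_ENCRYPT:
        raise ValueError("SEC_ENCRYPT set: Standard RDP Security payload, RC4-decrypt first")
    info = body[4:]
    codepage, flags = struct.unpack("<II", info[:8])
    sizes = struct.unpack("<5H", info[8:18])
    # cp1252 for the ANSI case is an assumption; the spec ties it to CodePage
    enc, nul_len = ("utf-16-le", 2) if flags & INFO_UNICODE else ("cp1252", 1)
    fields, off = {}, 18
    for name, cb in zip(INFO_FIELDS, sizes):
        raw = info[off:off + cb]
        term = info[off + cb:off + cb + nul_len]
        if len(raw) != cb or term != b"\x00" * nul_len:
            raise ValueError("%s: truncated or missing null terminator" % name)
        fields[name] = raw.decode(enc)
        off += cb + nul_len
    fields.update(mcs_user_id=initiator + 1001, mcs_channel=channel, codePage=codepage,
                  flags=flags, autologon=bool(flags & INFO_AUTOLOGON),
                  saved_creds=bool(flags & INFO_USING_SAVED_CREDS),
                  extraInfo_len=len(info) - off)         # optional TS_EXTENDED_INFO_PACKET
    return fields


if __name__ == "__main__":
    pdu = build_client_info_pdu("LAB", "alice", "Winter2016!")
    for k, v in parse_client_info_pdu(pdu).items():
        print("%-15s %r" % (k, v))
```

To use this on a real capture, feed it the single TPKT record the client sends right after the MCS Attach User / Channel Join exchange, taken from the decrypted stream that Network Monitor or Message Analyzer produces. The flags word is the place to test the post's saved-credentials theory: INFO_AUTOLOGON says the client asked to log on with the UserName and Password it sent, and INFO_USING_SAVED_CREDS says whether those came from the credential store.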

Solution

Hi joel.mcintyre25,

Thank you for your question about remote desktop login credentials decoding. One of the Open Specifications team members will respond shortly to begin working with you.

Best regards,
Tom Jebo
Sr Escalation Engineer
Microsoft Open Specifications

