Decrypting RDP Traffic with Message...
Transcript of Decrypting RDP Traffic with Message...
Bryan S. Burgin
Sr. Escalation Engineer, Developer Support, Open Specs
Microsoft Corporation
Decrypting RDP Traffic with Message Analyzer
Sr. EE, Developer Support, Protocols/Open Specifications/Interop
13 years at Microsoft:
Primary duties:
www.microsoft.com/protocols
www.microsoft.com/openspecifications
May 2012 (Taipei): Whiteboard discussion:
May/July 2012: “Hitchhiker’s Guide to Debugging RDP protocols” blog posts:
April 2013 (Taipei):
March 2014 (Taipei):
Viewing unencrypted, uncompressed RDP traffic Windows-to-Windows in both directions is difficult.
Viewing unencrypted traffic:
To share a technique to observe Windows-to-Windows RDP traffic using Message Analyzer
Network Monitor/NmDecrypt advantages
Network Monitor/NmDecrypt disadvantages
Message Analyzer advantages
Message Analyzer disadvantages
Make and export a certificate
Server-side preparation
Client-side preparation
Installing Message Analyzer
Capturing and analyzing traffic
What’s next
Close
Demo
References
Getting help
Only needs to be done once in a lifetime.
Can be made on any machine.
Make a certificate using MAKECERT.
Export the cert to a Personal Information Exchange (.PFX) file
Import/copy the certificate (via PFX) wherever it will be used:
Note: Do NOT check Network Level Authentication
Import certificate via Microsoft Management Console (MMC):
Double-click .PFX file
Run MMC, use Certificate plug-in for Local Computer
Find certificate in the local store
Right-click, All Tasks, Manage Private Keys
Add NETWORK SERVICE
To use the certificate, RDP needs to know the certificate’s SSL SHA1 HASH (a.k.a. Thumbprint):
For any given certificate, the HASH is always the same
Identify certificate’s SHA1 HASH to RDP
The RDP server will now use this certificate for encryption
Windows 7 ONLY; Windows 8 defaults are okay
Set HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp:
Disable server-side compression (server-to-client packets):
Run GPEDIT, find: Local Computer Policy » Computer Configuration » Administrative Templates » Windows Components » Remote Desktop Services » Remote Desktop Session Host » Remote Session Environment » Configure compression for RemoteFX data
Enable the policy
Set to “Do not use a compression algorithm”
RDP8 will send/receive ~3000 frames to detect network conditions (bandwidth) at initial connect (RTT, Kb/sec):
Disabling bandwidth detection reduces overhead, yields smaller and faster traces
Solution: disable network bandwidth detection via GPEdit: Local Computer Policy » Computer Configuration » Administrative Templates » Windows Components » Remote Desktop Services » Remote Desktop Session Host » Connections » Select network detection on the server
Set to “Turn off Connect Time & Continuous NW Detect”
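The certificate and registry part of the server-side steps above (import the PFX, grant NETWORK SERVICE access to the private key, hand the SHA1 thumbprint to RDP, keep NLA off), as an added PowerShell script that is not part of the presentation. It assumes a placeholder PFX path, that MAKECERT produced a CAPI (CSP) RSA key (its default), and standard Terminal Server value names (SSLCertificateSHA1Hash, UserAuthentication, SecurityLayer) that the slides do not spell out; the two Group Policy settings (compression, network detection) are still done in GPEDIT as described.

```powershell
# Added example (not from the presentation): server-side preparation in PowerShell.
# Run in an elevated prompt on the RDP server. $pfxPath is a placeholder path.
# Assumes the MAKECERT certificate has a CAPI (CSP) RSA key, which is makecert's default.
$pfxPath = 'C:\temp\rdp-decrypt.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Import the PFX into the Local Computer personal store, persisting the private key.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'MachineKeySet, PersistKeySet'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# 2. "Manage Private Keys -> Add NETWORK SERVICE": the Remote Desktop service reads the key
#    as NETWORK SERVICE, so grant it read access on the key container file (CAPI key assumed).
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
icacls $keyFile /grant 'NETWORK SERVICE:(R)' | Out-Null

# 3. Tell RDP which certificate to use. The slide names the key but not the value;
#    SSLCertificateSHA1Hash (REG_BINARY holding the SHA1 thumbprint) is the standard value.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'SSLCertificateSHA1Hash' -Type Binary -Value $cert.GetCertHash()

# 4. NLA off (the slide's "Do NOT check Network Level Authentication") and
#    SecurityLayer = 2 (TS_SECURITY_LAYER_SSL, as the RDPEUDP notes later in this talk state).
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Type DWord -Value 0
Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Type DWord -Value 2

# 5. Verify: the thumbprint RDP will use must match the imported certificate.
$configured = (Get-ItemProperty -Path $rdpTcp -Name 'SSLCertificateSHA1Hash').SSLCertificateSHA1Hash
$hex = ($configured | ForEach-Object { $_.ToString('X2') }) -join ''
if ($hex -ne $cert.Thumbprint) { throw "Thumbprint mismatch: registry has $hex, cert is $($cert.Thumbprint)" }
"RDP-Tcp now uses certificate $($cert.Thumbprint) ($($cert.Subject)); restart the Remote Desktop Services service."
```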
If you want the client to use a specific compression algorithm:
Windows 8 uses TLS 1.2 by default
Message Analyzer does not decrypt TLS 1.2 frames (yet?)
Solution: downgrade to TLS 1.1 or 1.0
Consequence: Windows Update will stop working
RDP 8 uses both TCP and UDP
Message Analyzer does not decrypt UDP/DTLS frames (yet)
Solution: Disable UDP; force TCP only
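The two client-side changes above (drop TLS 1.2 so the handshake negotiates TLS 1.1/1.0, and force TCP only), as an added PowerShell script that is not part of the presentation. It assumes the standard Schannel client values (Enabled, DisabledByDefault) and that fClientDisableUDP is the policy value behind "Turn off UDP On Client"; because the slide notes that Windows Update stops working with TLS 1.2 off, the script takes a -Revert switch to put both settings back after the trace.

```powershell
# Added example (not from the presentation): client-side preparation in PowerShell.
# Run elevated on the RDP client. -Revert undoes both changes once the trace is taken.
# Value names are assumed standard Schannel / Terminal Services values; the slide does not list them.
param([switch]$Revert)

$schannelClient = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'

function Set-Dword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Type DWord -Value $Value
}

if ($Revert) {
    # Re-enable TLS 1.2 for client-side Schannel and let mstsc use UDP again.
    Set-Dword $schannelClient 'Enabled' 1
    Set-Dword $schannelClient 'DisabledByDefault' 0
    Remove-ItemProperty -Path $tsClientPolicy -Name 'fClientDisableUDP' -ErrorAction SilentlyContinue
} else {
    # Downgrade: disable TLS 1.2 on the client so the RDP handshake negotiates TLS 1.1/1.0,
    # which Message Analyzer can decrypt.
    Set-Dword $schannelClient 'Enabled' 0
    Set-Dword $schannelClient 'DisabledByDefault' 1
    # Force TCP only: fClientDisableUDP is assumed to be the registry value behind the
    # "Turn off UDP On Client" policy named in this talk; confirm in gpedit if unsure.
    Set-Dword $tsClientPolicy 'fClientDisableUDP' 1
}

# Report current state so the operator can confirm before connecting.
$tls = Get-ItemProperty -Path $schannelClient -ErrorAction SilentlyContinue
$udp = Get-ItemProperty -Path $tsClientPolicy -ErrorAction SilentlyContinue
"TLS 1.2 client Enabled=$($tls.Enabled) DisabledByDefault=$($tls.DisabledByDefault); fClientDisableUDP=$($udp.fClientDisableUDP)"
"Reboot for the Schannel change to take effect, then connect with mstsc."
```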
Work on improving the parsers:
Add support to decrypt TLS 1.2
Add support to decrypt DTLS and RDP over UDP Traffic
Escalation Engineer
Developer Support
Protocols/Open Specifications/Interoperability
8 years at Microsoft:
• MS-RDPEUDP is a new protocol in RDP8 which uses UDP as a transport and operates in 2 modes:
• Reliable (RDP-UDP-R)
• Best Effort/Lossy (RDP-UDP-L).
• RDP-UDP-R uses TLS and RDP-UDP-L uses DTLS.
• Unique sockets for each instance.
• MS-RDPBCGR\MS-RDPEMT\MS-RDPEUDP
• FEC PDUs
• Optional.
• Safe to ignore and not generate.
• No capability to turn on/ off.
• Without FEC, recovery from packet loss will be compromised.
• RDPEUDP is preferred by default if both endpoints are RDP8 capable. This can be turned off through Group Policy:
• Server: Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host: Select RDP Transport Protocols, set to one of “Use both UDP and TCP”, “Use only TCP” or “Use Either TCP or UDP”
• Client: Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Connection Client: Turn off UDP On Client
• MinEncryptionLevel (http://technet.microsoft.com/en-us/library/cc785662(v=ws.10).aspx) MUST be set to 3 (TS_ENCRYPTION_LEVEL_HIGH) and SecurityLayer to 2 (TS_SECURITY_LAYER_SSL) for RDPEUDP.
• Key differentiator from TLS over TCP: TLS/DTLS packets over UDP are enveloped by an RDPEUDP header.
• Apply filter as TLS – Unencrypted handshake and encrypted data PDUs.
• NMDecrypt decrypts encrypted data PDUs.
• Apply filter as TLS, profile windows – No data.
• Apply filter as RDPEUDP – Enveloped handshake and encrypted data PDUs.
• NMDecrypt can’t decrypt RDPEUDP data.
• If the starting bytes are “16 03 01” or “16 03 02”, it is a TLS record.
• If the starting bytes are “16 FE FF”, it is a DTLS record.
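The starting-byte rule above, turned into a small triage function as an added example (not from the presentation): it reads the TLS or DTLS record header, names the handshake message where there is one, and reports whether this talk's version of Message Analyzer can decrypt the stream (TLS 1.0/1.1 yes; TLS 1.2 and DTLS no). It goes slightly beyond the slide by also recognising "16 03 03" (TLS 1.2) and "16 FE FD" (DTLS 1.2); the sample byte arrays are constructed, not captured.

```powershell
# Added example (not from the presentation): classify the first bytes of a captured
# RDP payload the way the filter notes above do, and say whether Message Analyzer
# (per this talk) can decrypt it. Sample byte arrays below are constructed, not captured.
function Get-RecordKind {
    param([byte[]]$Payload)
    $contentTypes = @{ 0x14 = 'change_cipher_spec'; 0x15 = 'alert'; 0x16 = 'handshake'; 0x17 = 'application_data' }
    $r = New-Object PSObject -Property @{ Transport = 'Unknown'; Version = $null; ContentType = $null; Handshake = $null; Decryptable = $false }
    if ($Payload.Length -lt 5 -or -not $contentTypes.ContainsKey([int]$Payload[0])) { return $r }
    $r.ContentType = $contentTypes[[int]$Payload[0]]
    $major = $Payload[1]; $minor = $Payload[2]
    if ($major -eq 0x03 -and $minor -ge 0x01 -and $minor -le 0x03) {
        # "16 03 01" / "16 03 02": TLS 1.0 / 1.1, which the talk says Message Analyzer decrypts;
        # "16 03 03" is TLS 1.2, which it does not (yet).
        $r.Transport = 'TLS'
        $r.Version = "TLS 1.$($minor - 1)"
        $r.Decryptable = ($minor -le 0x02)
        $body = 5   # TLS record header: type(1) version(2) length(2)
    } elseif ($major -eq 0xFE -and ($minor -eq 0xFF -or $minor -eq 0xFD)) {
        # "16 FE FF": DTLS 1.0 (FE FD = DTLS 1.2), carried inside RDPEUDP; not decryptable here.
        $r.Transport = 'DTLS'
        $r.Version = if ($minor -eq 0xFF) { 'DTLS 1.0' } else { 'DTLS 1.2' }
        $body = 13  # DTLS record header adds epoch(2) and sequence number(6)
    } else { return $r }
    if ($r.ContentType -eq 'handshake' -and $Payload.Length -gt $body) {
        $r.Handshake = switch ($Payload[$body]) { 1 { 'ClientHello' } 2 { 'ServerHello' } default { "type $_" } }
    }
    return $r
}

# Constructed samples: a TLS 1.0 ClientHello record, a TLS 1.2 application_data record,
# and a DTLS 1.0 ClientHello record (13-byte DTLS header, then handshake type 1).
$samples = @{
    'tls10-clienthello'  = [byte[]](0x16,0x03,0x01,0x00,0x2F,0x01)
    'tls12-appdata'      = [byte[]](0x17,0x03,0x03,0x00,0x20)
    'dtls10-clienthello' = [byte[]](0x16,0xFE,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x01)
}
foreach ($name in $samples.Keys) {
    $k = Get-RecordKind $samples[$name]
    "{0,-20} {1,-7} {2,-9} {3,-17} {4,-12} decryptable={5}" -f $name, $k.Transport, $k.Version, $k.ContentType, $k.Handshake, $k.Decryptable
}
```

Feed it the first bytes of a TCP segment or, for RDPEUDP, the bytes that follow the RDPEUDP envelope, since the DTLS record only starts after that header.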
www.microsoft.com/protocols
Raising protocol specification [email protected]
Open Specifications Team Blog: http://blogs.msdn.com/b/openspecification
Channel9.MSDN.com
How to get Message Analyzer
http://www.microsoft.com/en-us/download/details.aspx?id=40308
E-mail [email protected]
1:1, private
Monitored by support 24x7
Issues acknowledged within 24 hours
Post to a Microsoft Open Specifications Forum
1:many, public
Community of industry implementers
Moderated by Microsoft
Issues become support cases for tracking
Open Specifications Support is free
Clear problem description
Document short name (e.g. [MS-RDPEUSB])
Section (e.g. 2.2.4.1 Add Virtual Channel)
Doc version (e.g. v20110609)
Impact to your project (Blocking? Just feedback?)
Multiple issues: Provide priorities
Include sample files, traces, notes
Problems NOT related to the Open Specifications documentation:
If in doubt, ask.
Blog: http://blogs.technet.com/b/messageanalyzer/
Operating Guide: http://blogs.technet.com/b/messageanalyzer/
Technet Forum:
Message Analyzer is NOT supported via Dochelp