Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]


Wireshark

Author: Celal Dogan
Reviewer: Deepak Prasad

What is RDP?

Remote Desktop Protocol (RDP) is a protocol developed by Microsoft and used to manage a computer remotely. A client can connect to another computer through a network connection and manage it as if he/she is sitting at in front of his/her computer. The protocol uses TCP port 3389 and UDP port 3389 in default.

 

RDP Security Layer

RDP Security Layer falls in two categories:

 

1. Standard RDP Security

Communication between the server and the client is protected by native RDP encryption. It uses RSA Security's RC4 cipher to secure all data being transferred to and from the Windows system. This cipher encrypts data of varying size with a 56-bit or a 128-bit key. I will start an RDP connection and show you a few packets how it selects an RDP Security Layer. Following screenshot shows an "RDP Negotiation Request" packet from the client to the server.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

The client desires to use "Enhanced RDP Security" with specifying one of the methods below. It asks the server to pick one of them.

  • "TLS security supported"
  • "CredSSP supported"
  • "Early user Authorization Request PDU supported"

Following screenshot shows "RDP Negotiation Failure" packet coming from the server.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

Since the server does not support TLS which is used by "Enhanced RDP Security", it returns a failure code and specifies that TLS is not allowed. The client changes its decision and negotiates for "Standard RDP Security" with the packet below.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

As you can see, all the flags in the "requestProtocols" are set to 0 (zero), which tells the server "lets use native RDP protocol". The server accepts the offer and responses accordingly. Following packet belongs to the server.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

2. Enhanced RDP Security

RDP uses an external security protocol for "Enhanced RDP Security". All the security protocols involve TLS. The list of them are below:

TLS: In this method, RDP is encapsulated by TLS. When we decrypt the TLS external security protocol, we can see the client credentials (username and password) in clear text. Following figure shows that the RDP client is offering TLS security.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

Credential Security Support Provider protocol (CredSSP): CredSSP is an authentication provider which processes authentication requests for other applications. CredSSP provides an encrypted Transport Layer Security Protocol channel. The client is authenticated over the encrypted channel by using the Simple and Protected Negotiate (SPNEGO) protocol with either Microsoft Kerberos or Microsoft NTLM. Although it uses TLS, when it is decrypted, you can not see the user credentials in clear text. Following screenshot shows an NTLM authentication provided by CredSSP inside a decrypted TLS tunnel.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

When CredSSP is used as the external security protocol , it enables the use of Network Level Authentication (NLA).

RDSTLS: It is a variation of Enhanced RDP Security that is primarily used in the context of server redirection scenarios. Server authentication, encryption, decryption, and data integrity checks are implemented by leveraging the TLS security protocol, while user authentication is accomplished by exchanging RDSTLS PDUs directly following the TLS handshake. In short, it uses NTLM inside TLS.

 

Installing Frida and capturing TLS Premaster keys

Frida is a tool that can be used to obtain TLS session keys used by RDP.

Step-1: Install Python. I will download and install it on a Windows. You can download it here (https://www.python.org/downloads/release/python-380/).

 

Step-2: Go to python home and use ".\Scripts\pip.exe install frida-tools frida" to install it. My home folder is:

"C:\Users\administrator.MYDOMAIN\AppData\Local\Programs\Python\Python38>"

Following screenshot shows the installation.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

Step-3: Download keylog.js from here:

https://github.com/ngo/win-frida-scripts/blob/master/lsasslkeylog-easy/keylog.js and save it to a directory. We will use that path in the next step.

 

Step-4: Launch Windows PowerShell as administrator. Then go to python home and run the command below. Do not forget to modify it for yourself.

PS C:\Users\administrator.MYDOMAIN\AppData\Local\Programs\Python\Python38\Scripts> frida.exe --no-pause lsass.exe -l C:\keylog.js

You should see an output like below.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

When you connect to an RDP server, Frida will collect the keys in the C:\keylog.log file.

 

Wireshark RDP Decryption

If you feed Wireshark with session keys or a private key of PKI, it can decrypt TLS/SSL traffic.

Step-1: Launch Wireshark and navigate to EditPreferences.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

Step-2: A window appears and expand the "protocols" tree.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

Step-3: Find TLS and click on it. From left pane, click on "Browse" button to select "keylog.log". Remember that the file path is "C:\keylog.log" in default. Click "OK" to finish. Then restart Wireshark.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

Step-4: Capture the packets while starting an RDP session.

Step-5: Wireshark automatically decrypt the TLS traffic. Next, find "ClientInfo" packet and expand the tree. You should see the RDP username and password fields in clear text. My output is below.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

Changing RDP Security Layer Protocols

Windows lets you set specific security layer for RDP through Group Policy.

Step-1: Open "Local Group Policy Editor" and expand "Administrative Templates". Then click on "Windows Components".

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

Step-2: Find "Remote Desktop Services" and click on "Security".

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

Step-3: At the right pane, you will see "Require use of specific security layer for remote (RDP) connections". Double click on it and the configuration window will open. Select "Enable" option and then, select the "Security Layer" you want from the dropdown list.

Decrypt RDP Traffic with Wireshark and Frida [Step-by-Step]

 

According to Microsoft:

This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections.

If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available:

  • Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended.
  • RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended.
  • SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy.

If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level.

 

Discovering RDP Security Layer with Nmap Scanning

Nmap provides a Nmap Scripting Engine (NSE) script called "rdp-enum-encryption" that determines which Security Layer and Encryption Level is supported by the RDP service. I ran the script and the result is below.

celal@kali:~$ nmap -p 3389 192.168.1.21 -script rdp-enum-encryption
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-04 17:34 EST
Nmap scan report for 192.168.1.21
Host is up (0.00051s latency).

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server

 

Final thoughts

RDP can be vulnerable especially when Native RDP is used, which is protected by Standard RDP Security layer. CredSSP with NLA is the best option to go with. It is more secure and robust. Since all Enhanced RDP Security methods use TLS, it is possible to decrypt RDP protocol.

 

References

https://www.cyberark.com/resources/threat-research-blog/explain-like-i-m-5-remote-desktop-protocol-rdp
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/592a0337-dc91-4de3-a901-e1829665291d
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770833(v=ws.11)?redirectedfrom=MSDN
https://docs.oracle.com/cd/E35310_01/E35309/html/Windows-Network-Security.html
https://www.netwoven.com/2018/05/15/solved-credssp-encryption-oracle-remediation/
https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-security-support-provider
https://b.poc.fun/decrypting-schannel-tls-part-1/

 

Celal Dogan

Celal Dogan

He is proficient in System Administration, Python, Computer Network, Network Engineering, PHP, Web Testing, Penetration Testing, Wireshark, RADIUS, Cisco Router, TCP/IP, Kali Linux, OSPF, NPS, and Multiprotocol BGP. You can connect with him on his LinkedIn Profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment