2013 RDP Plugfest On The Wire UPDATED - 2016 - 10
Bryan S. Burgin
Sr. Escalation Engineer
Developer Support, Open Specification Team
(2013 July 10)
• Definitions:
• “Server-side” is the target of the RDP connection, the machine being remoted into.
• “Client-side” is the machine running MSTSC (the Remote Desktop client).
Setting the Goal
• To share a technique to observe Windows-to-Windows RDP traffic.
Details: Agenda
• Make and export a certificate
• Server-side preparation
• Client-side preparation
• Netmon preparation
• Capturing and decrypting traffic
• Close
• Protocol List
• Protocol Map
• Examples (Specifications and Traces)
• References
• Getting Help/Resources
Make and Export the Certificate…
• Only needs to be done once in a lifetime.
• (or, until the certificate expires)
• Can be made on any machine.
• Make a certificate using MAKECERT.
• Bing “makecert.exe”:
• (available via Windows Driver Kit)
• (available via SDK)
• (available via other toolkits)
• Export the cert to a Personal Information Exchange (.PFX) file
• Import/copy the certificate (via PFX) wherever it will be used:
• On the server-side system
• On the machine where you run Network Monitor and NmDecrypt
Server Side…
• Enable RDP on Remote System
• Do NOT check Network Level Authentication
Server Side: Import Cert (W7)
• Import certificate via Microsoft Management Console (MMC):
• Add certificate snap-in for Computer Account
• Go to Personal, Certificates, right-click All Tasks and select Import
• Browse to .PFX file
• “Place all certificates…”, specify “Personal”
Server Side: Import Cert (W8)
• Double-click .PFX file
• Import to Local Machine
• To the Personal Store
Server Side: Give Cert Permissions
• Run MMC, use Certificate plug-in for Local Computer
• Find certificate in the local store
• Right-click, All Tasks, Manage Private Keys
• Add NETWORK SERVICE
Server Side: Get Cert’s Thumbprint
• To use the certificate, RDP needs to know the certificate’s SSL SHA1 HASH (a.k.a. Thumbprint):
• Run MMC, go to Local Machine/Personal Certificates
• Find certificate, Double-click, Details Tab, find Thumbprint
• Record this value
• For any given certificate, the HASH is always the same
• So record it once and use it forever
Server Side: Make RDP Use Cert
• Identify the certificate’s SHA1 HASH to RDP
• Enter it as the binary (REG_BINARY) value SSLCertificateSHA1Hash under HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
• The RDP server will now use this certificate for encryption
Server Side: Set RDP Security (W7)
• Set RDP Security…Windows 7 ONLY
• (Windows 8 defaults are good)
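The server-side steps above (make the certificate, export it, grant NETWORK SERVICE access to the private key, record the thumbprint, bind it to the RDP-Tcp listener without NLA), done in PowerShell rather than MMC and REGEDIT. This is an added example, not code from the deck or from Microsoft. It assumes an elevated Windows PowerShell session on Windows 10 / Server 2016 or later (New-SelfSignedCertificate with -Provider and -KeySpec, in place of MAKECERT), and it deliberately uses the CAPI provider so that the private key is a file under MachineKeys whose ACL can be edited. The subject name, PFX path and password are placeholders.

```powershell
# Added example (not from the slide deck): server-side RDP decryption setup.
# Assumes Windows 10 / Server 2016+ and an elevated session. Placeholders: $Subject, $PfxPath.
#Requires -RunAsAdministrator

$Subject     = 'CN=rdp-plugfest-server'            # placeholder subject
$PfxPath     = 'C:\rdp-plugfest\rdp-decrypt.pfx'   # placeholder path
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

# 1. Make the certificate directly in Local Machine\Personal (Cert:\LocalMachine\My).
#    An RSA exchange key from the CAPI Schannel CSP gives an RSA key-exchange
#    certificate, which is what NmDecrypt needs to recover the session keys.
$cert = New-SelfSignedCertificate -Subject $Subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -KeySpec KeyExchange -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 -NotAfter (Get-Date).AddYears(5)

# 2. Export to PFX; this file is what gets copied to the Netmon/NmDecrypt machine.
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
# If the certificate was made on another machine, import it here instead:
#   Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword

# 3. "Manage Private Keys -> add NETWORK SERVICE": CAPI machine keys are files
#    under MachineKeys, so the permission is a file ACL entry.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Thumbprint (SHA-1 hash, 40 hex chars) converted to the 20 bytes REG_BINARY wants.
$thumb     = $cert.Thumbprint
$hashBytes = [byte[]] (0..19 | ForEach-Object { [Convert]::ToByte($thumb.Substring(2 * $_, 2), 16) })

# 5. Enable RDP with NLA off and point the RDP-Tcp listener at this certificate.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'
Set-ItemProperty -Path $ts  -Name 'fDenyTSConnections'     -Value 0          -Type DWord
Set-ItemProperty -Path $tcp -Name 'UserAuthentication'     -Value 0          -Type DWord   # NLA off
Set-ItemProperty -Path $tcp -Name 'SSLCertificateSHA1Hash' -Value $hashBytes -Type Binary
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

"Certificate $thumb exported to $PfxPath and bound to RDP-Tcp"
```

The thumbprint printed at the end is the value the deck says to record once and reuse; the REG_BINARY conversion is the only part that MMC does not show you, since the Details tab displays the hash as hex text.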
Client Side: Disable Bulk Compression
• Disable client-side compression (client-to-server packets):
• Run MSTSC
• Enter remote system’s address/name
• Press “Show Options”, select “Save As”
• Save configuration (.RDP file)
• Open the .RDP file in Notepad and set compression to zero: compression:i:0
Client Side: (Optional) Set Specific Compression
• If you want the client to use a specific compression algorithm:
• HKLM\Software\Microsoft\Terminal Server Client\MaxRdpCompressionLevel
• 0 = “RDP 4” (8K)
• 1 = “RDP 5” (64K)
• 2 = “RDP 6” (64K NCRUSH)
• 3 = “RDP 6.1” (XCRUSH)
• 4 = “RDP 8” (RDP8)
• This sets the CompressionTypeMask bits of the flags field in the [MS-RDPBCGR] Client Info PDU
Cipher Suites: Elliptic Curves
• Windows 10 uses elliptic curve cipher suites by default:
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA {0xc0, 0x14}
• (in the list of client-supported cipher suites in the TLS handshake)
• NmDecrypt recovers the session keys from the server certificate’s RSA private key, which only works for RSA key-exchange suites; with an ECDHE suite the keys come from ephemeral values that the certificate’s private key cannot recover
• I use “TLS_RSA_WITH_AES_128_CBC_SHA”
Client Side: Disable TLS 1.2 (W8)
• Disable TLS 1.2: Windows 8 ONLY
• Windows 8 uses TLS 1.2 by default
• Netmon’s decryption expert (NmDecrypt) does not decrypt TLS 1.2 frames
• Solution: downgrade to TLS 1.1 or 1.0
• Create the key HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client (there is a space between “TLS” and “1.2”) and under it set Enabled (DWORD) = 0
• Also turn off the Extended Master Secret extension, which changes how the TLS master secret is derived:
• HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel, DisableClientExtendedMasterSecret (DWORD) = 1
Client Side: Disable UDP (W8)
• Disable RDP over UDP … Windows 8 ONLY
• RDP 8 uses both TCP and UDP
• Network Monitor and NmDecrypt are “conversation” based
• Each transport (TCP, UDP) is treated as a separate conversation
• Solution: Disable UDP; force TCP only
• Run REGEDIT
• Create HKLM\Software\Microsoft\Terminal Server Client\DisableUDPTransport
(DWORD) = 1
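The client-side settings from the preceding slides (bulk compression off in the saved .RDP file, optional fixed compression level, TLS 1.2 and Extended Master Secret off, UDP transport off) applied in PowerShell, with a read-back check that reports anything not matching. This is an added example, not code from the deck or from Microsoft; it assumes an elevated Windows PowerShell session on the MSTSC machine, and the .RDP path and server name are placeholders. The function names Set-RdpPlugfestClient and Test-RdpPlugfestClient are mine.

```powershell
# Added example (not from the slide deck): client-side settings for the capture.
# Assumes an elevated session on the MSTSC machine. Placeholders: $RdpFile, server name.
#Requires -RunAsAdministrator

$RdpFile  = "$env:USERPROFILE\Documents\plugfest.rdp"   # placeholder: the file MSTSC "Save As" wrote
$TsClient = 'HKLM:\SOFTWARE\Microsoft\Terminal Server Client'
$Tls12    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$SChannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-RdpCompression {
    # Replace or append "compression:i:0" in a saved .RDP file (client-to-server bulk compression off).
    param([string]$Path)
    $lines = if (Test-Path $Path) { Get-Content $Path } else { @('full address:s:rdp-plugfest-server') }
    $lines = @($lines | Where-Object { $_ -notmatch '^compression:i:' })
    $lines + 'compression:i:0' | Set-Content -Path $Path -Encoding Unicode   # MSTSC writes UTF-16LE
}

function Set-RdpPlugfestClient {
    param([int]$CompressionLevel = 0)   # 0..4 as listed on the slide (RDP 4 .. RDP 8)

    Set-RdpCompression -Path $RdpFile

    New-Item -Path $TsClient -Force | Out-Null
    Set-ItemProperty -Path $TsClient -Name 'MaxRdpCompressionLevel' -Value $CompressionLevel -Type DWord
    Set-ItemProperty -Path $TsClient -Name 'DisableUDPTransport'    -Value 1 -Type DWord   # force TCP only

    # TLS 1.2 off for this machine's TLS clients (NmDecrypt cannot decrypt TLS 1.2).
    # Schannel reads the "Enabled" value under the protocol key; the key name contains a space.
    New-Item -Path $Tls12 -Force | Out-Null
    Set-ItemProperty -Path $Tls12 -Name 'Enabled' -Value 0 -Type DWord
    # Extended Master Secret (RFC 7627) binds the master secret to the handshake hash; off for decryption.
    Set-ItemProperty -Path $SChannel -Name 'DisableClientExtendedMasterSecret' -Value 1 -Type DWord
    # Windows 10 only: an RSA key-exchange suite has to be negotiated, e.g. by removing the
    # ECDHE suite the slide names on this lab client (TLS module cmdlet):
    #   Disable-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
}

function Test-RdpPlugfestClient {
    # Read every setting back; returns $true only when all of them match the deck.
    $ok = $true
    $checks = @(
        @{ Path = $TsClient; Name = 'DisableUDPTransport';              Want = 1 },
        @{ Path = $Tls12;    Name = 'Enabled';                          Want = 0 },
        @{ Path = $SChannel; Name = 'DisableClientExtendedMasterSecret'; Want = 1 }
    )
    foreach ($c in $checks) {
        $have = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($have -ne $c.Want) { Write-Warning "$($c.Path)\$($c.Name) = $have (want $($c.Want))"; $ok = $false }
    }
    if ((Get-Content $RdpFile -ErrorAction SilentlyContinue) -notcontains 'compression:i:0') {
        Write-Warning "$RdpFile lacks compression:i:0"; $ok = $false
    }
    $ok
}

Set-RdpPlugfestClient
Test-RdpPlugfestClient
```

Run Test-RdpPlugfestClient again after a reboot or policy refresh: the Schannel values only take effect for new TLS clients, and a capture started before they apply will contain a TLS 1.2 handshake that NmDecrypt then cannot open.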
Netmon: Install Network Monitor
• Download “Microsoft Network Monitor 3.4”
• (http://www.microsoft.com/en-us/download/details.aspx?id=4865)
• Installs Netmon + 2010 parser package
• It can be installed on either the client or server side
• (but the certificate’s PFX file must be copied to this machine)
• Run Netmon as an Administrator
• First time for Windows 7 (installs driver)
• Every time for Windows 8
• Change parser profile to “Windows”
Netmon: Install Current Parsers
• Install latest parser package
• Updated specifically for RDP:
• Oct 2011 or newer for Windows 7
• Sept 2012 or newer for Windows 8
• Were available via nmparsers.codeplex.com
• Now available via Download Center
• (https://www.microsoft.com/en-us/download/details.aspx?id=53671)
• Package will replace original (2010) parsers
Netmon: Install NmDecrypt
• Install Decryption Expert
• Available via Codeplex: (http://nmdecrypt.codeplex.com)
• Copy certificate’s .PFX file to this machine
Capturing & Decrypting: Capturing
• Start Network Monitor
• Select “New Capture”
• Press “Start”
• You MUST begin capture before RDP connection (trace MUST include TLS handshake)
• Wait until “Waiting for network traffic”
Capturing & Decrypting: Stopping
• Stop the trace as soon as possible.
• Longer traces take longer to decrypt!
• NmDecrypt has a 2 GB trace limit
Close: Protocol List (1 of 3)
• [MS-RDSOD] Remote Desktop Services Protocols Overview
• [MS-RDPBCGR] Basic Connectivity and Graphics Remoting
• [MS-RDPADRV] Audio Level and Drive Letter Persistence Virtual Channel Extension
• [MS-RDPCR2] Composited Remoting V2
• [MS-RDPEA] Audio Output Virtual Channel Extension
• [MS-RDPEAI] Audio Input Redirection Virtual Channel Extension
• [MS-RDPECLIP] Clipboard Virtual Channel Extension
• [MS-RDPEDC] Desktop Composition Virtual Channel Extension
• [MS-RDPEDYC] Dynamic Channel Virtual Channel Extension
• [MS-RDPEECO] Virtual Channel Echo Extension
• [MS-RDPEFS] File System Virtual Channel Extension
• [MS-RDPEGDI] Graphics Device Interface (GDI) Acceleration Extensions
• [MS-RDPEGFX] Graphics Pipeline Extension
• [MS-RDPEGT] Geometry Tracking Virtual Channel Protocol Extension
• [MS-RDPEI] Input Virtual Channel Extension
• [MS-RDPELE] Licensing Extension
Close: Protocol List (2 of 3)
• [MS-RDPEMC] Multiparty Virtual Channel Extension
• [MS-RDPEMT] Multitransport Extension
• [MS-RDPEPC] Print Virtual Channel Extension
• [MS-RDPEPNP] Plug and Play Devices Virtual Channel Extension
• [MS-RDPEPS] Session Selection Extension
• [MS-RDPERP] Remote Programs Virtual Channel Extension
• [MS-RDPESC] Smart Card Virtual Channel Extension
• [MS-RDPESP] Serial and Parallel Port Virtual Channel Extension
• [MS-RDPEUDP] UDP Transport Extension
• [MS-RDPEUSB] USB Devices Virtual Channel Extension
• [MS-RDPEV] Video Redirection Virtual Channel Extension
• [MS-RDPEVOR] Video Optimized Remoting Virtual Channel Extension
• [MS-RDPEXPS] XML Paper Specification (XPS) Print Virtual Channel Extension
• [MS-RDPNSC] NSCodec Extension
• [MS-RDPRFX] RemoteFX Codec Extension
• [MS-RDWR] Remote Desktop Workspace Runtime Protocol
Close: Protocol List (3 of 3)
• [MS-TSSO] Terminal Services System Overview
• [MS-TSGU] Terminal Services Gateway Server Protocol
• (RPC-based protocol; this technique will not decrypt its traffic)
How to get Help
• E-mail dochelp@microsoft.com
• 1:1, private
• Monitored by support 24x7
• Issues acknowledged within 24 hours
• Technical Specifications
• Licensing Programs
• Open Specifications
• Support Avenues
• MSDN.com
• Channel9.MSDN.com
Resources
• Specifications (protocol technical documents):
• http://msdn.microsoft.com/en-us/library/cc216517(v=prot.10).aspx
• http://www.microsoft.com/protocols
• dochelp@microsoft.com
• bburgin@microsoft.com