2013 RDP Plugfest On The Wire UPDATED - 2016 - 10


RDP on the Wire

(Capturing, Decrypting and Parsing RDP Traffic)

Bryan S. Burgin
Sr. Escalation Engineer
Developer Support, Open Specification Team
(2013 July 10)

Microsoft NDA Confidential


Introduction: Bryan S. Burgin
• Sr. EE, Developer Support, Protocols/Open Specifications/Interop
• 13 years at Microsoft:
• 10 years supporting WDK (Network/USB drivers); three years Protocols
• Primary duties:
• Support Microsoft’s open specification library
• www.microsoft.com/protocols
• www.microsoft.com/openspecifications
• 500+ on-the-wire protocols:
• Remote Desktop Protocols
• File Sharing (SMB, SMB2, etc.)
• Authentication (Kerberos, NTLM, etc.)
• Work primarily with third-party protocol implementers through:
• Dochelp alias (dochelp@microsoft.com)
• Forums (MSDN Open Specifications forums)
• Plugfests, Interop Labs and other direct partner engagements
Defining the Problem
• Viewing unencrypted, uncompressed RDP traffic Windows-to-Windows in both directions is difficult.
• Viewing unencrypted traffic:
• Server to Client (any client) is easy
• Just tweak the registry (MinEncryptionLevel/SecurityLayer)
• Non-Microsoft Client to Server is easy
• Most third-party RDP clients offer switches to disable client-to-server encryption.
• Microsoft Client (MSTSC) to Server is HARD
• Thus: at least half the RDP traffic with MSTSC is always encrypted

• Definitions:
• “Server-side” is the target of the RDP connection, the machine being remoted into.
• “Client-side” is the machine running MSTSC
Setting the Goal
• To share a technique to observe Windows-to-Windows RDP traffic.
• See Microsoft Open Specifications Support Team blog posts “Hitchhiker’s Guide to RDP Protocols”:
• Part 1: [MS-RDPEUSB] (USB Device Redirection)
• Includes building the driver for OSR’s USB FX2 test board
• Part 2: Generic (removed all USB content)

Solution: Quick Walk Through
• Make and use your own certificate (MAKECERT)
• The certificate created by Terminal Services is not exportable.
• Disable server-side compression
• Disable client-side compression
• Special platform-specific steps (TLS, etc.)
• Capture traffic using Netmon (Network Monitor)
• Be sure to always start capture from the start before TLS handshake
• Decrypt traffic post-capture using NmDecrypt Expert
Details: Agenda
• Make and export a certificate
• Server-side preparation
• Client-side preparation
• Netmon preparation
• Capturing and decrypting traffic
• Close
• Protocol List
• Protocol Map
• Examples (Specifications and Traces)
• References
• Getting Help/Resources
Make and Export the Certificate…
• Only needs to be done once in a lifetime.
• (or, until the certificate expires)
• Can be made on any machine.
• Make a certificate using MAKECERT.
• Bing “makecert.exe”:
• (available via Windows Driver Kit)
• (available via SDK)
• (available via other toolkits)
• Export the cert to a Personal Information Exchange (.PFX) file
• Import/copy the certificate (via PFX) wherever it will be used:
• On the server-side system
• On the machine you’re running Network Monitor and NmDecrypt
…Make and Export the Certificate
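The MAKECERT and export steps above as a script, added here as an example and not taken from the deck. It assumes makecert.exe (WDK/SDK) is on PATH, an elevated prompt, and Windows 8 or later for Export-PfxCertificate (on Windows 7, export from MMC as the slides describe); the subject, output path and expiry date are placeholder choices.

```powershell
# Added example, not from the deck: create a self-signed certificate with MAKECERT
# and export it (with its private key) to a password-protected .PFX file.
# Assumes makecert.exe on PATH and an elevated prompt; subject, path and expiry
# below are placeholder choices, not values from the slides.
param(
    [string]$Subject = "CN=rdp-capture",                    # assumption
    [string]$PfxPath = "$env:USERPROFILE\rdp-capture.pfx"   # assumption
)

# -r self-signed, -pe exportable private key, -sky exchange (key exchange key),
# server-authentication EKU, stored in LocalMachine\My (-ss my -sr localmachine).
& makecert.exe -r -pe -n $Subject -sky exchange -len 2048 -a sha1 `
    -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -e 12/31/2030
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# Pick the newest certificate with that subject and make sure the key is present.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)               { throw "Certificate '$Subject' not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; cannot export to PFX" }

# The password chosen here is the one NmDecrypt asks for when decrypting.
$pfxPassword = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# The thumbprint is the SHA1 hash the RDP server needs later; record it once.
"Thumbprint (SSLCertificateSHA1Hash): $($cert.Thumbprint)"
"PFX written to $PfxPath; copy it to the server and to the Netmon/NmDecrypt machine"
```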
Server Side…
• Enable RDP on Remote System
• Do NOT check Network Level Authentication
Server Side: Import Cert (W7)
• Import certificate via Microsoft Management Console (MMC):
• Add certificate snap-in for Computer Account
• Go to Personal, Certificates, right-click All Tasks and select Import
• Browse to .PFX file
• “Place all certificates…”, specify “Personal”
Server Side: Import Cert (W8)
• Double-click .PFX file
• Import to Local Machine
• To the Personal Store
Server Side: Give Cert Permissions
• Run MMC, use Certificate plug-in for Local Computer
• Find certificate in the local store
• Right-click, All-Tasks, Manage Private Keys
• Add NETWORK SERVICE
Server Side: Get Cert’s Thumbprint
• To use the certificate, RDP needs to know the certificate’s SSL SHA1 HASH
(a.k.a. Thumbprint):
• Run MMC, go to Local Machine/Personal Certificates
• Find certificate, Double-click, Details Tab, find Thumbprint
• Record this value
• For any given certificate, the HASH is always the same
• So record it once and use it forever
Server Side: Make RDP Use Cert
• Identify certificate’s SHA1 HASH to RDP
• Enter as HKLM\System\CCS\Control\Terminal Server\Winstations\RDP-Tcp (Binary) SSLCertificateSHA1Hash
• The RDP server will now use this certificate for encryption
Server Side: Set RDP Security (W7)
• Set RDP Security…Windows 7 ONLY
• (Windows 8 defaults are good)
• Set HKLM\System\CCS\Control\Terminal Server\Winstations\RDP-Tcp:
• MinEncryptionLevel = 3 (TS_ENCRYPTION_LEVEL_HIGH)
• SecurityLayer = 2 (TS_SECURITY_LAYER_SSL)
Server Side: Disable Compression
• Disable server-side compression (server-to-client packets):
• Run GPEDIT, find:
»Local Computer Policy
»Computer Configuration
»Administrative Templates
»Windows Components
»Remote Desktop Services
»Remote Desktop Session Host
»Remote Session Environment
»Configure compression for RemoteFX data
• Enable the policy
• Set to “Do not use a compression algorithm”
Server Side: Disable Bandwidth Detection (W8)
• Disable network characteristics (bandwidth) detection
• RDP8 will send/receive ~3000 frames to detect network conditions (bandwidth, RTT, Kb/sec) at initial connect:
• Decrypting these frames increases decryption time
• Solution: disable network bandwidth detection via GPEdit:
»Local Computer Policy
»Computer Configuration
»Administrative Templates
»Windows Components
»Remote Desktop Services
»Remote Desktop Session Host
» Connections
» Select network detection on the server
“Turn off Connect Time & Continuous NW Detect”
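The registry part of the server-side steps (thumbprint into SSLCertificateSHA1Hash, plus the Windows 7 MinEncryptionLevel/SecurityLayer values) as a script, added as an example and not taken from the deck; the two GPEdit policies above stay manual. It assumes the .PFX is already imported into the computer's Personal store with NETWORK SERVICE granted access to the private key, an elevated prompt, and that $Subject is the subject you gave MAKECERT ("CCS" on the slides is shorthand for CurrentControlSet).

```powershell
# Added example, not from the deck: point the RDP-Tcp listener at the imported
# certificate and apply the Windows 7 security values listed on the slides.
# Assumes the .PFX was imported into LocalMachine\My and $Subject is its subject.
param([string]$Subject = "CN=rdp-capture")   # assumption: subject chosen at MAKECERT time

$listener = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

# Locate the certificate; its Thumbprint is the SHA1 hash MMC shows under Details.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)               { throw "No certificate with subject '$Subject' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; import the .PFX, not a .CER" }

# The registry value is REG_BINARY (20 raw bytes), not the hex text MMC displays.
$hex       = $cert.Thumbprint
$hashBytes = [byte[]](0..($hex.Length / 2 - 1) |
             ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
if ($hashBytes.Length -ne 20) { throw "Expected a 20-byte SHA1 thumbprint, got $($hashBytes.Length)" }
Set-ItemProperty -Path $listener -Name SSLCertificateSHA1Hash -Value $hashBytes -Type Binary

# Windows 7 (NT 6.1) only; the slides say the Windows 8 defaults are fine.
# 3 = TS_ENCRYPTION_LEVEL_HIGH, 2 = TS_SECURITY_LAYER_SSL
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 6 -and $os.Minor -eq 1) {
    Set-ItemProperty -Path $listener -Name MinEncryptionLevel -Value 3 -Type DWord
    Set-ItemProperty -Path $listener -Name SecurityLayer      -Value 2 -Type DWord
}

# Read the values back so the listener configuration can be checked before capturing.
Get-ItemProperty -Path $listener | Select-Object MinEncryptionLevel, SecurityLayer,
    @{ n = 'SSLCertificateSHA1Hash'
       e = { ($_.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('x2') }) -join '' } }
```

Restart the Remote Desktop Services service (or reboot) after the change so the listener picks up the new certificate.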
Client Side: Disable Bulk Compression
• Disable client-side compression (client-to-server packets):
• Run MSTSC
• Enter remote system’s address/name
• Press “Show Options”, select “Save As”
• Save configuration (.RDP file)
• Open .RDP file (using Notepad), set compression to zero
• compression:i:0
Client Side: (Optional) Set Specific Compression
• If you want the client to use a specific compression algorithm:
• HKLM\Software\Microsoft\Terminal Server Client\MaxRdpCompressionLevel
• 0 = “RDP 4” (8K)
• 1 = “RDP 5” (64K)
• 2 = “RDP 6” (64K NCRUSH)
• 3 = “RDP 6.1” (XCRUSH)
• 4 = “RDP 8” (RDP8)
• Sets [MS-RDPBCGR] ClientInfoPDU flag CompressionTypeMask
Cipher Suites: Elliptic Curves
• Windows 10 uses elliptic curve cipher suites by default:
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA {0xc0, 0x14}
• (in the list of client-supported cipher suites in the TLS handshake)
• Neither NetMon/NmDecrypt nor Message Analyzer handles these suites
• Edit GPEDIT, Computer Configuration, Administrative Templates, Network, SSL Configuration Settings, “SSL Cipher Suite Order” to only list a known-supported suite.
• I use “TLS_RSA_WITH_AES_128_CBC_SHA”
Client Side: Disable TLS 1.2 (W8)
• Disable TLS 1.2: Windows 8 ONLY
• Windows 8 uses TLS 1.2 by default
• Netmon’s decryption expert (NmDecrypt) does not decrypt TLS 1.2 frames
• Solution: downgrade to TLS 1.1 or 1.0
• Make HKLM\System\CCS\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client (there’s a space between “TLS” and “1.2”)
• And HKLM\System\CCS\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client (there’s a space between “TLS” and “1.1”)
• Add (to both):
• Enabled = (DWORD) 0
• DisabledByDefault = (DWORD) 1
• Consequence: Windows Update will stop working (reported), as it requires TLS 1.2
Disable Extended Master Secret RFC7627
• Windows added the “Extended Master Secret” extension (RFC 7627) to the TLS Client Hello.
• NmDecrypt halts decryption if it encounters it
• Shows up as “unknown extension type” 0x0017
• To disable, set:
HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel: DisableClientExtendedMasterSecret (DWORD) = 1
Client Side: Disable UDP (W8)
• Disable RDP over UDP … Windows 8 ONLY
• RDP 8 uses both TCP and UDP
• Network Monitor and NmDecrypt are “conversation” based
• They treat each conversation as separate
• Solution: Disable UDP; force TCP only
• Run REGEDIT
• Create HKLM\Software\Microsoft\Terminal Server Client\DisableUDPTransport (DWORD) = 1
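The client-side steps above (bulk compression off in the .RDP file, TLS 1.2/1.1 client disabled, Extended Master Secret off, cipher suite order pinned, UDP transport off) as one script for the lab client running MSTSC, added as an example and not taken from the deck. It assumes an elevated prompt, that $RdpFile is a connection file you saved from MSTSC, and that the cipher-suite registry key is the backing store of the GPEdit “SSL Cipher Suite Order” policy.

```powershell
# Added example, not from the deck: apply the client-side settings from the slides
# on the machine running MSTSC. Assumes an elevated prompt and a saved .RDP file.
param([string]$RdpFile = "$env:USERPROFILE\Documents\capture.rdp")   # assumption

function Set-RegValue($Path, $Name, $Value, $Type = 'DWord') {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
}

$schannel = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
$tsc      = "HKLM:\SOFTWARE\Microsoft\Terminal Server Client"

# 1. Windows 8: disable the TLS 1.2 and TLS 1.1 client sides so the session falls
#    back to a version NmDecrypt handles. Note the space inside "TLS 1.2".
#    Side effect from the slides: Windows Update needs TLS 1.2 and stops working.
foreach ($ver in "TLS 1.2", "TLS 1.1") {
    Set-RegValue "$schannel\Protocols\$ver\Client" "Enabled"           0
    Set-RegValue "$schannel\Protocols\$ver\Client" "DisabledByDefault" 1
}

# 2. Keep the Extended Master Secret extension (RFC 7627, type 0x0017) out of the
#    Client Hello; NmDecrypt halts when it sees it.
Set-RegValue $schannel "DisableClientExtendedMasterSecret" 1

# 3. Registry form of the GPEdit "SSL Cipher Suite Order" policy (assumption: this
#    key backs that policy): offer only the suite the slides use, so no elliptic
#    curve suite is negotiated.
Set-RegValue "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" `
             "Functions" "TLS_RSA_WITH_AES_128_CBC_SHA" 'String'

# 4. Windows 8: TCP only, so the whole session is one TCP conversation for NmDecrypt.
Set-RegValue $tsc "DisableUDPTransport" 1

# 5. Optional: pin the client's compression type (0..4 as listed on the slides).
# Set-RegValue $tsc "MaxRdpCompressionLevel" 0

# 6. Turn off bulk compression in the saved connection file (client-to-server PDUs).
#    MSTSC writes .RDP files as UTF-16, so write the file back the same way.
if (Test-Path $RdpFile) {
    $kept = @(Get-Content $RdpFile | Where-Object { $_ -notmatch '^compression:i:' })
    $kept + "compression:i:0" | Set-Content -Path $RdpFile -Encoding Unicode
} else {
    Write-Warning "No .RDP file at $RdpFile; save one from MSTSC first, then set compression:i:0"
}
```

Reboot the client after the SCHANNEL changes; launch MSTSC from the edited .RDP file rather than typing the address again, or the saved compression setting is not used.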
Netmon: Install Network Monitor
• Download “Microsoft Network Monitor 3.4”
• (http://www.microsoft.com/en-us/download/details.aspx?id=4865)
• Installs Netmon + 2010 parser package
• It can be installed on either the client or server side
• (but the certificate’s PFX file must be copied to this machine)
• Run Netmon as an Administrator
• First time for Windows 7 (installs driver)
• Every time for Windows 8
• Change parser profile to “Windows”
Netmon: Install Current Parsers
• Install latest parser package
• Updated specifically for RDP:
• Oct 2011 or newer for Windows 7
• Sept 2012 or newer for Windows 8
• Were available via nmparsers.codeplex.com
• Now available via Download Center
• (https://www.microsoft.com/en-us/download/details.aspx?id=53671)
• Package will replace original (2010) parsers
Netmon: Install NmDecrypt
• Install Decryption Expert
• Available via Codeplex: (http://nmdecrypt.codeplex.com)
• Copy certificate’s .PFX file to this machine
• Windows 8: MUST install .Net Framework 3.5:
• Connected to the Internet:
» Control Panel
» Programs
» Turn Windows Features On or Off
“.NET Framework 3.5 (includes .NET 2.0 and 3.0)”
• Not connected to the Internet:
Insert Windows 8 installation media (DVD), run:
“dism /online /enable-feature:NetFx3 /all /source:d:\sources\sxs”
Capturing & Decrypting: Capturing
• Start Network Monitor
• Select “New Capture”
• Press “Start”
• You MUST begin capture before RDP connection (trace MUST include TLS handshake)
• Wait until “Waiting for network traffic”
Capturing & Decrypting: Stopping
• Stop the trace as soon as possible.
• Longer traces take longer to decrypt!
• NmDecrypt has a 2 GB trace limit
• Save the trace, close Netmon and re-open the trace
• NmDecrypt only decrypts from a saved file
Capturing & Decrypting: Find the Conversation
• NmDecrypt operates on a “conversation” basis
• Find the “conversation” that applies to this session:
• Trace from the client: mstsc.exe (port 3389)
• Trace from the server: svchost.exe (port 3389)
• Select the TCP conversation that has the most frames
• Often, there are two TCP conversations: one small, one large
• Be sure to select the TCP conversation, not the enclosing IPv4 or IPv6 conversation
• Select Experts, NmDecrypt, Run Expert
Capturing & Decrypting: NmDecrypt
• Input parameters
• Encrypted input is pre-set
• Specify the certificate’s .PFX file
• Supply the certificate’s password
• (the password was specified when the certificate was exported)
• Add an output filename (.CAP), press START
• Specify a log path only if there is a problem
• (emits a detailed log file of the decryption process)
Capturing & Decrypting: View Trace
• When done, Netmon will open the resulting capture file
• Contains both encrypted and decrypted frames
• Encrypted frames: have an Ethernet header
• Decrypted frames: have a “Decrypted Payload Header”
• Use “DecryptedPayloadFilter” in Display Filter
Close: Protocol List (1 of 3)
• [MS-RDSOD] Remote Desktop Services Protocols Overview
• [MS-RDPBCGR] Basic Connectivity and Graphics Remoting

• [MS-RDPADRV] Audio Level and Drive Letter Persistence Virtual Channel Extension
• [MS-RDPCR2] Composited Remoting V2
• [MS-RDPEA] Audio Output Virtual Channel Extension
• [MS-RDPEAI] Audio Input Redirection Virtual Channel Extension
• [MS-RDPECLIP] Clipboard Virtual Channel Extension
• [MS-RDPEDC] Desktop Composition Virtual Channel Extension
• [MS-RDPEDYC] Dynamic Channel Virtual Channel Extension
• [MS-RDPEECO] Virtual Channel Echo Extension
• [MS-RDPEFS] File System Virtual Channel Extension
• [MS-RDPEGDI] Graphics Device Interface (GDI) Acceleration Extensions
• [MS-RDPEGFX] Graphics Pipeline Extension
• [MS-RDPEGT] Geometry Tracking Virtual Channel Protocol Extension
• [MS-RDPEI] Input Virtual Channel Extension
• [MS-RDPELE] Licensing Extension
Close: Protocol List (2 of 3)
• [MS-RDPEMC] Multiparty Virtual Channel Extension
• [MS-RDPEMT] Multitransport Extension
• [MS-RDPEPC] Print Virtual Channel Extension
• [MS-RDPEPNP] Plug and Play Devices Virtual Channel Extension
• [MS-RDPEPS] Session Selection Extension
• [MS-RDPERP] Remote Programs Virtual Channel Extension
• [MS-RDPESC] Smart Card Virtual Channel Extension
• [MS-RDPESP] Serial and Parallel Port Virtual Channel Extension
• [MS-RDPEUDP] UDP Transport Extension
• [MS-RDPEUSB] USB Devices Virtual Channel Extension
• [MS-RDPEV] Video Redirection Virtual Channel Extension
• [MS-RDPEVOR] Video Optimized Remoting Virtual Channel Extension
• [MS-RDPEXPS] XML Paper Specification (XPS) Print Virtual Channel Extension
• [MS-RDPNSC] NSCodec Extension
• [MS-RDPRFX] RemoteFX Codec Extension
• [MS-RDWR] Remote Desktop Workspace Runtime Protocol
Close: Protocol List (3 of 3)
• [MS-TSSO] Terminal Services System Overview
• [MS-TSGU] Terminal Services Gateway Server Protocol
• (RPC-based protocol; this decryption technique will not work for it)
• [MS-TSTS] Terminal Services Terminal Server Runtime Interface Protocol
• [MS-TSWP] Terminal Services Workspace Provisioning Protocol
Close: [MS-RDSOD] 2.2.1 Overview
Sample RDP Connection: [MS-RDPBCGR] 1.3.1.1
Close: What About Message Analyzer
• MA does not presently have the ability to decrypt RDP traffic
• Plans to enable capturing raw RDP traffic are being discussed
• To download Message Analyzer:
• Go to http://connect.Microsoft.com
• Join the Netmon group
• MA download will then become visible
How to get Help
• E-mail dochelp@microsoft.com
• 1:1, private
• Monitored by support 24x7
• Issues acknowledged within 24 hours
• Post to a Microsoft Open Specifications Forum
• 1:many, public
• Community of industry implementers
• Moderated by Microsoft
• Issues become support cases for tracking
• Open Specifications Support is free
Open Specifications Community Forums
http://social.msdn.microsoft.com/Forums/en-US/category/openspecifications
• Windows Protocols (recommended for RDP issues)
• Using the Open Specifications
• Using the SharePoint Products and Technologies Protocols
• File Services
• Using the Exchange Server Protocols
• Using the Office Protocols
• Office File Formats
• Using the Microsoft SQL Server Protocols
• Documentation on Standards
• Office Open XML File Format Implementation
• Interoperability Scenarios: Technical Questions
• Office Open Document Format Implementation
• Open Packaging Conventions (OPC)
Help us help you: Asking good questions
• Clear problem description
• Document short name (e.g. [MS-RDPEUSB])
• Section (e.g. 2.2.4.1 Add Virtual Channel)
• Doc version (e.g. v20110609)
• Impact to your project (Blocking? Just feedback?)
• Multiple issues: Provide priorities
• Include sample files, traces, notes
Out-of-Scope Questions
• Problems NOT related to the Open Specifications documentation
• Requests related to implementing your product
• Product behavior problems (non-Open Specifications related)
• Legal questions (You will be forwarded to our legal team:
protocol@microsoft.com)
• Licensing questions (You will be forwarded to our licensing team:
protocol@microsoft.com)
Resources…
• www.microsoft.com/protocols
• Technical Specifications
• Licensing Programs
• Open Specifications
• Support Avenues
• MSDN.com
• Channel9.MSDN.com
…Resources
• Specifications (protocol technical documents)
• http://msdn.microsoft.com/en-us/library/cc216517(v=prot.10).aspx
• MSDN Windows protocols forum
• http://social.msdn.microsoft.com/Forums/en-US/os_windowsprotocols/threads
• Please, DO NOT MOVE THREADS to this forum (start new threads)
• Open Specifications Team Blog
• http://blogs.msdn.com/b/openspecification
• Raising protocol specification questions
• E-Mail dochelp@microsoft.com
• ONLY for protocol questions, not product support
• Download Network Monitor 3.4, latest parsers and NmDecrypt
• http://www.microsoft.com/en-us/download/details.aspx?id=4865
• https://connect.microsoft.com/site216/Downloads
• http://nmdecrypt.codeplex.com/
Q&A

http://www.microsoft.com/protocols
dochelp@microsoft.com
bburgin@microsoft.com
