Bryan S. Burgin
Sr. Escalation Engineer, Developer Support, Open Specs
Microsoft Corporation
Decrypting RDP Traffic with Message Analyzer
Sr. EE, Developer Support, Protocols/Open Specifications/Interop
13 years at Microsoft:
Primary duties:
www.microsoft.com/protocols
www.microsoft.com/openspecifications
May 2012 (Taipei): Whiteboard discussion:
May/July 2012: “Hitchhiker’s Guide to Debugging RDP protocols” blog posts:
April 2013 (Taipei):
March 2014 (Taipei):
Viewing unencrypted, uncompressed RDP traffic Windows-to-Windows in both directions is difficult.
Viewing unencrypted traffic:
To share a technique to observe Windows-to-Windows RDP traffic using Message Analyzer
Network Monitor/NmDecrypt advantages
Network Monitor/NmDecrypt disadvantages
Message Analyzer advantages
Message Analyzer disadvantages
Make and export a certificate
Server-side preparation
Client-side preparation
Installing Message Analyzer
Capturing and analyzing traffic
What’s next
Close
Make and export a certificate
Server-side preparation
Client-side preparation
Installing Message Analyzer
Capturing and analyzing traffic
What’s next
Close
Demo
References
Getting help
Only needs to be done once in a lifetime.
Can be made on any machine.
Make a certificate using MAKECERT.
Export the cert to a Personal Information Exchange (.PFX) file
Import/copy the certificate (via PFX) wherever it will be used:
Note: Do NOT check Network Level Authentication
Import certificate via Microsoft Management Console (MMC):
Double-click .PFX file
Run MMC, use Certificate plug-in for Local Computer
Find certificate in the local store
Right-click, All Tasks, Manage Private Keys
Add NETWORK SERVICE
To use the certificate, RDP needs to know the certificate’s SSL SHA1 HASH (a.k.a. Thumbprint):
For any given certificate, the HASH is always the same
Identify certificate’s SHA1 HASH to RDP
The RDP server will now use this certificate for encryption
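The certificate steps above (make the certificate, export it to a PFX, import it on the server, grant NETWORK SERVICE access to the private key, and hand RDP the SHA1 hash) as one PowerShell script. This is an added example, not the presenter's material: New-SelfSignedCertificate stands in for the MAKECERT tool the talk uses, the Win32_TSGeneralSetting WMI class is used to write the thumbprint that the talk sets on the RDP-Tcp listener, and the subject name, file path and the CSP-based key file location are assumptions.

```powershell
# Added example (not from the talk). Run in an elevated PowerShell session.
# Subject name and PFX path are assumptions; change them for your lab.
$subject     = 'CN=rdp-decrypt-lab'
$pfxPath     = 'C:\temp\rdp-decrypt-lab.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Make the certificate (once, on any machine). A CSP provider is requested so
#    the private key is stored as a file under RSA\MachineKeys, which step 4 ACLs.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable -KeyLength 2048 -KeySpec KeyExchange `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'

# 2. Export to PFX so the same certificate can be imported wherever it is used.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# --- remaining steps run on the RDP server ---

# 3. Import into the Local Computer personal store (the MMC Certificates step).
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword -Exportable

# 4. "Manage Private Keys -> Add NETWORK SERVICE": the RDP listener reads the key
#    as NETWORK SERVICE, so give that account read access on the key container file.
$container = $imported.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $container) { throw 'Private key is not a CSP key; grant access via MMC instead' }
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
icacls $keyFile /grant 'NETWORK SERVICE:R' | Out-Null

# 5. Identify the certificate to RDP by its SHA1 hash (thumbprint). This writes the
#    SSLCertificateSHA1Hash setting of the RDP-Tcp listener, the same value the
#    talk sets under HKLM\...\Terminal Server\WinStations\RDP-Tcp.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $imported.Thumbprint } | Out-Null

# 6. Check: read the listener back and confirm it reports our thumbprint.
$check = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($check.SSLCertificateSHA1Hash -ne $imported.Thumbprint) {
    throw 'RDP-Tcp listener did not accept the certificate'
}
"RDP-Tcp now uses certificate $($imported.Thumbprint); reconnect to pick it up"
```

Keep the PFX and its password with the trace material: the same certificate (and hence the same thumbprint) is what Message Analyzer later needs to decrypt the capture, so it should be reused rather than regenerated per server.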
Windows 7 ONLY; Windows 8 defaults are okay
Set HKLM\System\CCS\Control\Terminal Server\Winstations\RDP-Tcp:
Disable server-side compression (server-to-client packets):
Run GPEDIT, find: Local Computer Policy » Computer Configuration » Administrative Templates » Windows Components » Remote Desktop Services » Remote Desktop Session Host » Remote Session Environment » Configure compression for RemoteFX data
Enable the policy; set it to “Do not use a compression algorithm”
RDP8 will send/receive ~3000 frames to detect network conditions (bandwidth) at initial connect (RTT, Kb/sec):
Disabling bandwidth detection reduces overhead, yields smaller and faster traces
Solution: disable network bandwidth detection via GPEdit » Local Computer Policy » Computer Configuration » Administrative Templates » Windows Components » Remote Desktop Services » Remote Desktop Session Host » Connections » Select network detection on the server
“Turn off Connect Time & Continuous NW Detect”
If you want the client to use a specific compression algorithm:
Windows 8 uses TLS 1.2 by default
Message Analyzer does not decrypt TLS 1.2 frames (yet?)
Solution: downgrade to TLS 1.1 or 1.0
Consequence: Windows Update will stop working
RDP 8 uses both TCP and UDP
Message Analyzer does not decrypt UDP/DTLS frames (yet)
Solution: Disable UDP; force TCP only
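The two client-side workarounds above (drop the client to TLS 1.1/1.0, force TCP only) expressed as registry policy settings rather than GPEdit clicks, with a read-back check to run before starting a capture and a function to undo the TLS change afterwards. This is an added example, not from the talk: the SCHANNEL keys are the documented way to disable a protocol version on Windows, while fClientDisableUDP and SelectTransport (1 assumed to mean “Use only TCP”) are taken to be the registry form of the two Remote Desktop Services GPO settings and should be checked against your own gpedit output.

```powershell
# Added example (not from the talk). Elevated session required; SCHANNEL changes
# take effect after a reboot. Value names marked "assumption" should be verified.
$schannelTls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tsPolicy            = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tsClientPolicy      = "$tsPolicy\Client"

function Set-PolicyDword([string]$Path, [string]$Name, [int]$Value) {
    # Creates the key if needed and writes/overwrites a DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Disable-ClientTls12 {
    # Windows 8 negotiates TLS 1.2 by default; Message Analyzer cannot decrypt it,
    # so disable TLS 1.2 for client-side SCHANNEL use. Consequence stated in the
    # talk: Windows Update stops working while this is in place.
    Set-PolicyDword $schannelTls12Client 'Enabled' 0
    Set-PolicyDword $schannelTls12Client 'DisabledByDefault' 1
}

function Enable-ClientTls12 {
    # Revert after the trace has been captured (removing the values restores defaults).
    Remove-ItemProperty -Path $schannelTls12Client -Name 'Enabled', 'DisabledByDefault' `
        -ErrorAction SilentlyContinue
}

function Disable-RdpUdp {
    # RDP 8 uses TCP and UDP; Message Analyzer cannot decrypt UDP/DTLS, so force TCP.
    Set-PolicyDword $tsClientPolicy 'fClientDisableUDP' 1   # assumption: "Turn Off UDP On Client"
    Set-PolicyDword $tsPolicy 'SelectTransport' 1           # assumption: "Use only TCP" on the server
}

function Get-RdpTraceReadiness {
    # Reads the settings back so the state can be confirmed before capturing.
    $tls = Get-ItemProperty -Path $schannelTls12Client -ErrorAction SilentlyContinue
    $cli = Get-ItemProperty -Path $tsClientPolicy      -ErrorAction SilentlyContinue
    $srv = Get-ItemProperty -Path $tsPolicy            -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Tls12ClientDisabled = ($tls.Enabled -eq 0 -and $tls.DisabledByDefault -eq 1)
        ClientUdpOff        = ($cli.fClientDisableUDP -eq 1)
        ServerTcpOnly       = ($srv.SelectTransport -eq 1)
    }
}

Disable-ClientTls12
Disable-RdpUdp
Get-RdpTraceReadiness
# After the capture: Enable-ClientTls12 and reboot to restore TLS 1.2.
```

Because the TLS downgrade weakens every SCHANNEL client on the machine, not just the RDP client, keep it confined to the lab box used for tracing and revert it as soon as the capture is done.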
Work on improving the parsers:
Add support to decrypt TLS 1.2
Add support to decrypt DTLS and RDP over UDP Traffic
Escalation Engineer
Developer Support
Protocols/Open Specifications/Interoperability
8 years at Microsoft:
• MS-RDPEUDP is a new protocol in RDP8 which uses UDP as a transport and operates in 2 modes:
• Reliable (RDP-UDP-R)
• Best Effort/Lossy (RDP-UDP-L)
• RDP-UDP-R uses TLS; RDP-UDP-L uses DTLS.
• Unique sockets for each instance.
• MS-RDPBCGR\MS-RDPEMT\MS-RDPEUDP
• FEC PDUs
• Optional.
• Safe to ignore and not generate.
• No capability to turn on/ off.
• Without FEC, recovery from packet loss is compromised.
• RDPEUDP is preferred by default if both endpoints are RDP8 capable. This can be turned off through Group Policy:
• Server: Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host: Select RDP Transport Protocols, with the options “Use both UDP and TCP”, “Use only TCP” and “Use Either TCP or UDP”
• Client: Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Connection Client: Turn Off UDP On Client
• MinEncryptionLevel (http://technet.microsoft.com/en-us/library/cc785662(v=ws.10).aspx) MUST be set to 3 (TS_ENCRYPTION_LEVEL_HIGH) and SecurityLayer to 2 (TS_SECURITY_LAYER_SSL) for RDPEUDP.
• Key differentiator from TLS over TCP
• TLS\DTLS packets over UDP are enveloped by RDPEUDP header.
• Apply filter as TLS – Unencrypted handshake and encrypted data PDUs.
• NMDecrypt decrypts encrypted data PDUs.
• Apply filter as TLS, profile windows – No data.
• Apply filter as RDPEUDP – Enveloped handshake and encrypted data PDUs.
• NMDecrypt can’t decrypt RDPEUDP data.
• “16 03 01” or “16 03 02” as starting bytes: it is a TLS (1.0 or 1.1) packet.
• “16 FE FF” as starting bytes: it is a DTLS (1.0) packet.
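The byte-pattern rule above (“16 03 01 / 16 03 02” for TLS, “16 FE FF” for DTLS) as a small record-header classifier, so the first bytes of a frame can be checked before deciding whether Message Analyzer will be able to decrypt it. This is an added example, not from the talk: the record layouts are the standard TLS (5-byte) and DTLS (13-byte) headers, the sample byte strings are constructed, and the “can decrypt” flag only restates what the talk says about TLS 1.2 and DTLS.

```powershell
# Added example (not from the talk). Classifies the start of a captured record as
# TLS or DTLS and decodes the header fields. Sample inputs below are constructed.
$contentTypes = @{ 0x14 = 'ChangeCipherSpec'; 0x15 = 'Alert'; 0x16 = 'Handshake'; 0x17 = 'ApplicationData' }
$tlsVersions  = @{ 0x0301 = 'TLS 1.0'; 0x0302 = 'TLS 1.1'; 0x0303 = 'TLS 1.2' }
$dtlsVersions = @{ 0xFEFF = 'DTLS 1.0'; 0xFEFD = 'DTLS 1.2' }

function Get-TlsRecordInfo([byte[]]$Bytes) {
    # Returns $null when the bytes do not start with a TLS/DTLS record header.
    if ($Bytes.Length -lt 5) { return $null }
    $type    = [int]$Bytes[0]
    $version = ([int]$Bytes[1] -shl 8) -bor [int]$Bytes[2]
    if (-not $contentTypes.ContainsKey($type)) { return $null }

    if ($tlsVersions.ContainsKey($version)) {
        # TLS record header: type(1) version(2) length(2). Over RDP-UDP-R the same
        # record sits behind an RDPEUDP header, so strip that first if present.
        $length = ([int]$Bytes[3] -shl 8) -bor [int]$Bytes[4]
        return [pscustomobject]@{
            Protocol    = 'TLS'
            Version     = $tlsVersions[$version]
            ContentType = $contentTypes[$type]
            Length      = $length
            HeaderBytes = 5
            # Per the talk: Message Analyzer decrypts TLS 1.0/1.1 but not TLS 1.2.
            MessageAnalyzerCanDecrypt = ($version -ne 0x0303)
        }
    }
    if ($dtlsVersions.ContainsKey($version)) {
        # DTLS record header: type(1) version(2) epoch(2) sequence(6) length(2).
        if ($Bytes.Length -lt 13) { return $null }
        $epoch = ([int]$Bytes[3] -shl 8) -bor [int]$Bytes[4]
        $seq = [long]0
        for ($i = 5; $i -lt 11; $i++) { $seq = ($seq -shl 8) -bor [long]$Bytes[$i] }
        $length = ([int]$Bytes[11] -shl 8) -bor [int]$Bytes[12]
        return [pscustomobject]@{
            Protocol    = 'DTLS (RDP-UDP-L)'
            Version     = $dtlsVersions[$version]
            ContentType = $contentTypes[$type]
            Epoch       = $epoch
            Sequence    = $seq
            Length      = $length
            HeaderBytes = 13
            # Per the talk: Message Analyzer does not decrypt DTLS/UDP frames.
            MessageAnalyzerCanDecrypt = $false
        }
    }
    return $null
}

# Constructed samples: a TLS 1.0 ClientHello start, a TLS 1.2 application-data
# record, a DTLS 1.0 handshake record, and a TPKT header (the X.224 exchange that
# precedes the TLS upgrade in RDP) that must not be mistaken for a TLS record.
$tlsHello  = [byte[]](0x16,0x03,0x01,0x00,0x2F,0x01,0x00,0x00,0x2B,0x03,0x01)
$tls12Data = [byte[]](0x17,0x03,0x03,0x00,0x40)
$dtlsHello = [byte[]](0x16,0xFE,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x5A,0x01)
$tpkt      = [byte[]](0x03,0x00,0x00,0x13,0x0E,0xE0)

foreach ($sample in @($tlsHello, $tls12Data, $dtlsHello, $tpkt)) {
    $hex  = ($sample[0..2] | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    $info = Get-TlsRecordInfo $sample
    if ($info) {
        "$hex -> $($info.Version) $($info.ContentType), length $($info.Length), MA decrypts: $($info.MessageAnalyzerCanDecrypt)"
    } else {
        "$hex -> not a TLS/DTLS record header"
    }
}
```

Run against the first bytes of a frame's payload from a capture to confirm which protocol version the two endpoints actually negotiated; a TLS 1.2 or DTLS result explains an undecrypted trace faster than re-checking the certificate setup.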
www.microsoft.com/protocols
Raising protocol specification [email protected]
Open Specifications Team Blog
http://blogs.msdn.com/b/openspecification
Channel9.MSDN.com
How to get Message Analyzer
http://www.microsoft.com/en-us/download/details.aspx?id=40308
E-mail [email protected]
1:1, private
Monitored by support 24x7
Issues acknowledged within 24 hours
Post to a Microsoft Open Specifications Forum
1:many, public
Community of industry implementers
Moderated by Microsoft
Issues become support cases for tracking
Open Specifications Support is free
Clear problem description
Document short name (e.g. [MS-RDPEUSB])
Section (e.g. 2.2.4.1 Add Virtual Channel)
Doc version (e.g. v20110609)
Impact to your project (Blocking? Just feedback?)
Multiple issues: Provide priorities
Include sample files, traces, notes
Problems NOT related to the Open Specifications documentation:
If in doubt, ask.
Blog: http://blogs.technet.com/b/messageanalyzer/
Operating Guide: http://blogs.technet.com/b/messageanalyzer/
Technet Forum:
Message Analyzer is NOT supported via Dochelp