Decrypting RDP Traffic with Message Analyzer

Post on 31-Mar-2018


Bryan S. Burgin

Sr. Escalation Engineer, Developer Support, Open Specs

Microsoft Corporation

Decrypting RDP Traffic with Message Analyzer

Sr. EE, Developer Support, Protocols/Open Specifications/Interop

13 years at Microsoft:

Primary duties:

www.microsoft.com/protocols

www.microsoft.com/openspecifications

May 2012 (Taipei): Whiteboard discussion:

May/July 2012: “Hitchhiker’s Guide to Debugging RDP protocols” blog posts:

April 2013 (Taipei):

March 2014 (Taipei):

Viewing unencrypted, uncompressed RDP traffic Windows-to-Windows in both directions is difficult.

Viewing unencrypted traffic:

To share a technique to observe Windows-to-Windows RDP traffic using Message Analyzer

Network Monitor/NmDecrypt advantages

Network Monitor/NmDecrypt disadvantages

Message Analyzer advantages

Message Analyzer disadvantages

Make and export a certificate

Server-side preparation

Client-side preparation

Installing Message Analyzer

Capturing and analyzing traffic

What’s next

Close

Demo

References

Getting help

Only needs to be done once in a lifetime.

Can be made on any machine.

Make a certificate using MAKECERT.

Export the cert to a Personal Information Exchange (.PFX) file

Import/copy the certificate (via PFX) wherever it will be used:

Note: Do NOT check Network Level Authentication

Import certificate via Microsoft Management Console (MMC):

Double-click .PFX file

Run MMC, add the Certificates snap-in for Local Computer

Find certificate in the local store

Right-click, All-Tasks, Manage Private Keys

Add NETWORK SERVICE

To use the certificate, RDP needs to know the certificate’s SSL SHA1 HASH (a.k.a. Thumbprint):

For any given certificate, the HASH is always the same

Identify certificate’s SHA1 HASH to RDP

The RDP server will now use this certificate for encryption

Windows 7 ONLY (Windows 8 defaults are okay):

Set HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp:
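The certificate and server-side steps above as one script. This is an added example, not code from the slides: it uses New-SelfSignedCertificate in place of MAKECERT, assumes an elevated PowerShell 5.1 session on the RDP server, and the PFX path and password are placeholders. The Win32_TSGeneralSetting WMI class, its SetUserAuthenticationRequired method and the SSLCertificateSHA1Hash value (the REG_BINARY under the RDP-Tcp key named above) come from the editor's knowledge of RDP, not from the slide; the Windows 7-only values the slide leaves unspecified are not filled in.

```powershell
# Added example: make, export, import the certificate, grant NETWORK SERVICE read on
# the private key, and register the thumbprint with the RDP listener. Not from the slides.
# Assumptions: elevated PowerShell 5.1 on the RDP server; paths/passwords are placeholders.
$PfxPath     = 'C:\lab\rdp-capture.pfx'                                       # placeholder
$PfxPassword = ConvertTo-SecureString 'LabOnly-ChangeMe' -AsPlainText -Force  # placeholder
$RdpTcpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
New-Item -ItemType Directory -Force -Path (Split-Path $PfxPath) | Out-Null

# 1. Make the certificate (the slide uses MAKECERT; New-SelfSignedCertificate is the in-box
#    replacement). Exportable so the same cert can be copied to every machine that needs it.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
            -CertStoreLocation 'Cert:\LocalMachine\My' -KeyExportPolicy Exportable

# 2. Export to a Personal Information Exchange (.PFX) file.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null

# 3. Import into the Local Computer personal store (what double-clicking the PFX or the
#    MMC Certificates snap-in does). On the machine that made it this returns the same cert.
$rdpCert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
               -Password $PfxPassword -Exportable

# 4. "Manage Private Keys" -> NETWORK SERVICE, Read. The key file lives under
#    %ProgramData%\Microsoft\Crypto (RSA\MachineKeys for CAPI keys, Keys for CNG keys).
function Grant-PrivateKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Account = 'NT AUTHORITY\NETWORK SERVICE')
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
            else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $name `
                   -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $keyFile) { throw "Private key file '$name' for $($Cert.Thumbprint) not found" }
    icacls $keyFile.FullName /grant "$($Account):(R)" | Out-Null
}
Grant-PrivateKeyRead -Cert $rdpCert

# 5. The thumbprint is SHA-1 over the DER-encoded certificate, which is why it is the same
#    on every machine the PFX is imported to ("for any given certificate, the HASH is always the same").
$sha1 = -join ([System.Security.Cryptography.SHA1]::Create().ComputeHash($rdpCert.RawData) |
               ForEach-Object { $_.ToString('X2') })
if ($sha1 -ne $rdpCert.Thumbprint) { throw 'Thumbprint is not SHA-1 of RawData (unexpected)' }

# 6. Identify the hash to RDP, and leave Network Level Authentication off as the slide requires.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
          -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $rdpCert.Thumbprint } | Out-Null
$ts.SetUserAuthenticationRequired(0) | Out-Null   # "Do NOT check Network Level Authentication"

# 7. Verify: the same 20 bytes now sit in the RDP-Tcp registry value the WMI property fronts.
$reg    = (Get-ItemProperty -Path $RdpTcpKey -Name SSLCertificateSHA1Hash).SSLCertificateSHA1Hash
$regHex = -join ($reg | ForEach-Object { $_.ToString('X2') })
"Listener certificate: $regHex (expected $($rdpCert.Thumbprint))"
```

Copy the same .PFX to the machine running Message Analyzer as well, since decryption needs the private key there too; the listener picks up the new certificate on the next RDP connection.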

Disable server-side compression (server-to-client packets):

Run GPEDIT, find: Local Computer Policy » Computer Configuration » Administrative Templates » Windows Components » Remote Desktop Services » Remote Desktop Session Host » Remote Session Environment » Configure compression for RemoteFX data

Enable the policy; set it to “Do not use a compression algorithm”

RDP8 will send/receive ~3000 frames at initial connect to detect network conditions (bandwidth in Kb/sec, RTT):

Disabling bandwidth detection reduces overhead, yields smaller and faster traces

Solution: disable network bandwidth detection via GPEDIT: Local Computer Policy » Computer Configuration » Administrative Templates » Windows Components » Remote Desktop Services » Remote Desktop Session Host » Connections » Select network detection on the server

Set it to “Turn off Connect Time Detect and Continuous Network Detect”


If you want the client to use a specific compression algorithm:

Windows 8 uses TLS 1.2 by default

Message Analyzer does not decrypt TLS 1.2 frames (yet?)

Solution: downgrade the client to TLS 1.1 or 1.0

Consequence: Windows Update will stop working

RDP 8 uses both TCP and UDP

Message Analyzer does not decrypt UDP/DTLS frames (yet)

Solution: Disable UDP; force TCP only
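The two client-side changes above (no TLS 1.2, no UDP) as a script with an undo step. This is an added example, not code from the slides. It assumes an elevated PowerShell session on the capture client; the Schannel protocol keys are the documented ones, while fClientDisableUDP is the editor's recollection of the registry value behind the “Turn Off UDP On Client” policy and should be verified against the Terminal Services ADMX on your build. Schannel changes take effect after a reboot.

```powershell
# Added example: client-side preparation for a decryptable trace, with a restore step.
# Not from the slides. Assumptions: elevated PowerShell on the capture client; the
# fClientDisableUDP policy value name is assumed (verify against your ADMX).
$Schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$RdpClient = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'

function Set-SchannelProtocol {
    param([ValidateSet('TLS 1.0','TLS 1.1','TLS 1.2')][string]$Protocol,
          [ValidateSet('Client','Server')][string]$Side,
          [bool]$Enabled)
    $key = Join-Path $Schannel "$Protocol\$Side"
    New-Item -Path $key -Force | Out-Null
    # Enabled=0 plus DisabledByDefault=1 switches the protocol off for that side only.
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
}

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path $Schannel "$Protocol\$Side"
    if (-not (Test-Path $key)) { return 'default' }
    $p = Get-ItemProperty -Path $key
    if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { 'off' } else { 'on' }
}

# "Windows 8 uses TLS 1.2 by default; Message Analyzer does not decrypt TLS 1.2":
# stop the client offering 1.2 so the RDP server negotiates 1.1 or 1.0 instead.
function Enable-CaptureDowngrade {
    Set-SchannelProtocol -Protocol 'TLS 1.2' -Side Client -Enabled $false
    Set-SchannelProtocol -Protocol 'TLS 1.1' -Side Client -Enabled $true
    Set-SchannelProtocol -Protocol 'TLS 1.0' -Side Client -Enabled $true
    # "RDP 8 uses both TCP and UDP; Message Analyzer does not decrypt UDP/DTLS": TCP only.
    New-Item -Path $RdpClient -Force | Out-Null
    New-ItemProperty -Path $RdpClient -Name fClientDisableUDP -PropertyType DWord -Value 1 -Force | Out-Null
}

# Undo after the trace is captured: deleting the keys returns Windows to its defaults
# (the slide's consequence of the downgrade is that Windows Update stops working).
function Disable-CaptureDowngrade {
    foreach ($p in 'TLS 1.0','TLS 1.1','TLS 1.2') {
        $key = Join-Path $Schannel "$p\Client"
        if (Test-Path $key) { Remove-Item -Path $key -Recurse }
    }
    Remove-ItemProperty -Path $RdpClient -Name fClientDisableUDP -ErrorAction SilentlyContinue
}

Enable-CaptureDowngrade
foreach ($p in 'TLS 1.0','TLS 1.1','TLS 1.2') {
    "$p client: $(Get-SchannelProtocolState -Protocol $p -Side Client)"
}
"RDP client UDP disabled: $((Get-ItemProperty -Path $RdpClient).fClientDisableUDP -eq 1)"
# Reboot, take the trace, then run Disable-CaptureDowngrade and reboot again.
```

The downgrade is machine-wide for every Schannel client on the box, not just mstsc, which is why the slide warns about Windows Update; keep the capture client a throwaway lab machine and run the restore step as soon as the trace is in hand.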


Work on improving the parsers:

Add support to decrypt TLS 1.2

Add support to decrypt DTLS and RDP over UDP Traffic

Escalation Engineer

Developer Support

Protocols/Open Specifications/Interoperability

8 years at Microsoft:

• MS-RDPEUDP is a new protocol in RDP8 which uses UDP as a transport and operates in 2 modes:

• Reliable (RDP-UDP-R)

• Best Effort/Lossy (RDP-UDP-L).

• RDP-UDP-R uses TLS; RDP-UDP-L uses DTLS.

• Unique sockets for each instance.

• MS-RDPBCGR\MS-RDPEMT\MS-RDPEUDP

• FEC PDUs

• Optional.

• Safe to ignore and not generate.

• No capability to turn on/ off.

• Without FEC, recovery from packet loss will be compromised.

• RDPEUDP is preferred by default if both endpoints are RDP8 capable. This can be turned off through Group Policy:

• Server: Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host: “Select RDP Transport Protocols”, with the options “Use both UDP and TCP”, “Use only TCP” and “Use either TCP or UDP”

• Client: Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Connection Client: “Turn Off UDP On Client”

• MinEncryptionLevel (http://technet.microsoft.com/en-us/library/cc785662(v=ws.10).aspx) MUST be set to 3 (TS_ENCRYPTION_LEVEL_HIGH) and SecurityLayer to 2 (TS_SECURITY_LAYER_SSL) for RDPEUDP.
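A check for the two listener settings just named, plus the server-side transport policy, as an added PowerShell example that is not from the slides. It assumes an elevated session on the RDP server and reads the settings through the Win32_TSGeneralSetting WMI class (SecurityLayer, MinEncryptionLevel and their Set methods). The SelectTransport value and its 0/1/2 mapping are the editor's recollection of the registry value behind “Select RDP Transport Protocols”; verify them against the Terminal Services ADMX on your build.

```powershell
# Added example: verify/set the RDPEUDP prerequisites on the RDP-Tcp listener and pick the
# transport policy. Not from the slides. Assumption: SelectTransport 0=both, 1=TCP only,
# 2=either (editor's recollection, verify against your ADMX).
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpTcpSetting {
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
}

# UdpPossible is $true only when the listener meets the slide's two conditions.
function Test-RdpUdpPrerequisites {
    $ts = Get-RdpTcpSetting
    [pscustomobject]@{
        SecurityLayer      = $ts.SecurityLayer        # 2 = TS_SECURITY_LAYER_SSL
        MinEncryptionLevel = $ts.MinEncryptionLevel   # 3 = TS_ENCRYPTION_LEVEL_HIGH
        UdpPossible        = ($ts.SecurityLayer -eq 2) -and ($ts.MinEncryptionLevel -eq 3)
    }
}

function Set-RdpUdpPrerequisites {
    $ts = Get-RdpTcpSetting
    if ($ts.SecurityLayer -ne 2)      { $ts.SetSecurityLayer(2)   | Out-Null }
    if ($ts.MinEncryptionLevel -ne 3) { $ts.SetEncryptionLevel(3) | Out-Null }
}

# Transport policy. For a Message Analyzer capture choose TcpOnly, since RDP over
# UDP (TLS/DTLS inside the RDPEUDP envelope) is not decrypted.
function Set-RdpTransportPolicy {
    param([ValidateSet('Both','TcpOnly','Either')][string]$Mode)
    $map   = @{ Both = 0; TcpOnly = 1; Either = 2 }
    New-Item -Path $TsPolicy -Force | Out-Null
    New-ItemProperty -Path $TsPolicy -Name SelectTransport -PropertyType DWord -Value $map[$Mode] -Force | Out-Null
}

Set-RdpUdpPrerequisites
Test-RdpUdpPrerequisites
Set-RdpTransportPolicy -Mode TcpOnly
```

Run Test-RdpUdpPrerequisites on a server that unexpectedly never shows UDP traffic: a SecurityLayer of 0 or 1 (RDP security or negotiate) or a lower encryption level is enough to keep the client on TCP regardless of the transport policy.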

• Key differentiator from TLS over TCP

• TLS/DTLS packets over UDP are enveloped by an RDPEUDP header.

• Apply filter as TLS – Unencrypted handshake and encrypted data PDUs.

• NMDecrypt decrypts encrypted data PDUs.

• Apply filter as TLS, profile Windows – No data.

• Apply filter as RDPEUDP – Enveloped handshake and encrypted data PDUs.

• NMDecrypt can’t decrypt RDPEUDP data.

• If a packet’s first bytes are 16 03 01 or 16 03 02 (handshake, TLS 1.0 or 1.1), it is a TLS packet.

• If a packet’s first bytes are 16 FE FF (handshake, DTLS 1.0), it is a DTLS packet.
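The byte-pattern rule above, turned into a small record classifier. This is an added example, not from the slides, and it generalises the rule to all four TLS/DTLS record content types and to the other version bytes (03 03 for TLS 1.2, FE FD for DTLS 1.2), plus TPKT framing for RDP over TCP. The sample packets are constructed for the example. Because the RDPEUDP envelope does not have a fixed layout this editor would vouch for, Find-RecordOffset locates the enveloped record by scanning for a header whose declared length fits, rather than by a fixed offset.

```powershell
# Added example: classify a TLS / DTLS / TPKT packet from its leading bytes and find a
# TLS/DTLS record inside an RDPEUDP datagram. Not from the slides; sample bytes are constructed.
$ContentTypes = @{ 0x14 = 'change_cipher_spec'; 0x15 = 'alert'; 0x16 = 'handshake'; 0x17 = 'application_data' }

function Get-RecordKind {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $r = [ordered]@{ Kind = 'Unknown'; ContentType = $null; Version = $null; Length = $null; Epoch = $null }
    if ($Bytes.Length -ge 5 -and $ContentTypes.ContainsKey([int]$Bytes[0]) -and $Bytes[1] -eq 0x03) {
        # TLS record header: type(1) version(2) length(2). 03 01 = TLS 1.0, 03 02 = TLS 1.1, 03 03 = TLS 1.2.
        $r.Kind        = 'TLS'
        $r.ContentType = $ContentTypes[[int]$Bytes[0]]
        $r.Version     = switch ($Bytes[2]) { 0 {'SSL 3.0'} 1 {'TLS 1.0'} 2 {'TLS 1.1'} 3 {'TLS 1.2'} default {'unknown'} }
        $r.Length      = ($Bytes[3] -shl 8) -bor $Bytes[4]
    }
    elseif ($Bytes.Length -ge 13 -and $ContentTypes.ContainsKey([int]$Bytes[0]) -and $Bytes[1] -eq 0xFE) {
        # DTLS record header: type(1) version(2) epoch(2) sequence(6) length(2). FE FF = DTLS 1.0, FE FD = DTLS 1.2.
        $r.Kind        = 'DTLS'
        $r.ContentType = $ContentTypes[[int]$Bytes[0]]
        $r.Version     = switch ($Bytes[2]) { 0xFF {'DTLS 1.0'} 0xFD {'DTLS 1.2'} default {'unknown'} }
        $r.Epoch       = ($Bytes[3] -shl 8) -bor $Bytes[4]
        $r.Length      = ($Bytes[11] -shl 8) -bor $Bytes[12]
    }
    elseif ($Bytes.Length -ge 4 -and $Bytes[0] -eq 0x03 -and $Bytes[1] -eq 0x00) {
        # RDP over TCP: TPKT (03 00 + 16-bit length) carries X.224 before any TLS record appears.
        $r.Kind   = 'TPKT'
        $r.Length = ($Bytes[2] -shl 8) -bor $Bytes[3]
    }
    [pscustomobject]$r
}

# First offset in a datagram where a TLS/DTLS record header parses and its declared
# length fits in the remaining bytes; -1 if none. Used to find the enveloped handshake.
function Find-RecordOffset {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    for ($i = 0; $i -lt $Bytes.Length; $i++) {
        $rec = Get-RecordKind -Bytes $Bytes[$i..($Bytes.Length - 1)]
        if ($rec.Kind -notin 'TLS','DTLS' -or $rec.Version -eq 'unknown') { continue }
        $hdr = if ($rec.Kind -eq 'TLS') { 5 } else { 13 }
        if (($hdr + $rec.Length) -le ($Bytes.Length - $i)) { return $i }
    }
    return -1
}

# Constructed samples: minimal record headers with a short body, not captured traffic.
$samples = [ordered]@{
    'TLS 1.0 ClientHello (RDP over TCP)'        = [byte[]](0x16,0x03,0x01,0x00,0x05, 0x01,0x00,0x00,0x01,0x00)
    'TLS 1.2 ClientHello (not decrypted by MA)' = [byte[]](0x16,0x03,0x03,0x00,0x05, 0x01,0x00,0x00,0x01,0x00)
    'DTLS 1.0 ClientHello (RDP-UDP-L)'          = [byte[]](0x16,0xFE,0xFF, 0x00,0x00, 0,0,0,0,0,0, 0x00,0x02, 0x01,0x00)
    'TPKT X.224 Connection Request (TCP)'       = [byte[]](0x03,0x00,0x00,0x13, 0x0E,0xE0,0,0,0,0,0, 0x01,0x00,0x08,0x00,0x03,0,0,0)
}
foreach ($name in $samples.Keys) {
    $rec = Get-RecordKind -Bytes $samples[$name]
    '{0,-44} {1,-7} {2,-18} {3,-9} len={4}' -f $name, $rec.Kind, $rec.ContentType, $rec.Version, $rec.Length
}

# A made-up 7-byte prefix stands in for the RDPEUDP envelope; the scan finds the DTLS record at offset 7.
$enveloped = [byte[]](0xAA,0xBB,0xCC,0xDD,0xEE,0xFF,0x00) + $samples['DTLS 1.0 ClientHello (RDP-UDP-L)']
"DTLS record inside envelope at offset $(Find-RecordOffset -Bytes $enveloped)"
```

This is the same distinction the Network Monitor filters above rely on: a TLS filter matches the bare 16 03 0x records on TCP, while on UDP the record only appears after the RDPEUDP header, which is why applying the TLS filter to RDPEUDP traffic shows nothing and NMDecrypt cannot decrypt it.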


www.microsoft.com/protocols

Raising protocol specification questions: dochelp@microsoft.com

Open Specifications Team Blog: http://blogs.msdn.com/b/openspecification

Channel9.MSDN.com

How to get Message Analyzer

http://www.microsoft.com/en-us/download/details.aspx?id=40308

E-mail dochelp@microsoft.com

1:1, private

Monitored by support 24x7

Issues acknowledged within 24 hours

Post to a Microsoft Open Specifications Forum

1:many, public

Community of industry implementers

Moderated by Microsoft

Issues become support cases for tracking

Open Specifications Support is free

Clear problem description

Document short name (e.g. [MS-RDPEUSB])

Section (e.g. 2.2.4.1 Add Virtual Channel)

Doc version (e.g. v20110609)

Impact to your project (Blocking? Just feedback?)

Multiple issues: Provide priorities

Include sample files, traces, notes

Problems NOT related to the Open Specifications documentation:

If in doubt, ask.

Blog:http://blogs.technet.com/b/messageanalyzer/

Operating Guide: http://blogs.technet.com/b/messageanalyzer/

Technet Forum:

Message Analyzer is NOT supported via Dochelp

Q&A

http://www.microsoft.com/protocols

dochelp@microsoft.com