Decrypting RDP Traffic with Message Analyzer Bryan S. Burgin Sr. Escalation Engineer, Developer Support, Open Specs Microsoft Corporation

Transcription

1 Decrypting RDP Traffic with Message Analyzer Bryan S. Burgin Sr. Escalation Engineer, Developer Support, Open Specs Microsoft Corporation

2 Sr. EE, Developer Support, Protocols/Open Specifications/Interop 13 years at Microsoft: Primary duties:

3 May 2012 (Taipei): Whiteboard discussion: May/July 2012: Hitchhiker s Guide to Debugging RDP protocols blog posts: April 2013 (Taipei): March 2014 (Taipei):

4 Viewing unencrypted, uncompressed RDP traffic Windows-to-Windows in both directions is difficult. Viewing unencrypted traffic:

5 To share a technique to observe Windows-to-Windows RDP traffic using Message Analyzer

6 Network Monitor/NmDecrypt advantages Network Monitor/NmDecrypt disadvantages Message Analyzer advantages Message Analyzer disadvantages

7 Make and export a certificate Server-side preparation Client-side preparation Installing Message Analyzer Capturing and analyzing traffic What s next Close

8 Make and export a certificate Server-side preparation Client-side preparation Installing Message Analyzer Capturing and analyzing traffic What s next Close Demo References Getting help

9 Only needs to be done once in a lifetime. Can be made on any machine. Make a certificate using MAKECERT. Export the cert to a Personal Informational Exchange (.PFX) file Import/copy the certificate (via PFX) wherever it will be used:

10

11 Make and export a certificate Server-side preparation Client-side preparation Installing Message Analyzer Capturing and analyzing traffic What s next Close Demo References Getting help

12 Note: Do NOT check Network Level Authentication

13 Import certificate via Microsoft Management Console (MMC):

14 Double-click.PFX file

15 Run MMC, use Certificate plug-in for Local Computer Find certificate in the local store Right-click, All-Tasks, Manage Private Keys Add NETWORK SERVICE

16 To use the certificate, RDP needs to know the certificate s SSL SHA1 HASH (a.k.a. Thumbprint): For any given certificate, the HASH is always the same

17 Identify certificate s SHA1 HASH to RDP The RDP server will now use this certificate for encryption

18 Windows 7 ONLY; Windows 8 defaults are okay Set HKLM\System\CCS\Control\Terminal Server\Winstations\RDP-Tcp:

19 Disable server-side compression (server-to-client packets): Run GPEDIT, find:»local Computer Policy»Computer Configuration»Administrative Templates»Windows Components»Remote Desktop Services»Remote Desktop Session Host»Remote Session Environment»Configure compression for RemoteFX data Enable the policy Set to Do not use a compression algorithm

20 RDP8 will send/receive ~3000 frames to detect network conditions (bandwidth) at initial connect (RTT, Kb/sec): Disabling bandwidth detection reduces overhead, yields smaller and faster traces Solution: disable network bandwidth detection; via GPEdit»Local Computer Policy»Computer Configuration»Administrative Templates»Windows Components»Remote Desktop Services»Remote Desktop Session Host» Connections» Select network detection on the server Turn off Connect Time & Continuous NW Detect

21 Make and export a certificate Server-side preparation Client-side preparation Installing Message Analyzer Capturing and analyzing traffic What s next Close Demo References Getting help

22

23 If you want the client to use a specific compression algorithm:

24 Windows 8 uses TLS 1.2 by default Message Analyzer does not decrypt TLS 1.2 frames (yet?) Solution: downgrade to TLS 1.1 or 1.0 Consequence: Windows Update will stop working

25 RDP 8 uses both TCP and UDP Message Analyzer does not decrypt UDP/DTLS frames (yet) Solution: Disable UDP; force TCP only

26 Make and export a certificate Server-side preparation Client-side preparation Installing Message Analyzer Capturing and analyzing traffic What s next Close Demo References Getting help

27

28

29

30 Make and export a certificate Server-side preparation Client-side preparation Installing Message Analyzer Capturing and analyzing traffic What s next Close Demo References Getting help

31

32

33

34

35

36

37

38

39 Make and export a certificate Server-side preparation Client-side preparation Installing Message Analyzer Capturing and analyzing traffic What s next Close Demo References Getting help

40 Work on improving the parsers: Add support to decrypt TLS 1.2 Add support to decrypt DTLS and RDP over UDP Traffic

41 Escalation Engineer Developer Support Protocols/Open Specifications/Interoperability 8 years at Microsoft:

42 MS-RDPEUDP is a new protocol in RDP8 which use UDP as a transport and operates in 2 modes: Reliable (RDP-UDP-R) Best Effort/Lossy (RDP-UDP-L). RDP-UDP-R use TLS and RDP-UDP-L DTLS. Unique sockets for each instance. MS-RDPBCGR\MS-RDPEMT\MS-RDPEUDP FEC PDUs Optional. Safe to ignore and not generate. No capability to turn on/ off.!fec - Recovery from packet loss will be compromised. RDPEUDP is preferred by default if both endpoints are RDP8 capable. This can be turned-off through Group policy Server : Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host: Select RDP Transport Protocols to Use both UDP and TCP, Use only TCP and Use Either TCP or UDP Client : Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Connection Client: Turn off UDP On Client Minencryption level ( ) MUST be set to 3 (TS_ENCRYPTION_LEVEL_HIGH) and Securitylayer to 2 (TS_SECURITY_LAYER_SSL) for RDPEUDP. Key differentiator from TLS over TCP TLS\DTLS packets over UDP are enveloped by RDPEUDP header.

43 Apply filter as TLS Unencrypted handshake and encrypted data PDUs. NMDecrypt decrypts encrypted data PDUs.

44 Apply filter as TLS, profile windows No data. Apply filter as RDPEUDP Enveloped handshake and encrypted data PDUs. NMDecrypt can t decrypt RDPEUDP data.

45 or as starting bytes then it s a packet. 16 FE FF as starting bytes then it s a packet.

46

47

48 Make and export a certificate Server-side preparation Client-side preparation Installing Message Analyzer Capturing and analyzing traffic What s next Close Demo References Getting help

49

50 Raising protocol specification questions Open Specifications Team Blog Channel9.MSDN.com

51 How to get Message Analyzer

52 1:1, private Monitored by support 24x7 Issues acknowledged with in 24 hours Post to a Microsoft Open Specifications Forum 1:many, public Community of industry implementers Moderated by Microsoft Issues become support cases for tracking Open Specifications Support is free

53 Clear problem description Document short name (e.g. [MS-RDPEUSB]) Section (e.g Add Virtual Channel) Doc version (e.g. v ) Impact to your project (Blocking? Just feedback?) Multiple issues: Provide priorities Include sample files, traces, notes

54 Problems NOT related to the Open Specifications documentation: If in doubt, ask.

55 Blog: Operating Guide Technet Forum: Message Analyzer is NOT supported via Dochelp

56 Q&A