Decrypting RDP Traffic with Message Analyzer Bryan S. Burgin Sr. Escalation Engineer, Developer Support, Open Specs Microsoft Corporation
Sr. EE, Developer Support, Protocols/Open Specifications/Interop 13 years at Microsoft: Primary duties: www.microsoft.com/protocols www.microsoft.com/openspecifications
May 2012 (Taipei): Whiteboard discussion. May/July 2012: Hitchhiker's Guide to Debugging RDP protocols blog posts. April 2013 (Taipei). March 2014 (Taipei).
Viewing unencrypted, uncompressed RDP traffic Windows-to-Windows in both directions is difficult. Viewing unencrypted traffic:
To share a technique to observe Windows-to-Windows RDP traffic using Message Analyzer
Network Monitor/NmDecrypt advantages Network Monitor/NmDecrypt disadvantages Message Analyzer advantages Message Analyzer disadvantages
Make and export a certificate. Server-side preparation. Client-side preparation. Installing Message Analyzer. Capturing and analyzing traffic. What's next. Close.
Make and export a certificate. Server-side preparation. Client-side preparation. Installing Message Analyzer. Capturing and analyzing traffic. What's next. Close. Demo. References. Getting help.
Only needs to be done once in a lifetime. Can be made on any machine. Make a certificate using MAKECERT. Export the certificate to a Personal Information Exchange (.PFX) file. Import/copy the certificate (via the PFX) wherever it will be used:
Note: Do NOT check Network Level Authentication
Import the certificate via Microsoft Management Console (MMC): double-click the .PFX file.
Run MMC, use the Certificates plug-in for Local Computer, find the certificate in the local store, right-click, All Tasks, Manage Private Keys, and add NETWORK SERVICE.
To use the certificate, RDP needs to know the certificate's SSL SHA1 hash (a.k.a. thumbprint). For any given certificate, the hash is always the same.
Identify the certificate's SHA1 hash to RDP; the RDP server will now use this certificate for encryption.
Windows 7 ONLY; Windows 8 defaults are okay Set HKLM\System\CCS\Control\Terminal Server\Winstations\RDP-Tcp:
Disable server-side compression (server-to-client packets): run GPEDIT and find » Local Computer Policy » Computer Configuration » Administrative Templates » Windows Components » Remote Desktop Services » Remote Desktop Session Host » Remote Session Environment » Configure compression for RemoteFX data. Enable the policy and set it to "Do not use a compression algorithm".
RDP8 will send/receive ~3000 frames at initial connect to detect network conditions (bandwidth, RTT, Kb/sec). Disabling bandwidth detection reduces that overhead and yields smaller, faster traces. Solution: disable network bandwidth detection via GPEdit » Local Computer Policy » Computer Configuration » Administrative Templates » Windows Components » Remote Desktop Services » Remote Desktop Session Host » Connections » Select network detection on the server; choose "Turn off Connect Time & Continuous NW Detect".
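The server-side steps above (make the certificate, export it, import it, grant NETWORK SERVICE access to the private key, hand RDP the thumbprint, and turn off NLA) collected into one script. This is an added example, not code from the deck or from Microsoft: it substitutes New-SelfSignedCertificate and the PFX cmdlets for MAKECERT and the MMC steps, assumes Windows PowerShell 5.1 running elevated on the RDP server, and uses a placeholder PFX path and password. The compression and network-detection policies have no registry names on the page, so they are left to the GPEdit paths given above.

```powershell
# Added example (not from the deck): server-side preparation for decrypting RDP
# with Message Analyzer. Assumes Windows PowerShell 5.1, elevated, on the RDP
# server. These settings (no NLA, SSL security layer, exportable RSA key) match
# the deck's lab setup and weaken the host's transport security accordingly.

$PfxPath     = 'C:\Temp\rdp-decrypt.pfx'                                   # placeholder
$PfxPassword = ConvertTo-SecureString 'ChangeMe!' -AsPlainText -Force       # placeholder

# 1. Make the certificate (once). RSA key exchange plus an exportable key is what a
#    passive decryptor needs; the CAPI provider keeps the key under MachineKeys,
#    where its ACL can be edited in step 4.
$cert = New-SelfSignedCertificate -Subject "CN=$env:COMPUTERNAME" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -KeySpec KeyExchange `
    -KeyExportPolicy Exportable `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -NotAfter (Get-Date).AddYears(10)

# 2. Export to PFX so the same certificate and key can be copied to the machine
#    running Message Analyzer.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null

# 3. On any other machine, the matching import is:
#    Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword -CertStoreLocation Cert:\LocalMachine\My

# 4. Grant NETWORK SERVICE read access to the private key (the MMC "Manage
#    Private Keys" step). With a CAPI provider the key file name is exposed
#    through CspKeyContainerInfo.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
icacls $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:(R)' | Out-Null

# 5. Tell the RDP-Tcp listener which certificate to use, by SHA1 thumbprint.
$tsFilter = "TerminalName='RDP-Tcp'"
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter $tsFilter
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 6. Listener settings the deck calls for: NLA off, SSL security layer, high encryption.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 0 -Type DWord   # do NOT use NLA
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord   # TS_SECURITY_LAYER_SSL
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord   # TS_ENCRYPTION_LEVEL_HIGH

# 7. Read back: the listener should now report the new thumbprint.
$check = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter $tsFilter
if ($check.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw "RDP-Tcp listener did not accept thumbprint $($cert.Thumbprint)"
}
"RDP-Tcp now uses certificate $($cert.Thumbprint)"
```

The read-back in step 7 is the check worth keeping: if the listener rejects the key (wrong provider, non-exportable key, or a key NETWORK SERVICE cannot read), the thumbprint silently stays at the old value and every later trace will be undecryptable.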
If you want the client to use a specific compression algorithm:
Windows 8 uses TLS 1.2 by default Message Analyzer does not decrypt TLS 1.2 frames (yet?) Solution: downgrade to TLS 1.1 or 1.0 Consequence: Windows Update will stop working
RDP 8 uses both TCP and UDP Message Analyzer does not decrypt UDP/DTLS frames (yet) Solution: Disable UDP; force TCP only
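The two client-side changes just described (drop to TLS 1.1/1.0 because Message Analyzer does not decrypt TLS 1.2, and force TCP so nothing rides on UDP/DTLS) as an added script. It is not from the deck: it assumes Windows PowerShell 5.1 running elevated on the RDP client, uses the SCHANNEL protocol keys and the registry value the "Turn off UDP on client" policy writes, and adds the server-side counterpart from the "Select RDP transport protocols" policy (value 1 is the "Use only TCP" option). The deck's consequence stands: with TLS 1.2 disabled system-wide, Windows Update stops working on that client.

```powershell
# Added example (not from the deck): client-side preparation. Assumes Windows
# PowerShell 5.1, elevated, on the RDP client; the SelectTransport step is for
# the server. Disabling TLS 1.2 is system-wide and breaks Windows Update, as the
# deck notes; apply it only on the capture lab client.

function Set-RdpDecryptClientPrep {
    # 1. Downgrade SCHANNEL clients to TLS 1.1/1.0 by disabling TLS 1.2.
    $tls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    New-Item -Path $tls12Client -Force | Out-Null
    Set-ItemProperty -Path $tls12Client -Name Enabled           -Value 0 -Type DWord
    Set-ItemProperty -Path $tls12Client -Name DisabledByDefault -Value 1 -Type DWord

    # 2. Force TCP only: this is the value the "Turn off UDP on client" policy sets.
    $tsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
    New-Item -Path $tsClientPolicy -Force | Out-Null
    Set-ItemProperty -Path $tsClientPolicy -Name fClientDisableUDP -Value 1 -Type DWord
}

function Set-RdpDecryptServerTransport {
    # Server-side counterpart: "Select RDP transport protocols" = "Use only TCP" (1).
    $tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    New-Item -Path $tsPolicy -Force | Out-Null
    Set-ItemProperty -Path $tsPolicy -Name SelectTransport -Value 1 -Type DWord
}

function Get-RdpDecryptClientState {
    # Read back both settings so a failed capture can be explained before retracing.
    $tls12Client    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $tsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
    $tls = Get-ItemProperty -Path $tls12Client    -ErrorAction SilentlyContinue
    $udp = Get-ItemProperty -Path $tsClientPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Tls12ClientEnabled = if ($null -eq $tls.Enabled) { 'default (on)' } else { $tls.Enabled }
        Tls12DisabledByDefault = if ($null -eq $tls.DisabledByDefault) { 'default (0)' } else { $tls.DisabledByDefault }
        ClientUdpDisabled  = ($udp.fClientDisableUDP -eq 1)
        RebootRequired     = $true   # SCHANNEL protocol changes take effect after restart
    }
}

Set-RdpDecryptClientPrep
Get-RdpDecryptClientState | Format-List
```

The SCHANNEL change needs a reboot; the UDP setting is picked up by the next mstsc connection. When the trace still shows 16 03 03 records, the client has not rebooted (or another policy re-enabled TLS 1.2); when it still shows UDP/3389 traffic, the server-side transport policy is the one to check.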
Work on improving the parsers: Add support to decrypt TLS 1.2 Add support to decrypt DTLS and RDP over UDP Traffic
Escalation Engineer Developer Support Protocols/Open Specifications/Interoperability 8 years at Microsoft:
MS-RDPEUDP is a new protocol in RDP8 which uses UDP as a transport and operates in two modes: Reliable (RDP-UDP-R) and Best Effort/Lossy (RDP-UDP-L). RDP-UDP-R uses TLS; RDP-UDP-L uses DTLS. Each instance gets a unique socket. Protocol stack: MS-RDPBCGR \ MS-RDPEMT \ MS-RDPEUDP.
FEC PDUs are optional: safe to ignore and not generate, and there is no capability to turn them on or off. Without FEC, recovery from packet loss will be compromised.
RDPEUDP is preferred by default if both endpoints are RDP8 capable. This can be turned off through Group Policy. Server: Computer Configuration » Administrative Templates » Windows Components » Remote Desktop Services » Remote Desktop Session Host » Select RDP Transport Protocols, with the options "Use both UDP and TCP", "Use only TCP" and "Use either TCP or UDP". Client: Computer Configuration » Administrative Templates » Windows Components » Remote Desktop Services » Remote Desktop Connection Client » Turn off UDP On Client.
MinEncryptionLevel (http://technet.microsoft.com/en-us/library/cc785662(v=ws.10).aspx) MUST be set to 3 (TS_ENCRYPTION_LEVEL_HIGH) and SecurityLayer to 2 (TS_SECURITY_LAYER_SSL) for RDPEUDP.
Key differentiator from TLS over TCP: TLS/DTLS packets over UDP are enveloped by an RDPEUDP header.
Apply filter "TLS": unencrypted handshake and encrypted data PDUs. NMDecrypt decrypts the encrypted data PDUs.
Apply filter "TLS" with profile "windows": no data. Apply filter "RDPEUDP": enveloped handshake and encrypted data PDUs. NMDecrypt can't decrypt RDPEUDP data.
If the starting bytes are 16 03 01 or 16 03 02, it's a TLS packet (TLS 1.0 or 1.1 handshake record). If the starting bytes are 16 FE FF, it's a DTLS packet.
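The leading-bytes rule above, turned into a small record parser as an added example (not from the deck or from Message Analyzer). It goes slightly beyond the slide: it also recognises the 03 03 (TLS 1.2) and FE FD (DTLS 1.2) version bytes, pulls the length out of the TLS 5-byte and DTLS 13-byte record headers, and flags which records Message Analyzer can decrypt per the rest of the deck. The sample byte arrays are constructed, not captured traffic, and the function name is this example's own.

```powershell
# Added example (not from the deck): classify a payload as a TLS or DTLS record
# from its first bytes and decode the record header. Sample bytes are constructed.

function Get-SecureRecordInfo {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # 0x16 is the Handshake content type for both TLS and DTLS records.
    if ($Bytes.Length -lt 3 -or $Bytes[0] -ne 0x16) {
        return [pscustomobject]@{ Transport='Unknown'; Version=$null; Length=$null; Note='not a handshake record' }
    }
    $major = $Bytes[1]; $minor = $Bytes[2]

    if ($major -eq 0x03) {
        # TLS record header: type(1) version(2) length(2)
        $ver = switch ($minor) { 0x01 {'TLS 1.0'} 0x02 {'TLS 1.1'} 0x03 {'TLS 1.2'} default {'TLS ?'} }
        $len = if ($Bytes.Length -ge 5) { ([int]$Bytes[3] -shl 8) -bor $Bytes[4] } else { $null }
        $note = if ($minor -eq 0x03) { 'TLS 1.2: not decrypted by Message Analyzer; downgrade the client' }
                else { 'decryptable with the server certificate' }
        return [pscustomobject]@{ Transport='TLS'; Version=$ver; Length=$len; Note=$note }
    }
    if ($major -eq 0xFE) {
        # DTLS record header: type(1) version(2) epoch(2) sequence(6) length(2)
        $ver = switch ($minor) { 0xFF {'DTLS 1.0'} 0xFD {'DTLS 1.2'} default {'DTLS ?'} }
        $len = if ($Bytes.Length -ge 13) { ([int]$Bytes[11] -shl 8) -bor $Bytes[12] } else { $null }
        return [pscustomobject]@{ Transport='DTLS'; Version=$ver; Length=$len;
                                  Note='RDP-UDP-L, inside an RDPEUDP envelope; not decrypted by Message Analyzer' }
    }
    return [pscustomobject]@{ Transport='Unknown'; Version=$null; Length=$null; Note='unrecognised version bytes' }
}

# Constructed samples: TLS 1.0 and TLS 1.2 handshake headers carrying 0x00C8 bytes,
# a DTLS 1.0 header (epoch 0, sequence 0, length 0x0080), and a TPKT header,
# i.e. the X.224 Connection Request that precedes the TLS handshake in RDP.
$samples = [ordered]@{
    tls10  = [byte[]](0x16,0x03,0x01,0x00,0xC8,0x01)
    tls12  = [byte[]](0x16,0x03,0x03,0x00,0xC8,0x01)
    dtls10 = [byte[]](0x16,0xFE,0xFF,0x00,0x00,0,0,0,0,0,0,0x00,0x80,0x01)
    tpkt   = [byte[]](0x03,0x00,0x00,0x13)
}
foreach ($name in $samples.Keys) {
    $info = Get-SecureRecordInfo $samples[$name]
    '{0,-7} {1,-8} {2,-9} len={3,-5} {4}' -f $name, $info.Transport, $info.Version, $info.Length, $info.Note
}
```

Run against the first bytes of a TCP/3389 or UDP/3389 payload from a trace, this separates the three cases the deck distinguishes: TLS 1.0/1.1 over TCP (decryptable), TLS 1.2 (client needs the downgrade), and DTLS inside RDPEUDP (not decryptable yet).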
www.microsoft.com/protocols Raising protocol specification questions dochelp@microsoft.com Open Specifications Team Blog http://blogs.msdn.com/b/openspecification Channel9.MSDN.com
How to get Message Analyzer http://www.microsoft.com/en-us/download/details.aspx?id=40308
E-mail dochelp@microsoft.com: 1:1, private. Monitored by support 24x7; issues acknowledged within 24 hours. Post to a Microsoft Open Specifications Forum: 1:many, public; a community of industry implementers, moderated by Microsoft. Issues become support cases for tracking. Open Specifications Support is free.
Clear problem description. Document short name (e.g. [MS-RDPEUSB]). Section (e.g. 2.2.4.1 Add Virtual Channel). Doc version (e.g. v20110609). Impact to your project (Blocking? Just feedback?). Multiple issues: provide priorities. Include sample files, traces, notes.
Problems NOT related to the Open Specifications documentation: If in doubt, ask.
Blog: http://blogs.technet.com/b/messageanalyzer/ Operating Guide http://blogs.technet.com/b/messageanalyzer/ Technet Forum: Message Analyzer is NOT supported via Dochelp
Q&A dochelp@microsoft.com http://www.microsoft.com/protocols