We recorded network traffic from an RDP session between these two hosts from the virtual LAN. One of the hosts acted as an RDP client, and the other acted as an RDP server. Our lab environment contained two Windows 10 hosts. The basic structure of our lab used for this tutorial is shown below in Figure 1. This tutorial does not cover setting up virtual machines (VMs) in a virtual environment. VirtualBox is free, while VMware is a commercial product. The two most common virtual environments for this type of analysis are VirtualBox or VMware Workstation for Windows and Linux. Step 4: Capture RDP traffic between the RDP server and Windows client. Step 3: Obtain the RDP server's private encryption key. Step 2: Remove forward secrecy ciphers from the RDP client. Step 1: Set up a virtual environment with two hosts, one acting as an RDP client and one acting as an RDP server. The overall process follows seven general steps:
A basic knowledge of network traffic fundamentals.This is most easily done within a virtual environment. A way to record the network traffic between these two hosts.This can be another Windows host with RDP enabled, or it can be a non-Windows host running FreeRDP. We use a host running Windows 10 Professional for this tutorial. An understanding of how to set up and use RDP.
:max_bytes(150000):strip_icc()/002_wireshark-tutorial-4143298-5e50ba7b4a8942078317aa55370bfcd0.jpg "run wireshark pcap")
A virtual environment to run two Windows hosts like VirtualBox or VMware.
The following are necessary to get the most value from this tutorial: This blog demonstrates how to prepare the environment, obtain a decryption key and use it to decrypt RDP traffic. Unfortunately, this encryption makes writing RDP signatures difficult because RDP content is hidden.įortunately, we can establish a test environment that provides a key file, and we can use that key to decrypt a packet capture (pcap) of the RDP traffic in Wireshark. Security professionals have increasingly focused their attention on this protocol by writing signatures to detect RDP vulnerabilities and prevent attacks.Īs a proprietary protocol from Microsoft, RDP supports several operating modes that encrypt network traffic. Since 2017, RDP has become a significant vector in malware attacks using ransomware. In recent years, Remote Desktop Protocol (RDP) has been exploited by attackers to access unsecured servers and enterprise networks.
0 kommentar(er)
