Best Telegram Programming Groups For Coders &Developers   It Wasn’t Me - Secure Your Account   Mr.Robot All Seasons 1,2,3 Full | Free Torrent Download   Mr.Robot All Seasons 1,2,3,4 Full | Watch Online [FREE]   5 Tips Will Keep You Safe During Christmas Holiday’s Online Shopping   You Can Get All Adobe Apps For $30 a Month Right Now   How To Wipe An iPhone Clean (ERASE) Before Selling?   Programming Languages To Learn To Be An Expert Hacker!   Cybercriminals exchange tips on underground forums about avoiding arrests   A comprehensive look into emerging Signal encrypted messaging application   A Detailed Comparison of WhatsApp, Telegram & Signal   How Telegram End-to-end Encryption Works To Provide Security ?   Flubot Malware is Spreading Quickly Through Android Devices   WhatsApp End-to-End Encryption and its Privacy Importance - Alternatives,Signal & Telegram   What is Credit Card Skimming And How To Protect Yourself From it ?   Where to hire react programmer and 3 essential skills to look for   Top 8 Basic Google Search Dorks [Live Examples]   [Penetration Testing] Top 70 Most Interview Questions   Why VPN Is Necessary ? [Detailed Guide]   Top 10 Dangerous Viruses Of All Times   List Of Common HTTP Error Status Codes   “Hello World!” Program In Different Programming Languages   100 Basic Computer Related G.K. Questions   Email Security - Tips And Tricks   Fonts Hub Collection (Free Design Resources)   Top 8 Softwares Free Download - No Credit Card Needed [2022 Update]   Shortcomings That Leads An Entrepreneur Towards Failure   5 Basic Steps To Protect Your Personal Data Online   What is Intel SGX and What are the Benefits ?   15 Things You Need to Know About Maintaining The Logs   How to think like a programmer - lessons in problem solving   How To Get Voice Like Anonymous Voice   Life Story of Microsoft Founder Bill Gates - Documentary   Own Private Search Engine in Linux Will Save Our Privacy   Best Etcher alternatives to Create Bootable USB   Music For Programming - Coding Music / Hacking Music   School Management Software v3.1 Premium + Crack   JavaFX Chat Client/Server + Source Code   Top 25 Keyword Research Tools [Search Engine Optimization]   A Quick SEO Checklist - 2023 Update   Online Domain Authority (DA) Rank Checker Websites   33 Things In SEO For Which Google Will Give Your Student Blog High Positions   How to Close the Site from indexing using robots.txt   10 SEO Tools all Small Businesses Need in 2023   Earth Rise Application + Code   Animation along a path + Code   Zen Pong Game in Java Language + Code   Simple Flying Bird Game + Code Files   Game Snake Simple + Code Files   The Space 'Sun & Earth' | HTML,CSS,JavaScript   File System in Web (Explorer in Windows and Finder in OSX)   Admin Dashboard Template built using Bootstrap + Code   Website Template For Admin Dashboard + Code   Youtube Playlist Downloader Script   How To Create A Stopwatch In Python   Python TicTacToe with Tk and minimax AI   Deskreen turns any device with a web browser into a secondary screen for your computer   Download Algorithms Book | Dummies Store   OSI Model And TCP/IP Model   How to Fix SSH Failed Permission Denied (publickey,gssapi-keyex,gssapi-with-mic)   What Is Load Balancing? Definition and How It Works   How to Setup FTP Server on Your Raspberry Pi   Download Windows 10 Lite Edition x64 | Direct Link   How To Recover Permanently Deleted Files In Windows 10 ?   How to make Fake Error Message Script in Windows   20 Essential Windows keyboard Shortcuts that will make you forget your mouse   How To Fix The DLL Missing Error In Windows 7 ?   Create Hotspot on Windows 10 in 6 steps   Download Microsoft Office Professional Plus 2016   Download DriverPack Solution Offline | Full   How To Create Simple And Password Protected ZIP File in Linux   2 Ways To Save Terminal Output of a Command in Linux   6 Best Tools to Monitor Disk IO Performance in Linux   Top 15 Best Websites (Blogs) to Learn Linux Online   How to Delete files older than 30 Days in Linux   What is the difference between apt and apt-get command   Fail2Ban Installation & Setup: Ubuntu, CentOS, Fedora & Debian   How to List Running Processes in Linux   How to Use the who Command in Linux with Examples   FOREMOST - Recover Permanently Deleted Files Easily in Kali Linux   Funny Linux Commands to Try   Command line interface guidelines, to help you write better command-line programs ...   How to Install Google Chrome Web Browser on Ubuntu 20.04   Learn Adobe Photoshop | 33 Episode Course   Window Privilege Escalation: Automated Script   Linux Privilege Escalation: Automated Script   How To Retrieve & Decrypt Stored Passwords in Firefox & Chrome Remotely   ACLight: An Advanced Privileged Account Discovery Tool   How to change Lock Screen Background on Kali Linux XFCE   Best 20 Kali Linux Tools For Hacking And Penetration Testing   How to Run Windows Application and Games on Kali Linux   How to run C and C++ programs in Kali Linux   Control Kali Linux PC From any Mobile or Tablet   How to Enable root User Account in Kali Linux   How to Configure Static IP address in Kali Linux   Bash vs ZSH in Kali Linux   [Solved] E: Unable to locate package in Kali Linux   Hosting a Local Website with Domain Name on Kali Linux over WiFi   Install Docker in Kali Linux and Run Other OS   How to Install Kali Linux | A Total Guide to Install Kali Linux   NetHunter Rootless - Official Kali NetHunter for non rooted phones   How to set up own VPN server in 10 minutes on Kali Linux using OpenVPN   Configuring The ProxyChains   Install Python3 in Kali Linux   TempoMail - Command Line Temporary Email in Linux   NIPE - Fully Anonymize Total Kali Linux System   How to Install Google Chrome & Chromium on Kali Linux [Official Method]   15 Best Laptops For Kali Linux & Cyber Security - Check This Before Buy   Volatolity - Digial Forensic Testing of RAM on Kali Linux   Limit the Internet Speed of LAN Users [Evil Limiter]   Find Virtual Machine IP Through Kali Linux - 3 Methods   Privilege Escalation with PowerShell Empire and SETOOLKIT [Kali Linux]   How to use kill, pkill and killall Commands to Kill any Linux Process   20 Useful Tar Commands For Extraction and Compression   Create a Fake AP with DNSMASQ and HOSTAPD [Kali Linux]   How to Fully Anonymize Your Linux System with Tor using Nipe   Hack Windows/Linux using ARCANUS Framework – 100% FUD   Simple and Target Mac Flooding - Kali Linux   Get Free Kali Linux on AWS with Public IP - Real Time Penetration Testing   What’s the difference Between Tails and Tor browser?   Does Tor Hide you From Your ISP? Should I surf internet using Tor ?   Wireshark for Pentester: Decrypting RDP Traffic   Exploit Wi-Fi Vulnerabilities with Routersploit on Termux and Linux   Man in The Middle Attack & How To Prevent it   Masscan - 1000 Times Faster Than NMAP   Wireshark - Shark in Wires | Network Protocol Analyzer in Kali Linux   Wifite - Easy Automated Wireless Attack   WiFi-Pumpkin 3 - Dangerous Access Point   Evil Twin Attack with DNSMASQ - Wireless WPA2-PSK Cracking   Sniffing with Rogue Access Point [DNSMASQ and TCPFLOW]   Hack Wi-Fi Settings of Windows Machine Remotely [After Meterpreter]   Wi-Fi deauthentication attack against 802.11 protocol   Bypass Hidden SSID in a Wireless Network [Full Proof Method]   Crack WPA/WPA2-PSK using Aircrack-ng and Hashcat   Crack WPA2-PSK Wi-Fi with automated python script - FLUXION PART 1   Set Default Version of Python : [SOLVED] update-alternatives: error: no alternatives for p   Python Scripting: Information Gathering and Automating Ethical Hacking   15 Essential Meterpreter Commands Everyone Should Know   Find Vulnerable Webcams with Shodan [Metasploit Framework]   TCP & SYN Scanning with Metasploit Framework without NMAP   Meterpreter Useful Top 60 Commands List   The Web Application Hacker's Handbook 2   Hacking GPS Book   MadCam - Termux Hack Front camera by Sending link   How to Download Files In Termux   IPdrone Termux - Find Location of Person it IP in Termux   ReconDog Termux - Best Reconnaissance Tool For Termux   Termux SSH: Use Termux in Windows Using SSH Server   How to Install and Use Fsociety-Tool In Termux   Termux-YTD : Download Youtube Videos with Termux   Use CMatrix Package Like a Pro   L3MON - Access Android Devices Remotely   Hack Android using Metasploit over LAN/WAN   Ghost Framework - Control Android Devices Remotely   Top 10 Vulnerable Android Applications [Penetration Testing]   Find Hidden Subdomains on Any Website with Subfinder   Blind Sql Injection with Regular Expressions Attack   Useful Google Dorks For Bug Bounty Hunters   HTML5 Security CheatSheet - What your browser does when you look away...   30,000 Sites Is In RISK, The Plus Addons For Elementor WordPress Plugin Hacked   WPScan - Find Vulnerabilities in WordPress Websites on Kali Linux   Wapiti - Automated Vulnerability Scanner   Generate 100% FUD Backdoor with TheFatRat - Windows 10 Exploitation   TheFatRat hacking tool to create undetectable backdoors   How to Make a Keylogger in Python + Code   How to create a keylogger in PowerShell ?   Backdoor Program using Python (Remote Access Explain)   Man in the Middle Attack with Websploit Framework   Hack Windows 10 Remotely over WAN with Metasploit [No Port Forwarding]   15 Powerful Gadgets For Ethical Hackers | Hardware Tools for Hackers   Find Vulnerabilities using NMAP Scripts (NSE)   Free Vulnerability Database And Resources   Firefox Browser Vulnerable to (MITM) Man-in-the-Middle Attack   Find Vulnerabilities in Military Networks By Participating Hack The Army Bug Bounty Progr. 

x32x01

ADMINISTRATOR
Over the last few years, attackers used the Remote Desktop Protocol (RDP) for accessing unsecured servers and company networks. In ransomware malware attacks since 2017, RDP has become a major vector. Security professionals have focused their attention increasingly on this protocol by writing signatures to detect and prevent attacks of RDP vulnerabilities.

RDP supports several operating modes to encrypt network traffic, as a proprietary protocol from Microsoft. This encryption, unfortunately, makes it hard to write RDP signatures because the content of RDP is hidden.

We can, fortunately, develop a test environment that provides the key file to decrypt the packet capture (pcap) of Wireshark’s RDP traffic.

This article shows how the environment is prepared, a decryption key is obtained, and how RDP traffic can be deciphered.

Table of Contents

  • Prerequisites
  • Trace File
  • Virtual Environments Setup
  • Remove Encrypted Ciphers from RDP Client
  • Generate and Download RDP Server’s Private Key
  • Capture RDP Traffic
  • Analyzing and Decrypting Wireshark Traffic
  • Forensics with Captured RDP Data
  • The RDP Data Protocol
  • Security Protocols Used by RDP Server
  • Analyze Connectivity between Client & Host
  • Analyzing Credentials
  • Conclusion
Prerequisites
  • A good understanding of RDP Setup and Usage.
  • A virtual environment to run Two Windows host.
  • First windows host act as an RDP Client.
  • Second windows host act as an RDP Server.
  • A Linux OS for Decryption of pfx file
  • Wireshark Running in another host
Trace file
You can download the trace file from here

Virtual Environments Setup

VirtualBox or VMware Workstation for Windows and Linux are the two most common virtual environments for this sort of testing. For macOS, VMWare Fusion is used.

0.png

Two Windows 10 hosts were included in our test lab setup. One of the hosts was an RDP server, while the other was an RDP server. We have recorded RDP traffic with Wireshark as a man in the middle between these two hosts.

Remove Encrypted Ciphers from RDP Client
Machine 1

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets are used in the session key exchange are compromised. For HTTPS, the long-term secret is typically the Private signing key of the server. Forward secrecy protects past sessions against future compromises of keys or passwords. By generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key.

1.png

The value of forwarding secrecy is limited not only by the assumption that an adversary will attack a server by only stealing keys and not modifying the random number generator used by the server but it is also limited by the assumption that the adversary will only passively collect traffic on the communications link and not be activated using a Man-in-the-Middle (MITM) attack. Forward secrecy typically uses an ephemeral Diffie-Hellman key exchange to prevent reading past traffic. The ephemeral Diffie-Hellman key exchange is often signed by the server using a static signing key.

More can be ridden at – Wikipedia.org

2.a.png

This whole scenario looks like a Perfect Forward Secrecy. Isn’t it…?

These types of ciphers create multiple SSL/TLS connection session keys. We can’t decrypt SSL/TLS traffic with the forward secrecy using RDP server private key. Therefore, we have to delete settings that support the Forward Secrecy on the RDP client.

For this, we are using a Windows 10 host as an RDP Client.

To do this, open Group Policy Management console gpedit.msc as an administrator

2.png

After opening the console navigate to the following menu path:

Administrative Templates > Network > SSL Configuration Settings

And then Double-click to the entry of the SSL Cipher Suite Order

3.png

After that select the “Enable” option to Enable the SSL Cipher Suite Order.

Double-click the list of Ciphers and then select and copy the entire list.

4.png

Paste the copied ciphers into a notepad and remove all the ciphers that support Elliptic Curve Cryptography using Diffie-Hellman Ephemeral (ECDHE) or Digital Signature Algorithm (ECDSA) encryption. Remove all the ciphers that contain the word ECDSA and ECHDE. All of these ciphers are managed sequentially, so they were easy to delete from the text.

5.png

Now, an updated list of ciphers is shown below

6.png

Copy the updated ciphers list and paste it back into the SSL Cipher Suites field but make sure you have overwritten the original list and then click on the Apply button to save the configuration and hit OK to close the window.

7.png

Generate and Download RDP Server’s Private Key

Machine 2
We have used another Running Windows 10 Host as an RDP server.

Now our main task is to extract the private key from the host’s operating system. First of all, we have to be ensured that our host is acting like an RDP Server or not, if not go to the “Settings > System > Remote Desktop” and then “Enable Remote Desktop”.

8.png

After that, we have to Extract Private Key from its Operating system. Windows don’t allow to export of any kind of certificate so we are going to use tools like Mimikatz or Jailbreak.

Mimikatz or Jailbreak is a tool that can dump or export any kind of Certificate easily.

So, I’m going to show you how this is done from both methods. You can stick with the method which feels you like easy.

Method 1: – Mimikatz

Mimikatz is a shell for various modules. Run the following commands to export RDP keys or Certificates with private Keys. Run Mimikatz as an administrator.

# Enable “debug” privilege to be able to patch CNG service
Code:
privilege::debug

# Patch CNG service lasts until the next reboot
Code:
crypto::cng

# Patch CAPI library in memory of this process
Code:
crypto::capi

# Export Remote Desktop certificate(s) with private keys, password is “mimikatz”
Code:
crypto::certificates -systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE -store:"Remote Desktop" /export

9.png

As you can see Mimikatz successfully dumped the certificate. You can find it in the Directory of Mimikatz.

10.a.png

Method 2: – Jailbreak
A jailbreak is an iSECPartners tool that can export the RDP certificate of a server. We could extract the private key from the exported certificate. On our newly developed RDP server, we downloaded the following Jailbreak binaries from this GitHub repository to use Jailbreak.

10.png

After downloading the Jailbreak utility navigate to the directory of Jailbreak-master > binaries and copy the location of the binary folder

11.png

open a Command prompt with administrator privileges and went to the directory of downloaded jailbreak binaries and execute the following command.
Code:
jailbreak64.exe %WINDIR%\system32\mmc.exe %WINDIR%\system32\certlm.msc -64

if you are running the 32-bit version of windows then execute the following command

12.png

Code:
jailbreak32.exe %WINDIR%\system32\mmc.exe %WINDIR%\system32\certlm.msc -32

These commands will open up a certificate manager for the local machine. From the left column expand the section of Remote Desktop and navigate to the certificate folder this will show you a certificate with the most expiration date. Do the right click on the certificate, select All Tasks, and then Export.

13.png

This will open up a Certificate Export Wizard… to export the Certificate just hit the “Next” button.

14.png

Make sure to select the option to export the private key when exporting the certificate.

15.png


16.png

We could only export the certificate as a PKCS #12 (.PFX) file for our host.

The certificate needed to have a password in the next step. We didn’t have any difficulty criteria, so we went with a simple password.

17.png

After that provide a directory where you want to save the certificate.

18.png


19.png

Finally, we have successfully Exported the Certificate with the Private key.

Since our certificate was obtained through Mimikatz or Jailbreak, we transferred it to a Linux host and extracted the key using OpenSSL. To extract the key in PEM format, we first used the OpenSSL command

You can download the certificate from here

Code:
openssl pkcs12 -in rdp.pfx -nocerts -out rdp_key.pem -nodes
Password: 123

Then after we have to remove the passphrase from the key, to do this run the following command

20.png

openssl rsa -in rdp_key.pem -out rdp.key

21.png

This will provide us with the RDP Server’s key

As you can see, we have successfully extracted the RDP Server’s private key. Don’t forget to export this public key to the windows system for the use of later purposes.

Capture RDP Traffic
We may use a tool like Wireshark to record network traffic in the VLAN using promiscuous mode with our two Windows hosts in the same virtual network. once the recording starts Our Windows

22.png

client uses RDP to log in to the other Windows host that was operating as an RDP server. The server’s host IP was 192.168.0.111.

We logged into 192.168.0.111 and performed some simple tasks including web surfing and trying to connect to an FTP server while the pcap is recording the traffic.

23.png

After of few minutes we logged out from the RDP Server and stopped recording Network traffic from Wireshark

24.png

Analyzing and Decrypting Wireshark Traffic

You can download the trace file from here

Open the pcap of RDP Session in Wireshark. We did not see any results when filtering RDP on our Wireshark display filter, as RDP traffic has been encrypted. We saw a blank column display during

25.png

filtering the RDP in our pcap as shown below.

Let’s Decrypt the Traffic
However, the results were quite different when we used our private server key for decrypting RDP Traffic in Wireshark.

The RDP server DESKTOP-CDE7HJC was at IP address 192.168.0.111 in the pcaps we captured, and RDP traffic was carried out over TCP port 3389. This information was required in order for Wireshark to properly decrypt RDP traffic.

To do this navigate to Edit > Preferences, Expand the Protocols section and select TLS

After selecting TLS navigate to the Edit section and provide the following details such as IP address of the RDP server, port no., and the path of the private key

Ip address: – 192.168.0.111
Port no.: – 3389
Protocol: – tpkt

Rsa key:- the path of the saved public key.

26.png

We had much better results when reviewing the pcap after Wireshark was configured to decrypt RDP traffic.

Forensics with RDP Data
When we loaded our key, our column display was no longer blank when we filtered for RDP. As shown in the image below, we had a variety of outcomes.

27.png

Let’s do some Forensics with this data like what we can find with this data.

Hmm!!! Exited….

As we can see that we have now successfully decrypted the RDP data… but now have more question about what to do with this kind of data ….

The answer is quite simple… we can gather some pieces of information like User ID, Password, Time of login, country of origin, etc… by arranging the binaries.

The RDP Protocol
Understanding all of the underlying protocols used in RDP was one of the most difficult aspects of creating this library. It was difficult for some of them just to figure out what they were here for. The connection sequence alone employs four protocols: TPKT, X224, MCS (T.125), and GCC (T.124), as well as TLS at times and RC4 at others. This implies that we must be able to initiate TLS after the first few packets of the connection if necessary so we must keep an eye out for that.

Are you confused? We were, too. As a result, we created this simple diagram to explain the connection sequence.

28.png

Security Protocols used by RDP Server
Let’s first understand which type of Security used by the RDP server

29.png

As shown in the figure of RDP protocol now we’re much clear that the RDP server uses this type of protocol to secure the connection.

Analyze connectivity Duration between Client & Host
Using the packet capture file, we were able to determine the time of the incident. We used a very cool Wireshark feature that’s hidden in Statistics -> Conversations -> TCP: Conversations between two endpoints.

30.png

As we can see there is something that happened In the highlighted fields. I managed to understand they are using RDP protocol (port no.3389) but won’t able to able find out the actual duration of the connectivity between the client and the host so, I applied “Limit to the Display filter”

31.png

Now, the scenario is pretty much clear and we managed to see the actual duration of connectivity and we got two IP addresses of the client and host that is 192.168.0.108 and 192.168.0.111. but still, we were not able to identify which one is the host and which one is the client.

Analyzing Credentials
So, have got the two specific IP address and port number. Without wasting I applied a quick filter on behalf of this information
Code:
Ip.addr == 192.168.0.111 && tcp.port==3389

32.png

And look what we have, a whole communication between the client and host. But I can’t able to understand which type of information has been shared. So, I managed to apply some more filters to make it more understandable. For example, now we have the client and host IP address so applied a display filter to find data shared by the client….

Let’s see what happen
Code:
rdp.client.address=192.168.0.108

33.png

Wooh!!! As you can see we are managed to find user credentials used by clients on the RDP server just like user id, password, working directory, Time zone, weekday… etc…

As an attacker, we can use these credentials to completely take over the system.

But one more thing, still we don’t know the actual user name that the client used to log in to the RDP Server. Let’s find that

To find the client user name I quickly apply a display filter that shows us the client user name is entered by the client….
Code:
rdp.client.name

34.png

Whoa!!!… As you can see we have successfully got the client user name and the keyboard used by the RDP server.

By applying these kinds of filters you can easily drill down the traffic to gather the information.

Conclusion
This article discussed how to set up an environment for decrypting RDP traffic. This is best accomplished in a virtual environment with two hosts running Windows 10 Professional. We extracted the private key from our Windows host acting as the RDP server after ensuring the client did not use any forward secrecy ciphers. Then we quickly captured a pcap of network traffic. We were able to decrypt RDP traffic after the session ended by using the server’s private key.

When creating signatures to detect RDP vulnerabilities and attacks, this type of environment can be useful to security professionals.
 
Top