Step 4: Capture RDP traffic between the RDP server and Windows client. Step 3: Obtain the RDP server's private encryption key. Step 2: Remove forward secrecy ciphers from the RDP client. Step 1: Set up a virtual environment with two hosts, one acting as an RDP client and one acting as an RDP server. The overall process follows seven general steps: A basic knowledge of network traffic fundamentals.This is most easily done within a virtual environment. A way to record the network traffic between these two hosts.This can be another Windows host with RDP enabled, or it can be a non-Windows host running FreeRDP. We use a host running Windows 10 Professional for this tutorial. An understanding of how to set up and use RDP.
A virtual environment to run two Windows hosts like VirtualBox or VMware.The following are necessary to get the most value from this tutorial: This blog demonstrates how to prepare the environment, obtain a decryption key and use it to decrypt RDP traffic. Unfortunately, this encryption makes writing RDP signatures difficult because RDP content is hidden.įortunately, we can establish a test environment that provides a key file, and we can use that key to decrypt a packet capture (pcap) of the RDP traffic in Wireshark. Security professionals have increasingly focused their attention on this protocol by writing signatures to detect RDP vulnerabilities and prevent attacks.Īs a proprietary protocol from Microsoft, RDP supports several operating modes that encrypt network traffic. Since 2017, RDP has become a significant vector in malware attacks using ransomware. In recent years, Remote Desktop Protocol (RDP) has been exploited by attackers to access unsecured servers and enterprise networks.
0 kommentar(er)
