First. General statement
This article analyzes the RDP protocol with the aim of reconstructing the operations carried over it. The first chapter discusses the feasibility of restoring the RDP protocol; the second and third chapters describe the specific RDP protocol interaction process; the fourth chapter describes testing the feasibility of decryption with a man-in-the-middle attack; the fifth chapter lists the references used in this analysis.
1. Purpose of analysis
The analysis aims to make it possible to reconstruct the operations of remote control tools that use the RDP protocol, for example transferring files to a remote desktop during a remote session.
2. Analysis methods
Two methods are used in this paper: 1) analysis of the data generated during a Remote Desktop session; during this analysis it was found that RDP uses encryption when establishing the connection, so the encrypted messages cannot be read, which led to the second method; 2) a man-in-the-middle attack, which attempts to decrypt the encrypted messages so that the first method can then be applied to the result.
3. Choice of Middleman tools
Two tools were selected for the man-in-the-middle attack: Rdpy and Rdpproxy.
They were chosen because both are open source: Rdpy is written in Python and Rdpproxy in C.
4. Analysis Conclusion
4.1 rdpproxy test Conclusion
The tool can no longer perform a man-in-the-middle attack; during the attempt the client reports the error message "Data encryption error".
4.2 Rdpy Test Conclusion
A man-in-the-middle attack can be performed successfully, and the tool can replay the operations performed during the remote session, which means the tool does decrypt RDP. However, the same error as with Rdpproxy, "Data encryption error", sometimes appears and causes the remote session to fail.
4.3 Analysis conclusion
From the above we conclude that the encryption layer of the RDP protocol can be decrypted using the Rdpy tool (although not every attempt succeeds). The main problem is that Rdpy is written in Python while we want an implementation in C, so the Python code would have to be ported to C to perform the decryption; this is a large amount of work, and the tool does not always attack successfully. Whether this tool can be used for the next stage of work therefore needs further discussion.
Second. Overview of protocol interactions
Special note: RDP is a single stream from beginning to end, and throughout the connection the RDP protocol encapsulates and transmits its data using the TPKT protocol.
Based on our packet captures so far, the interaction is as follows:
1. First the TCP three-way handshake establishes the connection; after it succeeds, proceed to the next step.
2. The client sends the ISO layer connection request first (the ISO layer sits above the TPKT protocol).
3. The server sends the ISO connection confirmation after receiving the request.
4. After the confirmation, the data portion of the TPKT is SSL-encrypted, and the subsequent protocol interaction cannot be seen.
Information collected online about the RDP interaction process is as follows (from the CSDN blog):
1. The client connects to the server
2. The ISO data layer establishes a connection
3. Initial protocol information is sent and the encryption/decryption keys are received (this part should correspond to the SSL-encrypted part in our own analysis)
4. Virtual channel application
5. Client system information is sent in encrypted form while the encryption protocol is verified
6. Platform software certificate verification
7. Each function establishes its connection, transmits its data, and is realized
Third. Specific process of establishing the protocol connection
1. Overall interaction process of the captured messages
2. ISO layer connection request after the three-way handshake
The TPKT header consists of the version, a reserved field, and the length.
In the ISO connection request, the first two bytes are the length and the TPDU type: 0x0E represents a request and 0xD0 represents a request confirmation. The confirmation message is:
3. The TPKT data section uses SSL encryption; it is identified as SSL from the hexadecimal value 16 at the start of the data.
4. This part of the data can be decoded as the SSL protocol as follows:
1) Right-click and choose "Decode As"
2) Find the SSL protocol in the list on the right and click OK
3) The software then shows the data part decoded as SSL
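As an added illustration (not code from this report or from the Rdpy/Rdpproxy projects), the following Python 3 parser implements the TPKT and ISO (X.224) request/confirm layout described above and the SSL detection by the leading 0x16 byte, and adds the defender-side check a monitoring sensor would want: whether the server's Connection Confirm leaves the session on standard RDP security rather than TLS/NLA, which is the security layer that chapter four notes the proxies fall back to. The TPDU codes 0xE0 (request) and 0xD0 (confirm) and the RDP_NEG_REQ/RDP_NEG_RSP layout are taken from ITU-T X.224 and MS-RDPBCGR; the sample frames are constructed, not captured.

```python
import struct

# X.224 TPDU codes (ITU-T X.224) and RDP_NEG_* block types (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1/2)
X224_CR, X224_CC = 0xE0, 0xD0
NEG_REQ, NEG_RSP, NEG_FAIL = 0x01, 0x02, 0x03
PROTOCOLS = {0: "standard RDP security", 1: "TLS", 2: "CredSSP (NLA)"}

def parse_tpkt(buf):
    """Return the payload of one TPKT frame: version 3, reserved 0, big-endian total length."""
    if len(buf) < 4 or buf[0] != 3 or buf[1] != 0:
        raise ValueError("not a TPKT frame")
    length = struct.unpack(">H", buf[2:4])[0]
    if length < 4 or len(buf) < length:
        raise ValueError("truncated TPKT frame")
    return buf[4:length]

def parse_x224(tpdu):
    """Return (tpdu_code, negotiation); negotiation is (type, protocol) or None."""
    li, code = tpdu[0], tpdu[1] & 0xF0  # length indicator, then TPDU code in the upper nibble
    neg = None
    if code in (X224_CR, X224_CC):
        # after DST-REF(2) SRC-REF(2) CLASS(1), an optional cookie (CR only) precedes the 8-byte RDP_NEG_* block
        body = tpdu[7:1 + li]
        if len(body) >= 8:
            ntype, _flags, nlen, proto = struct.unpack("<BBHI", body[-8:])
            if ntype in (NEG_REQ, NEG_RSP, NEG_FAIL) and nlen == 8:
                neg = (ntype, proto)
    return code, neg

def classify(buf):
    """Label one TCP segment payload seen at the start of an RDP connection."""
    if buf[:2] == b"\x16\x03":  # TLS record header: type 0x16 (handshake), version 3.x
        return "TLS handshake record"
    code, neg = parse_x224(parse_tpkt(buf))
    if code == X224_CR:
        return "X.224 CR, requested protocols 0x%x" % (neg[1] if neg else 0)
    if code == X224_CC:
        if neg and neg[0] == NEG_FAIL:
            return "X.224 CC, negotiation failure code %d" % neg[1]
        return "X.224 CC, selected " + PROTOCOLS.get(neg[1] if neg else 0, "unknown")
    return "X.224 TPDU code 0x%02x" % code

def server_uses_standard_security(cc_buf):
    """True when the Connection Confirm leaves the session on standard RDP security (no TLS/NLA), which is worth alerting on."""
    code, neg = parse_x224(parse_tpkt(cc_buf))
    return code == X224_CC and (neg is None or (neg[0] == NEG_RSP and neg[1] == 0))

CR_TLS_NLA = bytes.fromhex("030000130ee00000000000" "0100080003000000")  # constructed sample: client CR asking TLS|NLA
CC_TLS = bytes.fromhex("030000130ed00000123400" "0200080001000000")      # constructed sample: server CC selecting TLS
CC_LEGACY = bytes.fromhex("0300000b06d00000123400")                       # constructed sample: CC without RDP_NEG_RSP
```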
Fourth. RDP man-in-the-middle attack method
According to the material we could find, two tools are currently available for man-in-the-middle attacks on RDP: Rdpproxy and Rdpy. Both are open source but written in different languages: Rdpproxy in C and Rdpy in Python. The use of each tool is described separately below:
1. Use Rdpproxy for man-in-the-middle attacks
This tool is very hard to find online. Rdpproxy has two versions, a Windows version and a Linux version (currently only for Ubuntu). The Windows version is no longer available, so the usage described here is for the Ubuntu version. It must be stated, however, that this tool cannot perform the man-in-the-middle attack.
1.1 Rdpproxy tool download
At present this tool can only be downloaded from sites that require points, and points must be bought with money, so no URL is given here; search for it yourself.
1.2 Rdesktop tool use
Compiling the Rdesktop tool
After decompression there is a rdesktop directory. Rdesktop is an open-source Remote Desktop tool whose main role is to access a remote Windows desktop. The code in the rdesktop directory must be compiled: ./configure, make, make install
How to use Rdesktop
./rdesktop <remote IP address>, for example ./rdesktop 192.168.1.100, then press Enter and enter the user name and password directly to operate the remote machine.
1.3 Rdpproxy environment
1 Ubuntu host, the machine used for the man-in-the-middle attack; Python must be installed on it (my Python version is 2.7.3)
2 Windows hosts, 1 as the client and 1 as the server, all on the same network
1.4 Man-in-the-middle attack using Rdpproxy (attack fails)
1. Navigate to the Rdpproxy directory
2. Create the Rdpplayer directory
3. Execute the Python script (rpp.py) to listen for the target server: python rpp.py <target server IP>, e.g. python rpp.py 192.168.1.200
4. At this point the client believes the Ubuntu host is the server. When the built-in Windows remote desktop tool is used to connect to the Ubuntu IP, it turns out that the target server cannot be reached and an error such as the following appears:
5. The man-in-the-middle attack fails
2. Use Rdpy for man-in-the-middle attacks
Rdpy is a pure-Python implementation of the Microsoft Remote Desktop Protocol. It is driven by the Twisted network engine, i.e. Rdpy is an implementation of the Microsoft RDP Remote Desktop Protocol built on Twisted Python. Rdpy supports the standard RDP security protocol as well as SSL and NLA encryption (authentication through the NTLMv2 protocol).
Note: a man-in-the-middle attack using the Rdpy tool can succeed.
However, sometimes after a successful login an "encrypted data error, please log in again" message also appears.
2.1 Rdpy tool download and installation
First, installing Rdpy
Rdpy: https://github.com/citronneur/rdpy. Installing with pip is recommended as it is more convenient. My installation process is described below; the system environment is Windows 7 with Python 2.7.
1. Install PyQt: http://sourceforge.net/projects/pyqt/files/PyQt4/PyQt-4.11.3/, select the 32-bit or 64-bit installation package.
2. Install Pywin32: http://sourceforge.net/projects/pywin32/files/pywin32/, select the desired version.
3. Install Rdpy: here easy_install and pip are used.
easy_install: https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py; after downloading, run python.exe ez_setup.py to install it.
Install pip: C:\Python27\Scripts\easy_install.exe pip. After the installation completes, pip.exe is present under C:\Python27\Scripts\.
Run pip install rdpy; if no error is reported, the installation succeeded.
2.2 Introduction to the Rdpy tools
After installing Rdpy, several rdpy scripts are added under the Scripts directory of your Python installation, as follows:
Each of these files has a different purpose:
rdpy-rdpclient
rdpy-rdpclient is a simple RDP Qt4 client.
$ rdpy-rdpclient.py [-u username] [-p password] [-d domain] [-r rss_output_file] [...] XXX.XXX.XXX.XXX[:3389]
rdpy-rdpclient can also be used to record a session scene.
rdpy-vncclient
rdpy-vncclient is a simple VNC Qt4 client.
$ rdpy-vncclient.py [-p password] XXX.XXX.XXX.XXX[:5900]
rdpy-rdpscreenshot
rdpy-rdpscreenshot saves the login screen to a file.
$ rdpy-rdpscreenshot.py [-w width] [-l height] [-o output_file_path] XXX.XXX.XXX.XXX[:3389]
rdpy-vncscreenshot
rdpy-vncscreenshot saves the first screen update of the session to a file.
$ rdpy-vncscreenshot.py [-p password] [-o output_file_path] XXX.XXX.XXX.XXX[:5900]
rdpy-rdpmitm
rdpy-rdpmitm is an RDP proxy that performs a man-in-the-middle attack on top of the RDP protocol and records the session scene in an RSS file that can be replayed by rdpy-rssplayer.
$ rdpy-rdpmitm.py -o output_dir [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] [-r (for XP or Server 2003 clients)] target_host[:target_port]
The output directory is used to save the RSS files, named in the format YYYYMMDDHHMMSS_IP_INDEX.rss. The private key file and the certificate file are standard SSL files used to encrypt the link. The RDP protocol can negotiate its own security level; if these two parameters are omitted, the server side uses the standard RDP security layer.
rdpy-rdphoneypot
rdpy-rdphoneypot is an RDP-based honeypot. It takes session scene recordings and replays them over the RDP protocol.
$ rdpy-rdphoneypot.py [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] rss_file_path_1 ... rss_file_path_n
rdpy-rssplayer
rdpy-rssplayer replays a session scene record (RSS) file generated by the rdpy-rdpmitm or rdpy-rdpclient binaries.
$ rdpy-rssplayer.py rss_file_path
2.3 Rdpy environment
3 Windows hosts: 1 as the client, 1 as the server, and 1 as the man-in-the-middle host with the Rdpy tools, all on the same network
2.4 Man-in-the-middle attack with Rdpy (attack succeeds)
1. Navigate to the Rdpy scripts directory and execute the listening command: rdpy-rdpmitm.py -o C:/rdpy [H1] 192.168.1.200 [H2]
2. At this point the client considers the man-in-the-middle host to be the server, and the server considers the
3. The client uses the built-in Windows remote desktop tool to connect: the remote IP is the IP of the man-in-the-middle host, but the remote desktop shown to the client is the server's desktop.
4. After listening is stopped, the .rss file is generated in the C:/rdpy directory; it can be played back with rdpy-rssplayer.py, and the client's remote operations can be viewed during playback.
Note: while Rdpy is listening, the client can log on to the server successfully, but sometimes the "encrypt data error, log on again" issue occurs shortly after a successful login.
Fifth. References for the protocol analysis
1. Wireshark wiki, official analysis of the RDP protocol: https://wiki.wireshark.org/RDP
2. Microsoft official website, brief explanation of the RDP protocol process: https://support.microsoft.com/zh-cn/kb/186607
3. RSA encryption algorithm used in RDP: https://msdn.microsoft.com/en-us/library/aa383015(vs.85).aspx
4. Explanation of the RDP protocol format provided by the Docin (豆丁) site: http://www.docin.com/p-641511813.html
5. CSDN blog, detailed parsing of the RDP protocol: http://blog.csdn.net/jingwen3699/article/details/7765480
6. More detailed description of the installation and use of the Rdpy tools: https://github.com/citronneur/rdpy
7. The method of using Rdpproxy is described in chapter 3: http://www.docin.com/p-782713242.html
[H1] The directory where the playback files generated during listening are written
[H2] The IP of the target server to monitor
Summary of man-in-the-middle attacks on RDP using Rdpproxy and Rdpy