Remote Desktop Protocol (RDP)

RDP is a proprietary protocol developed by Microsoft for their Terminal Server services.

History

See Wikipedia entry

Protocol dependencies

Example traffic

Example capture files are detailed below.

Wireshark

A basic RDP dissector exists that can decode most of the PDUs that are exchanged during the connection sequence. If Standard RDP Security is being negotiated, all the PDUs after the SecurityExchangePDU will be encrypted. There is no handling of virtual channel PDUs (beyond the security header) at the moment.

Preference Settings

Port: default 3389

SSL Configuration

In order to dissect Enhanced RDP Security SSL, you should configure the SSL dissector with the following:

<server-ip>,3389,tpkt,<path to key>

CredSSP

RDP can also use the Credential Security Support Provider (CredSSP) protocol to provide authentication information. This always runs inside an SSL-encrypted session. The CredSSP documentation states that SPNEGO is used to select between NTLM and Kerberos, but the RDP captures seen to date carry NTLM without any SPNEGO. The FreeRDP project provides a number of capture files, associated private keys and a detailed analysis of the protocol exchanges on their wiki. As yet, it has not proved possible to recover the NTLM keys in order to decrypt the CredSSP-encrypted PDUs.
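The connection sequence described above starts with an X.224 Connection Request and Connection Confirm carried in TPKT, and the optional RDP negotiation structures in those two PDUs decide whether the session will use Standard RDP Security, Enhanced RDP Security over TLS, or CredSSP. The following is an added example, not code from the Wireshark project or its RDP dissector: it splits a TCP byte stream into TPKT PDUs and decodes the negotiation so you can tell from the first two packets which security mode a session will use (useful for spotting legacy Standard RDP Security sessions in a capture). Field layouts follow Microsoft's MS-RDPBCGR specification; the sample PDUs and the protocol labels returned by the helper functions are constructed for this example.

```python
"""Decode the RDP security negotiation from the X.224 Connection Request / Confirm.

Added example (not Wireshark code). Layouts follow MS-RDPBCGR; all sample
PDUs below are constructed for this example.
"""
import struct

# requestedProtocols / selectedProtocol flag values (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000       # Standard RDP Security (no TLS)
PROTOCOL_SSL = 0x00000001       # Enhanced RDP Security: TLS
PROTOCOL_HYBRID = 0x00000002    # Enhanced RDP Security: CredSSP (NLA) over TLS
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
X224_CR, X224_CC = 0xE0, 0xD0   # X.224 TPDU codes: Connection Request / Confirm
COOKIE_PREFIX = b"Cookie: mstshash="

FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER"}


def split_tpkt(stream):
    """Split a raw TCP byte stream into TPKT payloads (RFC 1006 framing)."""
    pdus, offset = [], 0
    while offset + 4 <= len(stream):
        version, _reserved, length = struct.unpack_from(">BBH", stream, offset)
        if version != 3 or length < 4:
            raise ValueError("not a TPKT header at offset %d" % offset)
        if offset + length > len(stream):
            break  # incomplete trailing PDU, wait for more data
        pdus.append(stream[offset + 4:offset + length])
        offset += length
    return pdus


def protocol_names(flags):
    """Map protocol flag bits to labels; zero means Standard RDP Security."""
    table = ((PROTOCOL_SSL, "TLS"), (PROTOCOL_HYBRID, "CredSSP"),
             (PROTOCOL_RDSTLS, "RDSTLS"), (PROTOCOL_HYBRID_EX, "CredSSP-EX"))
    return [name for bit, name in table if flags & bit] or ["StandardRDPSecurity"]


def parse_x224_negotiation(tpkt_payload):
    """Parse an X.224 CR or CC TPDU and return the negotiation it carries."""
    li = tpkt_payload[0]                    # length indicator: bytes after itself
    code = tpkt_payload[1] & 0xF0
    result = {"pdu": None, "cookie": None, "protocols": None, "failure": None}
    if code == X224_CR:
        result["pdu"] = "ConnectionRequest"
    elif code == X224_CC:
        result["pdu"] = "ConnectionConfirm"
    else:
        raise ValueError("unexpected X.224 TPDU code 0x%02x" % code)
    # Fixed part after LI: code(1) DST-REF(2) SRC-REF(2) class(1); the rest is variable
    variable = tpkt_payload[7:1 + li]

    # Optional routing cookie, terminated by CR LF, precedes rdpNegReq
    if variable.startswith(COOKIE_PREFIX):
        end = variable.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        result["cookie"] = variable[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        variable = variable[end + 2:]

    if len(variable) == 0:
        # No negotiation structure at all: only Standard RDP Security is possible
        result["protocols"] = protocol_names(PROTOCOL_RDP)
    elif len(variable) >= 8:
        ntype, _flags, nlen, value = struct.unpack_from("<BBHI", variable, 0)
        if nlen != 8:
            raise ValueError("bad negotiation structure length %d" % nlen)
        if ntype in (TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP):
            result["protocols"] = protocol_names(value)
        elif ntype == TYPE_RDP_NEG_FAILURE:
            result["failure"] = FAILURE_CODES.get(value, "0x%08x" % value)
        else:
            raise ValueError("unknown negotiation type 0x%02x" % ntype)
    else:
        raise ValueError("truncated negotiation structure")
    return result


def describe_session(client_stream, server_stream):
    """Summarise which security mode the first client/server PDUs agreed on."""
    req = parse_x224_negotiation(split_tpkt(client_stream)[0])
    rsp = parse_x224_negotiation(split_tpkt(server_stream)[0])
    out = {"requested": req["protocols"], "selected": rsp["protocols"],
           "failure": rsp["failure"], "cookie": req["cookie"]}
    if rsp["failure"] is not None:
        out["security"] = "negotiation failed: " + rsp["failure"]
    elif rsp["protocols"] == ["StandardRDPSecurity"]:
        out["security"] = "Standard RDP Security"   # PDUs after SecurityExchangePDU are RC4 encrypted
    elif "CredSSP" in rsp["protocols"] or "CredSSP-EX" in rsp["protocols"]:
        out["security"] = "Enhanced RDP Security (CredSSP over TLS)"
    else:
        out["security"] = "Enhanced RDP Security (TLS)"
    return out


# Constructed sample PDUs (not from any real capture)
CLIENT_CR = (b"\x03\x00\x00\x2b"                   # TPKT: version 3, length 43
             b"\x26\xe0\x00\x00\x00\x00\x00"       # X.224 CR: LI 38, code E0, refs, class 0
             b"Cookie: mstshash=alice\r\n"         # routing cookie (24 bytes)
             b"\x01\x00\x08\x00\x03\x00\x00\x00")  # rdpNegReq: TLS | CredSSP requested
SERVER_CC = (b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x00\x00\x00"   # TPKT 19, X.224 CC LI 14
             b"\x02\x00\x08\x00\x02\x00\x00\x00")              # rdpNegRsp: CredSSP selected
LEGACY_CR = (b"\x03\x00\x00\x21\x1c\xe0\x00\x00\x00\x00\x00"   # TPKT 33, LI 28, no rdpNegReq
             b"Cookie: mstshash=bob\r\n")
LEGACY_CC = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x00\x00\x00"    # CC with no rdpNegRsp
FAILURE_CC = (b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x00\x00\x00"
              b"\x03\x00\x08\x00\x01\x00\x00\x00")             # rdpNegFailure: SSL_REQUIRED_BY_SERVER

if __name__ == "__main__":
    for label, c, s in (("modern", CLIENT_CR, SERVER_CC), ("legacy", LEGACY_CR, LEGACY_CC),
                        ("refused", CLIENT_CR, FAILURE_CC)):
        print(label, describe_session(c, s))
```

A session that ends up as "Standard RDP Security" is the case the dissector note above refers to: everything after the SecurityExchangePDU is encrypted with the RC4 keys derived from that exchange, so the TPKT/X.224 prefix is the last cleartext the capture shows. Tagging streams this way is a cheap way to find hosts that still accept the legacy mode rather than TLS or CredSSP.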

Example capture file

Display Filter

There are no built-in display filters specifically for RDP. However, RDP protocols use TCP port 3389.

You may also use display filters based on the protocols on top of which RDP is built.

The following display references may also prove useful:

Capture Filter

You can filter RDP protocols while capturing, as RDP always uses TCP port 3389.

Notes about Terminal Server Services Encryption Settings

RDP 5.0

RDP 5.1

RDP 5.2

RDP 6.0

Discussion

X.224 is equivalent to ISO International Standard 8073, which is implemented in Wireshark. If you use Decode As TPKT on the RDP stream, it produces partially valid output.

RDP (last edited 2013-06-10 12:55:30 by ChristopherMaynard)