RDP

Remote Desktop Protocol (RDP)

RDP is a proprietary protocol developed by Microsoft for their Terminal Server services.

History

See Wikipedia entry

Protocol dependencies

Example traffic

Example capture files are detailed below.

Wireshark

A basic RDP dissector exists that can decode most of the PDUs that are exchanged during the connection sequence. If Standard RDP Security is being negotiated, all the PDUs after the SecurityExchangePDU will be encrypted. There is no handling of virtual channel PDUs (beyond the security header) at the moment.

Preference Settings

Port: default 3389

SSL Configuration

In order to dissect Enhanced RDP Security SSL, you should configure the SSL dissector with the following:

<server-ip>,3389,tpkt,<path to key>

CredSSP

RDP can also use the Credential Security Support Provider (CredSSP) protocol to provide authentication information. This is always run under a SSL encrypted session. The CredSSP documentation states that SPNEGO is used to select between NTLM and Kerberos - but the RDP captures seen to date carry NTLM without any SPNEGO. The FreeRDP project provides a number of capture files, associated private keys and a detailed analysis of the protocol exchanges on their wiki. As yet, it has not proved possible to recover the NTLM keys in order to decrypt the CredSSP encrypted PDUs.

Example capture file

Display Filter

There are no built-in display filters specifically for RDP. However, RDP protocols use TCP port 3389.

Display only the RDP based traffic:

rdp

You may also use display filters based on the protocols on top of which RDP is built.

The following filter will include the conference set up and establishment of virtual channels, as well as the RDP conversation.

t125

The following display references may also prove useful:

Capture Filter

You can filter RDP protocols while capturing, as it's always using TCP port 3389.

Capture only the RDP based traffic:

tcp port 3389

Notes about Terminal Server Services Encryption Settings

RDP 5.0

RDP 5.1

RDP 5.2

RDP 6.0

External links

Discussion


Imported from https://wiki.wireshark.org/RDP on 2020-08-11 23:23:50 UTC