GoSecure / pyrdp

RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact
https://www.gosecure.net/blog/2020/10/20/announcing-pyrdp-1/
GNU General Public License v3.0

pyrdp-convert: Fails to extract replay with multiple connections in PCAP #221

Status: Closed (alxbl closed this issue 3 years ago)

alxbl commented 4 years ago

We ran into a bug where the master secret is not found when there are multiple different connections from the same source in the same trace:

[*] Analyzing network trace...
    - CLIENT -> SERVER: unknown master secret
    - CLIENT -> SERVER: master secret available (!)
    - CLIENT -> SERVER: unknown master secret
    - CLIENT -> SERVER: master secret available (!)
    - SERVER -> CLIENT: master secret available (!)
Traceback (most recent call last):
  File "./pyrdp-convert.py", line 378, in <module>
    main()
  File "./pyrdp-convert.py", line 342, in main
    streams.append((info, decrypted(stream, secrets[rnd]['master'])))
KeyError: ''

Looks like rnd is an empty string...

            rnd = findClientRandom(stream)
            # Bug: when findClientRandom() returns '' the first branch is skipped,
            # so the else branch indexes self.secrets[''] and raises KeyError.
            if rnd not in self.secrets and rnd != '':
                print(' unknown master secret')
            else:
                print(' master secret available (!)')
                streams.append((info, decrypted(stream, self.secrets[rnd]['master'])))

I think this might be a TLS version issue between MITM - SERVER.

A workaround might be specifying --src CLIENT.
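The condition quoted above, next to a version that handles a missing or unknown client random, as an added Python example that is not pyrdp's own code. It assumes the secrets file is in NSS key-log format (`CLIENT_RANDOM <client_random_hex> <master_secret_hex>`, one line per connection) and uses a constructed `Stream` stand-in for a reassembled TCP stream; `parseKeyLog`, `selectStreamsBuggy`, `selectStreamsFixed` and the sample data are names and values chosen for this example.

```python
"""Match TLS streams from a multi-connection trace to their master secrets.

Added example, not code from pyrdp. The key-log format and the Stream
stand-in are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Stream:
    """Constructed stand-in for one reassembled TCP stream."""
    info: str
    client_random: str  # '' when the client random could not be recovered


def parseKeyLog(text: str) -> Dict[str, bytes]:
    """Parse CLIENT_RANDOM lines into {client_random_hex: master_secret}.

    Malformed or unrelated lines are ignored rather than aborting the run,
    since one bad line should not prevent decrypting the other connections.
    """
    secrets: Dict[str, bytes] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != 'CLIENT_RANDOM':
            continue
        rnd, master = parts[1].lower(), parts[2]
        # TLS client random is 32 bytes, the master secret is 48 bytes.
        if len(rnd) != 64 or len(master) != 96:
            continue
        secrets[rnd] = bytes.fromhex(master)
    return secrets


def selectStreamsBuggy(streams: List[Stream], secrets: Dict[str, bytes]) -> List[Tuple[str, bytes]]:
    """Reproduces the condition from the issue.

    An empty client random does not satisfy `rnd != ''`, so it falls through
    to the lookup and raises KeyError('') exactly as in the traceback.
    """
    out = []
    for s in streams:
        rnd = s.client_random
        if rnd not in secrets and rnd != '':
            continue  # "unknown master secret"
        out.append((s.info, secrets[rnd]))  # KeyError when rnd == ''
    return out


def selectStreamsFixed(streams: List[Stream], secrets: Dict[str, bytes]) -> Tuple[List[Tuple[str, bytes]], List[str]]:
    """Keep only streams whose client random is present in the key log.

    Streams without a recoverable client random and streams whose random has
    no matching secret are reported separately so the operator can tell the
    two failure modes apart.
    """
    decryptable: List[Tuple[str, bytes]] = []
    skipped: List[str] = []
    for s in streams:
        rnd = s.client_random.lower()
        if not rnd:
            skipped.append(f"{s.info}: client random not found in handshake")
        elif rnd not in secrets:
            skipped.append(f"{s.info}: no master secret for client random {rnd[:8]}...")
        else:
            decryptable.append((s.info, secrets[rnd]))
    return decryptable, skipped


def buggyRaisesKeyError(streams: List[Stream], secrets: Dict[str, bytes]) -> bool:
    """True if the original condition crashes on this input."""
    try:
        selectStreamsBuggy(streams, secrets)
        return False
    except KeyError:
        return True


# Constructed sample data: two logged connections, four observed streams.
SAMPLE_KEYLOG = (
    "# constructed key log, not from a real session\n"
    f"CLIENT_RANDOM {'aa' * 32} {'11' * 48}\n"
    f"CLIENT_RANDOM {'bb' * 32} {'22' * 48}\n"
    "CLIENT_RANDOM deadbeef short\n"  # malformed, ignored
)
SAMPLE_STREAMS = [
    Stream("CLIENT -> SERVER #1", 'aa' * 32),  # secret available
    Stream("CLIENT -> SERVER #2", ''),         # random not recovered
    Stream("CLIENT -> SERVER #3", 'cc' * 32),  # random recovered, no secret
    Stream("SERVER -> CLIENT", 'bb' * 32),     # secret available
]

if __name__ == "__main__":
    secrets = parseKeyLog(SAMPLE_KEYLOG)
    print("buggy condition raises KeyError:", buggyRaisesKeyError(SAMPLE_STREAMS, secrets))
    ok, skipped = selectStreamsFixed(SAMPLE_STREAMS, secrets)
    print("decryptable:", [info for info, _ in ok])
    print("skipped:", skipped)
```

The fixed selector reports "client random not found" and "no master secret" as distinct cases; in a multi-connection capture that distinction tells you whether the handshake was not parsed at all (the TLS version suspicion above) or simply was not logged.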

xshill commented 3 years ago

I'm gonna work on this to make it more reliable. Here are some changes I would like to make to fully support multiple connections in a single pcap:

xshill commented 3 years ago

The output system hasn't been changed yet, I focused on refactoring it and fixing packet reconstruction. I'll move the output changes to another issue.