SySS-Research / Seth

Perform a MitM attack and extract clear text credentials from RDP connections
MIT License

TLS alert internal error received, make sure to use RC4-SHA #17

Open mrj0b opened 6 years ago

mrj0b commented 6 years ago

The RDP connection gets stuck and Seth doesn't capture anything.

AdrianVollmer commented 6 years ago

Can you please run it with SETH_DEBUG=1 ./seth.sh ... and post the output?

mrj0b commented 6 years ago

[] Spoofing arp replies...
[] Turning on IP forwarding...
[] Set iptables rules for SYN packets...
[] Waiting for a SYN packet to the original destination...
[+] Got it! Original destination is 190.168.1.2
[] Clone the x509 certificate of the original destination...
[] Adjust the iptables rule for all packets...
[*] Run RDP proxy...
Warning: The python3 module 'hexdump' is missing. Using hexlify instead.
Listening for new connection
Connection received from 190.168.5.100:49178
Listening for new connection
From client: 030000130ee000000000000100080003000000
From server: 030000130ed000001234000201080002000000
Enable SSL
From client: 3037a003020102a130302e302ca02a04284e544c4d5353500001000000b78208e2000000000000000000000000000000000601b11d0000000f
TLS alert internal error received, make sure to use RC4-SHA

mrj0b commented 6 years ago

[] Spoofing arp replies...
[] Turning on IP forwarding...
[] Set iptables rules for SYN packets...
[] Waiting for a SYN packet to the original destination...
[+] Got it! Original destination is 190.168.1.2
[] Clone the x509 certificate of the original destination...
[] Adjust the iptables rule for all packets...
[] Run RDP proxy...
Listening for new connection
Connection received from 190.168.5.100:49226
Listening for new connection
From client:
00000000: 03 00 00 13 0E E0 00 00 00 00 00 01 00 08 00 03 ................
00000010: 00 00 00 ...
From server:
00000000: 03 00 00 13 0E D0 00 00 12 34 00 02 01 08 00 02 .........4......
00000010: 00 00 00 ...
Enable SSL
From client:
00000000: 30 37 A0 03 02 01 02 A1 30 30 2E 30 2C A0 2A 04 07......00.0,..
00000010: 28 4E 54 4C 4D 53 53 50 00 01 00 00 00 B7 82 08 (NTLMSSP........
00000020: E2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 06 01 B1 1D 00 00 00 0F .........
TLS alert internal error received, make sure to use RC4-SHA

AdrianVollmer commented 6 years ago

Not sure what the problem is. I'm also very busy with other things these days, so sorry about the delay. Can you tell me the versions of the following software packages? Maybe that will give me a clue.

therokh commented 6 years ago

I am having the same error when authenticating on connection.

Python: 3.4.5
OpenSSL: 1.0.2k-fips 26 Jan 2017
Windows RDP client: Windows 10 version 1709 - OS Build 16299.309
Windows RDP host: Windows Server 2012 R2

therokh commented 6 years ago

From the box running Seth:

openssl s_client -connect 10.3.201.20:3389 --showcerts

CONNECTED(00000003)
depth=0 CN = WIN-MJBCIAMI6CU
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = WIN-MJBCIAMI6CU
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=WIN-MJBCIAMI6CU
   i:/CN=WIN-MJBCIAMI6CU
---
Server certificate
subject=/CN=WIN-MJBCIAMI6CU
issuer=/CN=WIN-MJBCIAMI6CU
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1282 bytes and written 471 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 3C3E00001BF29065C8D056572BB6B901AA9BF66B7BF62FB9C23EC5B15E1D4904
    Session-ID-ctx:
    Master-Key: 74DE41503EDF3C8108BA6DB2921778878C0415571F08A217EF794CCE6E9C111E5303A10BA6138914DD2EC752D78F0F02
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1521944433
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

AdrianVollmer commented 6 years ago

Could you please provide a list of TLS ciphers that the RDP host is offering? For example with sslscan <host ip>:3389

Maybe there is some cipher mismatch between the python client and the windows host.

therokh commented 6 years ago

Refer to the attached file for the sslscan output: sslscan.txt

AdrianVollmer commented 6 years ago

Thanks! RC4-SHA is supported, so still no idea... I slightly increased verbosity with the latest commit, so you could pull and try again.

therokh commented 6 years ago

It does not appear to trigger the sslError:

Listening for new connection
Connection received from x.x.x.x:32720
Downgrading authentication options from 11 to 3
Listening for new connection
Enable SSL
[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1748)
TLS alert internal error received, make sure to use RC4-SHA
Connection received from x.x.x.x:32721
Downgrading authentication options from 11 to 3
Listening for new connection
Enable SSL
[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1748)
TLS alert internal error received, make sure to use RC4-SHA
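
Added example, not part of the original thread and not Seth's own code: a small parser for the two negotiation PDUs logged earlier in the thread, which also decodes protocol masks such as the 11 and 3 in the "Downgrading authentication options" line. The layout follows MS-RDPBCGR; the function and constant names are assumptions made for this illustration.

```python
import struct

# Flag values as defined in MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP).
PROTOCOLS = {0x1: "PROTOCOL_SSL", 0x2: "PROTOCOL_HYBRID",
             0x4: "PROTOCOL_RDSTLS", 0x8: "PROTOCOL_HYBRID_EX"}
NEG_TYPES = {0x01: "RDP_NEG_REQ", 0x02: "RDP_NEG_RSP", 0x03: "RDP_NEG_FAILURE"}
X224_TYPES = {0xE0: "ConnectionRequest", 0xD0: "ConnectionConfirm"}

# PDUs copied from the hexlify debug output posted in this thread.
CLIENT_REQ = "030000130ee000000000000100080003000000"
SERVER_RSP = "030000130ed000001234000201080002000000"


def protocol_names(mask):
    """Decode a security-protocol bit mask; 0 is standard RDP security."""
    if mask == 0:
        return ["PROTOCOL_RDP"]
    return [name for bit, name in sorted(PROTOCOLS.items()) if mask & bit]


def parse_negotiation(hex_pdu):
    """Parse TPKT + X.224 CR/CC headers and the 8-byte negotiation block."""
    data = bytes.fromhex(hex_pdu)
    if len(data) < 19:
        raise ValueError("too short for a negotiation PDU")
    version, _reserved, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != 3 or tpkt_len != len(data):
        raise ValueError("not a complete TPKT packet")
    length_indicator, code = data[4], data[5]
    if code not in X224_TYPES or length_indicator + 5 != len(data):
        raise ValueError("not an X.224 connection request/confirm")
    rest = data[11:]  # skip dst-ref, src-ref and class option
    if len(rest) > 8 and b"\r\n" in rest:
        # A request may carry a cookie or routing token ending in CR LF.
        rest = rest[rest.index(b"\r\n") + 2:]
    if len(rest) < 8:
        raise ValueError("no RDP negotiation block present")
    neg_type, flags, length, value = struct.unpack("<BBHI", rest[:8])
    if neg_type not in NEG_TYPES or length != 8:
        raise ValueError("no RDP negotiation block present")
    return {"x224": X224_TYPES[code], "type": NEG_TYPES[neg_type],
            "flags": flags, "value": value}


if __name__ == "__main__":
    for label, pdu in (("client", CLIENT_REQ), ("server", SERVER_RSP)):
        parsed = parse_negotiation(pdu)
        print(label, parsed, protocol_names(parsed["value"]))
    print("11 ->", protocol_names(11), "| 3 ->", protocol_names(3))
```

For the logged PDUs the server's response selects PROTOCOL_HYBRID (CredSSP), which matches the NTLMSSP blob in the client message that follows "Enable SSL".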