Closed f4lk0r closed 6 years ago
Hello f4lk0r,
What cipher suite is negotiated? This needs to be RSA-based. Look at the ServerHello message in the SSL stream, and it will tell you, e.g.
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
If the cipher is based on DH (Diffie-Hellman) then it cannot decrypt the session. Use Wireshark as a guide. If you add the server's key (SSL preferences) then try to follow the SSL stream. If you get a decrypted stream in Wireshark, then rdp_replay should also be able to decrypt it. A while back (2 years?) MS changed defaults so that DH is used where available. This means that this tool is less useful than it would have been, but there's nothing I can do about the crypt.
Steve.
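The check Steve describes (read the cipher suite out of the ServerHello and decide whether the server's RSA private key alone can decrypt the session) can be automated. The script below is an added example, not code from the rdp_replay project or from anyone in this thread: it parses a raw TLS ServerHello record, names the suite, and classifies the key exchange as RSA (decryptable with the server key, as in `TLS_RSA_WITH_AES_128_CBC_SHA`) or (EC)DHE (not decryptable, as in `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`). The cipher-suite table is deliberately small and the two sample records are constructed here for demonstration; `build_server_hello` exists only to produce those samples.

```python
import struct

# Small cipher-suite table (assumption: only the suites this example needs,
# not a complete IANA registry). IDs and names are the standard TLS values.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_server_hello(record: bytes):
    """Parse one TLS record carrying a ServerHello.

    Returns (version_name, suite_id, suite_name). Layout: record header
    (type 0x16, version, length), then handshake header (type 0x02, 3-byte
    length), then version(2) random(32) session_id_len(1) session_id
    cipher_suite(2) compression(1) [extensions...].
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                      # skip version and 32-byte random
    sid_len = hs[pos]
    pos += 1 + sid_len                # skip session id
    if len(hs) < pos + 2:
        raise ValueError("truncated ServerHello (no cipher suite)")
    suite_id = struct.unpack("!H", hs[pos:pos + 2])[0]
    suite_name = CIPHER_SUITES.get(suite_id, "unknown (0x%04x)" % suite_id)
    return TLS_VERSIONS.get(version, "0x%04x" % version), suite_id, suite_name


def key_exchange(suite_name: str) -> str:
    """Classify the key exchange from the suite name prefix before _WITH_."""
    kx = suite_name.split("_WITH_")[0]   # e.g. TLS_RSA, TLS_ECDHE_RSA, TLS_DHE_RSA
    if kx == "TLS_RSA":
        return "RSA"
    if "ECDHE" in kx:
        return "ECDHE"
    if "DHE" in kx:
        return "DHE"
    return "other"


def decryptable_with_server_key(suite_name: str) -> bool:
    """True only for static RSA key exchange: the premaster secret is
    RSA-encrypted to the server key, so that key recovers the session.
    (EC)DHE suites derive the secret from ephemeral values never sent."""
    return key_exchange(suite_name) == "RSA"


def build_server_hello(version: int, suite_id: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (sample data for this example)."""
    hs_body = (struct.pack("!H", version) + b"\x00" * 32
               + bytes([len(session_id)]) + session_id
               + struct.pack("!H", suite_id) + b"\x00")
    hs = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed samples: the two suites quoted in this thread.
    for rec in (build_server_hello(0x0303, 0x002F),
                build_server_hello(0x0302, 0xC028, b"\x11" * 8)):
        ver, sid, name = parse_server_hello(rec)
        print(ver, "Cipher Suite: %s (0x%04x)" % (name, sid),
              "-> server key sufficient" if decryptable_with_server_key(name)
              else "-> %s key exchange, server key not sufficient" % key_exchange(name))
```

The same classification applies to what Wireshark shows in the ServerHello: only a `TLS_RSA_...` suite gives the passive RSA decryption that rdp_replay and Wireshark's "RSA keys list" rely on. Reordering a server's cipher suites to prefer static RSA restores that capability at the cost of forward secrecy for every session on that host, which is the trade-off an administrator is making when following the gpedit.msc suggestion later in this thread.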
Thank you very much for your response... Turns out that it is DH:
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
This is a Windows Server 2012 R2 box... is there any way to change the default away from DH so we can decrypt in the future? I'm not really concerned with the "security" of this particular system.
Google is your friend here, but gpedit.msc might be worth a try. GL.
Steve.
After following the instructions provided in the below links to extract SSL private key from the server, I have still been unable to decrypt my captured RDP sessions which used TLS 1.1 (and others using TLS 1.2): https://github.com/FreeRDP/FreeRDP/wiki/Mimikatz and https://github.com/ctxis/RDP-Replay ...
$ ./rdp_replay -r mypacketcapture.pcap -p myserver.key
RDP SSL MODE Requested by server!!
SSL private key found.
SSL-ERROR: RSA private key decrypt failed
In Wireshark, some sessions I see are using TLS 1.1 and others TLS 1.2... I'm confident that I have obtained the correct SSL private key from the server... Any assistance would be greatly appreciated!