SteveWare
commented
7 years ago Hello f4lk0r,
What cipher suite is negotiated? This need to be RSA based. Look at the ServerHello message in the SSL stream, and it will tell you. e.g.
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)If the cipher based on DH (Diffie-Hellman) then it cannot decrypt the session. Use wireshark as a guide. If you add the server's key (SSL preferences) then try to follow SSL stream. If you get a decrypted stream in wireshark, then rdp_replay should also be able to decrypt it. A while back (2 years?) MS changed defaults so that DH is used where available. This means that this tool is less useful than it would have been, but there's nothing I can do about the crypt.
Steve.
f4lk0r
After following the instructions provided in the below links to extract SSL private key from the server, I have still been unable to decrypt my captured RDP sessions which used TLS 1.1 (and others using TLS 1.2): https://github.com/FreeRDP/FreeRDP/wiki/Mimikatz and https://github.com/ctxis/RDP-Replay ...
$ ./rdp_replay -r mypacketcapture.pcap -p myserver.key RDP SSL MODE Requested by server!! SSL private key found. SSL-ERROR: RSA private key decrypt failed
In wireshark, some sessions I see are using TLS 1.1 and other TLS 1.2.... I'm confident that I have obtained the correct SSL private key from the server... Any assistance would be greatly appreciated!