ctxis / RDP-Replay

Replay RDP traffic from PCAP
Apache License 2.0

HELP! #11

Open jessefmoore opened 7 years ago

jessefmoore commented 7 years ago

More info on How to get RDP-Replay to work in Production.

  1. Is Ubuntu 14.04 x64 the main OS to make RDP-Replay?
  2. When carving out pcaps from Bro, and other software, how do I know where to start and end to ensure it plays correctly with RDP-Replay?
  3. How do I try a different stream in the pcap if stream 0 is not working? Or cut up my pcap to work right? Question 2 may solve this.
  4. Is Windows XP through Win7 the only OS range this RDP-Replay tool can work with? How about Windows Server 2003, 2008, 2012, 2016?
stephanieleevillanueva commented 6 years ago

Echoing @jessefmoore on his first question. Is it possible to make RDP-Replay using Centos 7?

SteveWare commented 6 years ago

Hi. Sorry for the delay - this is not on my list of priorities.

Answer to Q1: This tool was developed on Ubuntu 14.04. I have not tested it on anything else. However, it should be possible to put together a docker image to run it. I will have a look at doing this if I get time.

Answer to Q2: I would normally expect the TCP handshake and complete streams. Any missing packets and the crypt will (almost certainly) be broken.

Answer to Q3: You can use the `-t <port>` option to specify streams. They are both probably on port 3389, but you can specify the other port (which should be different for the various TCP sessions).

Answer to Q4: The main problem with RDP sessions is the crypt. Modern clients will negotiate TLS/SSL and then use Diffie-Hellman for key exchange. There is no way (that I know of) to recover the crypt key for these sessions. If you know a way, let me know. Once the crypt is unlocked it's just a case of what support is in the client for the various rendering requests. This can be updated if needed, but I would need the data to work on any extended support. I have had some success with some of the server series, but mileage may vary.

@stephanieleevillanueva: As mentioned above, I have not tried. Again, docker may be a way forward. If you do get it working, if you can list the dependencies or post the docker file that would be great.

Steve.
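As an added illustration of the answers to Q2 and Q3 above (example code written for this page, not part of RDP-Replay or the thread): a small pure-Python triage script that walks a pcap, groups TCP packets by client port for sessions to 3389, and reports which sessions contain the complete three-way handshake the tool expects, so you know which port to pass with `-t`. The minimal pcap reader/writer, the constructed sample capture and the port numbers are all this example's own assumptions.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
# Minimal pcap (link type 1 = Ethernet) writer and reader, written for this example.
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def tcp_frame(sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame with no payload (constructed sample traffic)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap_file(frames):
    recs = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return PCAP_HDR + b"".join(recs)

def iter_frames(pcap):
    off = 24                                          # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        yield pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen

def rdp_sessions(pcap, port=3389):
    """Map each client port talking to `port` to which handshake steps were captured."""
    sessions = {}
    for f in iter_frames(pcap):
        if f[12:14] != b"\x08\x00" or f[14 + 9] != 6:   # IPv4 + TCP only
            continue
        t = 14 + (f[14] & 0x0F) * 4                      # TCP header offset
        sport, dport = struct.unpack_from("!HH", f, t)
        flags = f[t + 13]
        if dport == port:
            client, to_server = sport, True
        elif sport == port:
            client, to_server = dport, False
        else:
            continue
        s = sessions.setdefault(client, {"syn": False, "synack": False, "ack": False})
        if to_server and flags == SYN:
            s["syn"] = True
        if not to_server and flags == SYN | ACK:
            s["synack"] = True
        if to_server and s["synack"] and flags & ACK:
            s["ack"] = True
    return sessions

def complete_sessions(pcap, port=3389):
    """Client ports whose full three-way handshake is present (usable with -t <port>)."""
    return sorted(p for p, s in rdp_sessions(pcap, port).items() if all(s.values()))

# Constructed capture: one complete session (50001), one caught mid-stream (50002).
SAMPLE = pcap_file([
    tcp_frame(50001, 3389, SYN), tcp_frame(3389, 50001, SYN | ACK),
    tcp_frame(50001, 3389, ACK), tcp_frame(50001, 3389, PSH | ACK),
    tcp_frame(50002, 3389, PSH | ACK), tcp_frame(3389, 50002, PSH | ACK),
    tcp_frame(40000, 80, SYN),                        # unrelated traffic, ignored
])
```

Only session 50001 is reported as complete; 50002 was captured mid-stream and would fail the crypt setup the answer to Q2 warns about.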

SteveWare commented 6 years ago

I had a quick go with docker, and had success with this Dockerfile:

```dockerfile
FROM ubuntu:14.04

ENV LANG en_GB.UTF-8
ENV XTERM_LOCALE en_GB.UTF-8
ENV LC_COLLATE C

RUN apt-get update
RUN apt-get install -y build-essential git-core cmake libssl-dev
RUN apt-get install -y libx11-dev libxext-dev libxinerama-dev libxcursor-dev
RUN apt-get install -y libxdamage-dev libxv-dev libxkbfile-dev libasound2-dev
RUN apt-get install -y libcups2-dev libxml2 libxml2-dev libxrandr-dev
RUN apt-get install -y libgstreamer0.10-dev libgstreamer-plugins-base0.10-dev
RUN apt-get install -y libavutil-dev libavcodec-dev libavformat-dev
RUN apt-get install -y libpcap-dev libreadline-dev

RUN git clone https://github.com/ctxis/RDP-Replay.git
RUN cd RDP-Replay && make

ENV PATH /RDP-Replay/replay:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

Then run the following commands:

```bash
docker build -t rdpreplay .
XSOCK=/tmp/.X11-unix
XAUTH=/tmp/.docker.xauth
touch $XAUTH
xauth nlist $DISPLAY| sed -e 's/^..../ffff/' | xauth -f $XAUTH nmerge -
docker run -ti -e DISPLAY=$DISPLAY -v $XSOCK:$XSOCK -v $XAUTH:$XAUTH -e XAUTHORITY=$XAUTH rdpreplay rdp_replay -r RDP-Replay/test/demo1.pcap -p RDP-Replay/test/demo1.pem --no_cksum --show_keys
```

Hope this helps.

Steve.

jessefmoore commented 6 years ago

Thank you! I had good luck with Ubuntu 14.04 in VMware image from osboxes.org

Here is my video of getting it up and going: https://screencast-o-matic.com/embed?sc=cbQnnTIfyI&v=5&ff=1

Thank you, -Jesse

On Oct 31, 2017, at 1:13 PM, Steve Elliott notifications@github.com wrote:


SteveWare commented 6 years ago

Jesse,

You can add "--show_keys" to the end of the command line and you will be shown the key presses (including the password!!). Enjoy.

Steve.

stephanieleevillanueva commented 6 years ago

Hi Steve,

Thanks for the response. I figured it would be easier to build an Ubuntu 14.04 cluster rather than try to figure out how to compile RDP-Replay in Centos. I went that route and I am able to get RDP-Replay working on all nodes in the cluster. I'll let you know if I end up trying to build again using Centos.

Regards, Stephanie