ctxis / RDP-Replay

Replay RDP traffic from PCAP
Apache License 2.0
182 stars, 61 forks

Error on Make #12

Open. stephanieleevillanueva opened this issue 6 years ago

stephanieleevillanueva commented 6 years ago

Hi Steve,

Just wondering if you've seen this before and whether it is a quick fix. I've downloaded all the prerequisites before running make.

[screenshot: 2017-11-07 11:05:21 am]

[screenshot: 2017-11-07 11:05:35 am]

Thanks, Stephanie

SteveWare commented 6 years ago

Hi Stephanie,

I have not seen this before. I suspect it's due to incompatible library versions. The error is in libfree_rdp. This is just a copy of libfreerdp from the current version in GIT at the time, and I don't know much about the dependencies. I do get compile warnings at this point:

make[3]: Entering directory `/home/steve/RDP-Replay/libfree_rdp'
[ 81%] Building C object channels/drdynvc/tsmf/ffmpeg/CMakeFiles/tsmf_ffmpeg.dir/tsmf_ffmpeg.c.o
/home/steve/RDP-Replay/libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c: In function ‘tsmf_ffmpeg_init_context’:
/home/steve/RDP-Replay/libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c:65:2: warning: implicit declaration of function ‘avcodec_alloc_context’ [-Wimplicit-function-declaration]
  mdecoder->codec_context = avcodec_alloc_context();
  ^
/home/steve/RDP-Replay/libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c:65:26: warning: assignment makes pointer from integer without a cast [enabled by default]
  mdecoder->codec_context = avcodec_alloc_context();
                          ^
/home/steve/RDP-Replay/libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c: In function ‘tsmf_ffmpeg_prepare’:
/home/steve/RDP-Replay/libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c:190:2: warning: implicit declaration of function ‘avcodec_open’ [-Wimplicit-function-declaration]
  if (avcodec_open(mdecoder->codec_context, mdecoder->codec) < 0)
  ^
/home/steve/RDP-Replay/libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c: In function ‘tsmf_ffmpeg_decode_video’:
/home/steve/RDP-Replay/libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c:324:3: warning: implicit declaration of function ‘av_free’ [-Wimplicit-function-declaration]
   av_free(frame);
   ^
/home/steve/RDP-Replay/libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c: In function ‘TSMFDecoderEntry’:
/home/steve/RDP-Replay/libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c:515:3: warning: implicit declaration of function ‘avcodec_init’ [-Wimplicit-function-declaration]
   avcodec_init();
   ^
Linking C shared library tsmf_ffmpeg.so
make[3]: Leaving directory `/home/steve/RDP-Replay/libfree_rdp'
[ 81%] Built target tsmf_ffmpeg
make[3]: Entering directory `/home/steve/RDP-Replay/libfree_rdp'
make[3]: Leaving directory `/home/steve/RDP-Replay/libfree_rdp'

However, this is not fatal, and it continues to compile and work successfully.

What I can do is give you the versions that work for me. These are installed packages (selected output from dpkg-query -s):

Package: build-essential
Installed-Size: 37
Version: 11.6ubuntu6

Package: cmake
Installed-Size: 13399
Version: 2.8.12.2-0ubuntu3

Package: libssl-dev
Installed-Size: 6178
Version: 1.0.1f-1ubuntu2.19

Package: libx11-dev
Installed-Size: 2606
Version: 2:1.6.2-1ubuntu2

Package: libxext-dev
Installed-Size: 283
Version: 2:1.3.2-1ubuntu0.0.14.04.1

Package: libxinerama-dev
Installed-Size: 76
Version: 2:1.1.3-1

Package: libxcursor-dev
Installed-Size: 133
Version: 1:1.1.14-1

Package: libxdamage-dev
Installed-Size: 61
Version: 1:1.1.4-1ubuntu1

Package: libxv-dev
Installed-Size: 111
Version: 2:1.0.10-1

Package: libxkbfile-dev
Installed-Size: 331
Version: 1:1.0.8-1

Package: libasound2-dev
Installed-Size: 468
Version: 1.0.27.2-3ubuntu7

Package: libcups2-dev
Installed-Size: 1118
Version: 1.7.2-0ubuntu1.7

Package: libxml2
Installed-Size: 1805
Version: 2.9.1+dfsg1-3ubuntu4.8

Package: libxml2-dev
Installed-Size: 2863
Version: 2.9.1+dfsg1-3ubuntu4.8

Package: libxrandr-dev
Installed-Size: 140
Version: 2:1.4.2-1

Package: libgstreamer0.10-dev
Installed-Size: 6624
Version: 0.10.36-1.2ubuntu3

Package: libgstreamer-plugins-base0.10-dev
Installed-Size: 2064
Version: 0.10.36-1.1ubuntu2

Package: libavutil-dev
Installed-Size: 563
Version: 6:9.18-0ubuntu0.14.04.1

Package: libavcodec-dev
Installed-Size: 8929
Version: 6:9.18-0ubuntu0.14.04.1

Package: libavformat-dev
Installed-Size: 2529
Version: 6:9.18-0ubuntu0.14.04.1

Package: libpcap-dev
Installed-Size: 36
Version: 1.5.3-2

Package: libreadline-dev
Installed-Size: 21
Version: 6.3-4ubuntu2

I hope this is of some help to you.

May I ask what you are using this for? All RDP traffic seen over the last few years seems to be SSL-based, with DH key exchange. This makes getting the session key impossible (unless you know differently), and so I have lost interest in maintaining and developing this. If you have a use-case that others may also find useful, I may be inspired to bring this project up to date (no promises).

Steve.

stephanieleevillanueva commented 6 years ago

Hi Steve,

Our company network has a bunch of old (meaning 2012 and older) packet captures that we know have RDP traffic. RDP decryption is one research area that we are currently working on, and this (awesome) tool that you have seems to work for most PCAPs generated during that time, provided we also have a copy of the server key. But you are right... for the more recent RDP captures we have not had any luck with decrypting because of ephemeral keys.

Thanks, Stephanie
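The question running through both replies above is whether a given capture is even a candidate for this tool: a session that stays on standard RDP security can be decrypted with the server's RSA private key, while one that negotiates TLS (or CredSSP over TLS) can only be decrypted if the TLS key exchange was RSA, never with an (EC)DHE suite. That decision is visible in the first two packets of the connection, the X.224 Connection Request and Connection Confirm, before any encryption starts. The following is an added example, not code from RDP-Replay or from anyone in this thread; it parses those two PDUs from their raw TCP payloads (extracting the payloads from a PCAP is assumed to be done separately, e.g. with tshark) and the sample byte strings are constructed for illustration, with the cookie name "steph" and the reference values invented.

```python
import struct

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_NAMES = {
    0x0: "PROTOCOL_RDP (standard RDP security)",
    0x1: "PROTOCOL_SSL (TLS)",
    0x2: "PROTOCOL_HYBRID (CredSSP inside TLS)",
    0x4: "PROTOCOL_RDSTLS",
    0x8: "PROTOCOL_HYBRID_EX (CredSSP with early user authorization)",
}
NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    0x1: "SSL_REQUIRED_BY_SERVER", 0x2: "SSL_NOT_ALLOWED_BY_SERVER",
    0x3: "SSL_CERT_NOT_ON_SERVER", 0x4: "INCONSISTENT_FLAGS",
    0x5: "HYBRID_REQUIRED_BY_SERVER", 0x6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
X224_CR, X224_CC = 0xE0, 0xD0


def x224_body(pdu):
    """Check TPKT + X.224 framing; return (tpdu code, bytes after the fixed header)."""
    if len(pdu) < 11 or pdu[0] != 0x03 or pdu[1] != 0x00:
        raise ValueError("not a TPKT-framed X.224 PDU")
    (tpkt_len,) = struct.unpack(">H", pdu[2:4])
    if tpkt_len != len(pdu):
        raise ValueError(f"TPKT says {tpkt_len} bytes, got {len(pdu)}")
    li = pdu[4]  # X.224 length indicator counts every byte after itself
    if 5 + li != tpkt_len:
        raise ValueError("X.224 length indicator disagrees with TPKT length")
    # fixed part after LI: code(1) dst-ref(2) src-ref(2) class(1)
    return pdu[5] & 0xF0, pdu[11:]


def parse_connection_request(cr):
    """Client Connection Request: optional mstshash cookie, optional RDP_NEG_REQ."""
    code, body = x224_body(cr)
    if code != X224_CR:
        raise ValueError("not an X.224 Connection Request")
    cookie = None
    if body.startswith(b"Cookie: mstshash="):
        end = body.index(b"\r\n")
        cookie = body[len(b"Cookie: mstshash="):end].decode("ascii", "replace")
        body = body[end + 2:]
    requested = None  # absent: old client, standard RDP security only
    if len(body) >= 8 and body[0] == NEG_REQ:
        _, _, length, requested = struct.unpack("<BBHI", body[:8])
        if length != 8:
            raise ValueError("RDP_NEG_REQ length must be 8")
    return {"cookie": cookie, "requestedProtocols": requested}


def parse_connection_confirm(cc):
    """Server Connection Confirm: optional RDP_NEG_RSP or RDP_NEG_FAILURE."""
    code, body = x224_body(cc)
    if code != X224_CC:
        raise ValueError("not an X.224 Connection Confirm")
    if len(body) < 8:  # no negotiation structure: server only does standard RDP security
        return {"type": "none", "selectedProtocol": 0x0}
    ntype, flags, length, value = struct.unpack("<BBHI", body[:8])
    if length != 8:
        raise ValueError("negotiation structure length must be 8")
    if ntype == NEG_RSP:
        return {"type": "RDP_NEG_RSP", "flags": flags, "selectedProtocol": value}
    if ntype == NEG_FAILURE:
        return {"type": "RDP_NEG_FAILURE", "failureCode": value,
                "reason": FAILURE_CODES.get(value, f"unknown 0x{value:x}")}
    raise ValueError(f"unknown negotiation type 0x{ntype:02x}")


def replay_verdict(cc):
    """Can the server's RSA private key decrypt this session?"""
    info = parse_connection_confirm(cc)
    if info["type"] == "RDP_NEG_FAILURE":
        return f"negotiation failed ({info['reason']}): nothing to replay"
    proto = info["selectedProtocol"]
    if proto == 0x0:
        return ("standard RDP security: the client random travels under the server's "
                "RSA key, so the server private key recovers the RC4 session keys")
    return (f"{PROTOCOL_NAMES.get(proto, hex(proto))}: RDP runs inside TLS; the session "
            "key is recoverable from the server key only for an RSA key-exchange "
            "suite, not for (EC)DHE")


# Constructed sample PDUs (TCP payload of the first two segments), not from a real capture.
CR_COOKIE_NEG = (b"\x03\x00\x00\x2b"              # TPKT, 43 bytes
                 b"\x26\xe0\x00\x00\x00\x00\x00"  # X.224 CR, LI = 38
                 b"Cookie: mstshash=steph\r\n"
                 b"\x01\x00\x08\x00\x03\x00\x00\x00")  # RDP_NEG_REQ: SSL | HYBRID
CC_LEGACY = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"  # CC, no RDP_NEG_RSP
CC_TLS = (b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00"
          b"\x02\x00\x08\x00\x01\x00\x00\x00")   # RDP_NEG_RSP: PROTOCOL_SSL
CC_FAIL = (b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00"
           b"\x03\x00\x08\x00\x02\x00\x00\x00")  # RDP_NEG_FAILURE: SSL_NOT_ALLOWED

if __name__ == "__main__":
    print(parse_connection_request(CR_COOKIE_NEG))
    for sample in (CC_LEGACY, CC_TLS, CC_FAIL):
        print(replay_verdict(sample))
```

Run it against the server's Connection Confirm from each capture before spending time on key material: a confirm with no RDP_NEG_RSP (the 2012-era traffic Stephanie describes) is the case this tool was written for, while a selectedProtocol of 1, 2 or 8 means the RDP layer is wrapped in TLS and the cipher suite in the TLS Server Hello decides whether the server key helps at all.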

nonostar commented 4 years ago

sed -e 's/CODEC_CAP_TRUNCATED/AV_CODEC_CAP_TRUNCATED/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_FLAG_TRUNCATED/AV_CODEC_FLAG_TRUNCATED/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_ID_VC1/AV_CODEC_ID_VC1/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_ID_WMAV2/AV_CODEC_ID_WMAV2/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_ID_WMAPRO/AV_CODEC_ID_WMAPRO/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_ID_MP3/AV_CODEC_ID_MP3/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_ID_MP2/AV_CODEC_ID_MP2/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_ID_MPEG2VIDEO/AV_CODEC_ID_MPEG2VIDEO/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_ID_WMV3/AV_CODEC_ID_WMV3/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_ID_AAC/AV_CODEC_ID_AAC/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_ID_H264/AV_CODEC_ID_H264/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_ID_AC3/AV_CODEC_ID_AC3/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/PIX_FMT_YUV420P/AV_PIX_FMT_YUV420P/g' -i libfree_rdp/channels/drdynvc/tsmf/ffmpeg/tsmf_ffmpeg.c
sed -e 's/CODEC_FLAG_GLOBAL_HEADER/AV_CODEC_FLAG_GLOBAL_HEADER/g' -i replay/play_vid.c
sed -e 's/CODEC_ID_NONE/AV_CODEC_ID_NONE/g' -i replay/play_vid.c
sed -e 's/PIX_FMT_YUV420P/AV_PIX_FMT_YUV420P/g' -i replay/play_vid.c
sed -e 's/avcodec_alloc_frame/av_frame_alloc/g' -i replay/play_vid.c

Then add few constants to replay/play_vid.c:

#define AVFMT_RAWPICTURE 0x0020
#define avcodec_encode_video

Then replace "-std=gnu89" with "-std=c++98" in the Makefiles, and you can compile it again on a modern GNU/Linux distribution!