ctxis / RDP-Replay

Replay RDP traffic from PCAP
Apache License 2.0
182 stars, 61 forks

Can't convert a pcap file with RDP encryption (not TLS) #14

Closed gabriel-sztejnworcel closed 4 years ago

gabriel-sztejnworcel commented 5 years ago

Hi,

I'm trying to convert the attached pcap files using this command:

replay/rdp_replay -r test3/compat.pcap -L test3/key.bin --no_cksum

When I run rdp_replay I see the following message on the screen:

Processed private key from key.bin

But nothing happens. Am I doing something wrong?

Thanks, Gabriel

SteveWare commented 5 years ago

The pcap seems to have more than one stream. By default it will process the first stream on port 3389. Try specifying the ephemeral port, in your case 52131:

replay/rdp_replay -r test3/compat.pcap -L test3/key.bin --no_cksum -t 52131

You don't supply the key, so I cannot look in detail.

Steve.

On Fri, 2 Nov 2018 at 09:41, Gabriel Sztejnworcel notifications@github.com wrote:

Hi,

I'm trying to convert the attached files using this command:

replay/rdp_replay -r test3/compat.pcap -L test3/key.bin --no_cksum

When I run rdp_replay I see the following message on the screen:

Processed private key from key.bin

But nothing happens. Am I doing something wrong?

Thanks, Gabriel

pcap_rdp.zip https://github.com/ctxis/RDP-Replay/files/2541893/pcap_rdp.zip


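To see which ephemeral port to hand to -t, the following added script (not part of RDP-Replay) walks a classic pcap and lists every TCP conversation that has port 3389 on one side, in the order the streams first appear; the capture it parses is constructed inline, with hypothetical addresses 10.0.0.5 and 10.0.0.9 and the ephemeral port 52131 from this thread.

```python
import struct

RDP_PORT = 3389

def _frames(pcap):
    """Yield raw link-layer frames from a classic little-endian pcap (bytes)."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]   # incl_len field
        off += 16
        yield pcap[off:off + caplen]
        off += caplen

def rdp_streams(pcap):
    """Map (client_ip, client_port, server_ip) -> packet count for every TCP
    conversation with port 3389 on one side, in first-seen order."""
    streams = {}
    for f in _frames(pcap):
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue                           # IPv4 over Ethernet, TCP only
        ihl = (f[14] & 0x0F) * 4
        src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
        sport, dport = struct.unpack_from("!HH", f, 14 + ihl)
        if dport == RDP_PORT:
            key = (src, sport, dst)            # client -> server packet
        elif sport == RDP_PORT:
            key = (dst, dport, src)            # server -> client packet
        else:
            continue
        streams[key] = streams.get(key, 0) + 1
    return streams

def _frame(src, dst, sport, dport):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data (no checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture with two interleaved RDP sessions, like the issue's pcap."""
    frames = [_frame("10.0.0.5", "10.0.0.9", 49213, RDP_PORT),
              _frame("10.0.0.9", "10.0.0.5", RDP_PORT, 49213),
              _frame("10.0.0.5", "10.0.0.9", 52131, RDP_PORT),
              _frame("10.0.0.9", "10.0.0.5", RDP_PORT, 52131),
              _frame("10.0.0.9", "10.0.0.5", RDP_PORT, 52131)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Calling rdp_streams(open("compat.pcap", "rb").read()) on a real capture prints one key per session; the second element of each key is the client port to pass as -t, and the first key is the stream rdp_replay picks by default.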

gabriel-sztejnworcel commented 5 years ago

Thanks!

After adding -t I can see the video playing, but there is a problem with the colors. Is there a way to fix it? I'm attaching a screenshot from the video and the key file.

Gabriel

[image: rdp_replay]

SteveWare commented 5 years ago

Hi Gabriel,

Unfortunately there is no easy way to fix this. I had problems with colour palettes during development. Now that this project is not active, I can't justify the time to work on it.

Why is this project inactive? All modern RDP sessions use SSL with Diffie-Hellman (DH) key exchange. While SSL is not a show-stopper (indeed it is supported), unless I can derive the crypt key I cannot decrypt the data. The DH key exchange makes this impossible. So for modern RDP sessions I just cannot decrypt the data. This is why development stopped.

Feel free to have a look at this problem and contribute. It might be a default setting from the early capabilities exchange that I'm not extracting (fixable), or maybe a cached setting from a previous session that the client and server both remember (not fixable).

Oh, by the way, you have given me (and the internet) both the pcap and the crypt key, so please make sure the password you used is not protecting anything important. I certainly know it now!

Steve.

On Sun, 4 Nov 2018 at 20:59, Gabriel Sztejnworcel notifications@github.com wrote:

Thanks!

After adding -t I can see the video playing, but there is a problem with the colors. Is there a way to fix it? I'm attaching a screenshot from the video and the key file.

Gabriel [image: rdp_replay] https://user-images.githubusercontent.com/4405244/47969776-376d9200-e085-11e8-8d31-abe5c6659def.png key.zip https://github.com/ctxis/RDP-Replay/files/2546304/key.zip



gabriel-sztejnworcel commented 5 years ago

Thanks for the heads up about the password. The recording is from a test VM and the password is not used in real places.