ctxis / RDP-Replay

Replay RDP traffic from PCAP
Apache License 2.0

SSL private key found, but no screen display at all #9

Closed CaledoniaProject closed 6 years ago

CaledoniaProject commented 7 years ago

I have successfully extracted the RDP certificate as well as the RDP keys.

When I run rdp_replay, nothing shows up:

%> ./rdp_replay --show_keys -r rdp.pcap -L L\$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75.bin -p x509.pem 
Processed private key from L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75.bin
RDP SSL MODE Requested by server!!
SSL private key found.

The server is a Windows 7 machine.

To record RDP traffic, I've tested both mstsc on a Windows 8 client and rdesktop on Ubuntu 16.04, both showing the same result

Can you help? Attached all keys & rdp traffic https://raw.githubusercontent.com/CaledoniaProject/rdp-test/master/test.tar.bz2

SteveWare commented 7 years ago

Sorry for the long delay, but this is not a priority for me. This worked for me:

rdp_replay -t 49172 -r rdp.pcap -p x509.pem

By default the tool will play the first stream it finds on port 3389. This is the stream with ephemeral port 49171. This is short, and has no real content. The second stream (on ephemeral port 49172) is much longer and shows you typing whoami in a command prompt. Having said that, the colours are awful (my fault, not yours!) and I may take a look at this at some point. Please close this issue if you are content with this answer. Once again, sorry for the slow response.

Steve.

CaledoniaProject commented 7 years ago

Yeah, there are two streams; rdesktop failed to negotiate some options, then connected again.

CaledoniaProject commented 7 years ago

Here's a script to list all possible RDP source ports and the number of packets delivered by each:

tshark -r rdp.pcap -Y 'tcp.dstport == 3389' -Tfields -e tcp.srcport | perl -E 'my %hash; while (<>) { chomp; ++ $hash{$_}; }; for (keys %hash) {say "$_: ", $hash{$_};}'

Hopefully it will help someone :-)

[screenshot attached: screen 2017-04-26 at 11 03 43]
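Both of the comments above point at the same root cause: rdp_replay plays the first stream it sees on port 3389, and when the client reconnects after a failed negotiation that first stream is the empty one, so you have to find the client-side ephemeral port of the real session and pass it with -t. The following is an added example, not code from RDP-Replay and not a substitute for the tshark one-liner above (it just avoids needing tshark installed): a standard-library Python script that walks a classic pcap, groups TCP packets to port 3389 into client streams, and reports packet and payload-byte counts per stream so the real session stands out. The capture it reads is constructed in memory; the addresses, ports, flags and payload bytes are made up, and the stream on 49172 is deliberately the larger one to mirror the capture in this issue.

```python
import struct
from collections import defaultdict

RDP_PORT = 3389  # default server port that rdp_replay looks for
CLIENT, SERVER = (10, 0, 0, 2), (10, 0, 0, 1)  # assumed addresses for the constructed sample


def build_frame(src_ip, src_port, dst_ip, dst_port, payload=b"", flags=0x18):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample; checksums left zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip_total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                         bytes(src_ip), bytes(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Serialise frames as a classic little-endian pcap file (LINKTYPE_ETHERNET)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1493200000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield raw Ethernet frames from classic pcap bytes, honouring either byte order."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, sport, dst_ip, dport, flags, payload_len), or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    # Use the IP total length so Ethernet trailer padding is not counted as payload.
    payload_len = max(ip_total - ihl - doff, 0)
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    return src_ip, sport, dst_ip, dport, tcp[13], payload_len


def summarize_rdp_streams(pcap, server_port=RDP_PORT):
    """Group packets by (client_ip, client_port, server_ip); count both directions and payload bytes.

    Payload bytes, not packet count, is what separates an aborted negotiation from a real session.
    """
    streams = defaultdict(lambda: {"packets": 0, "to_server": 0, "from_server": 0, "payload_bytes": 0})
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src_ip, sport, dst_ip, dport, _flags, plen = parsed
        if dport == server_port:
            key, direction = (src_ip, sport, dst_ip), "to_server"
        elif sport == server_port:
            key, direction = (dst_ip, dport, src_ip), "from_server"
        else:
            continue
        streams[key]["packets"] += 1
        streams[key][direction] += 1
        streams[key]["payload_bytes"] += plen
    return dict(streams)


def pick_stream(streams):
    """Client port of the stream carrying the most payload: the one to hand to rdp_replay -t."""
    if not streams:
        return None
    (_, port, _), _ = max(streams.items(), key=lambda kv: kv[1]["payload_bytes"])
    return port


def sample_pcap():
    """Constructed capture: a short aborted attempt on 49171, then a longer session on 49172."""
    f = [build_frame(CLIENT, 49171, SERVER, RDP_PORT, flags=0x02),            # SYN
         build_frame(SERVER, RDP_PORT, CLIENT, 49171, flags=0x12),            # SYN/ACK
         build_frame(CLIENT, 49171, SERVER, RDP_PORT, b"\x03\x00\x00\x13" + b"\x00" * 15),  # one TPKT
         build_frame(SERVER, RDP_PORT, CLIENT, 49171, flags=0x14),            # RST/ACK
         build_frame(CLIENT, 49172, SERVER, RDP_PORT, flags=0x02),
         build_frame(SERVER, RDP_PORT, CLIENT, 49172, flags=0x12)]
    for i in range(10):  # a burst of made-up application data in both directions
        f.append(build_frame(CLIENT, 49172, SERVER, RDP_PORT, bytes([i]) * 40))
        f.append(build_frame(SERVER, RDP_PORT, CLIENT, 49172, bytes([i]) * 400))
    return build_pcap(f)


if __name__ == "__main__":
    streams = summarize_rdp_streams(sample_pcap())
    for (cip, cport, sip), s in sorted(streams.items(), key=lambda kv: kv[0][1]):
        print(f"{cip}:{cport} -> {sip}:{RDP_PORT} packets={s['packets']} "
              f"(to_server={s['to_server']}, from_server={s['from_server']}) payload_bytes={s['payload_bytes']}")
    print(f"suggested: rdp_replay -t {pick_stream(streams)} -r rdp.pcap -p x509.pem")
```

To use it on a real capture, replace the sample_pcap() call with the bytes of your file; it only understands classic pcap over Ethernet, so convert pcapng with editcap first, and note that unlike the tshark one-liner it counts both directions and payload bytes, which is the figure that actually tells the empty reconnect apart from the session you want to replay.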