Closed CaledoniaProject closed 6 years ago
Sorry for the long delay, but this is not a priority for me. This worked for me:
rdp_replay -t 49172 -r rdp.pcap -p x509.pem
By default the tool will play the first stream it finds on port 3389. This is the stream with ephemeral port 49171. This is short, and has no real content. The second stream (on ephemeral port 49172) is much longer and shows you typing whoami in a command prompt.
Having said that, the colours are awful (my fault, not yours!) and I may take a look at this at some point.
Please close this issue if you are content with this answer. Once again, sorry for the slow response.
Steve.
Yeah, there are two streams; rdesktop failed to negotiate some options, then connected again.
Here's a script to list all possible RDP source ports and the number of packets delivered:
tshark -r rdp.pcap -Y 'tcp.dstport == 3389' -Tfields -e tcp.srcport | perl -E 'my %hash; while (<>) { chomp; ++ $hash{$_}; }; for (keys %hash) {say "$_: ", $hash{$_};}'
Hopefully it will help someone :-)
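As an added example (not code from this thread or from the rdp_replay project), the same per-port listing can be done without tshark, ranking client ports by TCP payload bytes as well as packet count so that a short failed negotiation is easy to tell apart from the real session. It assumes a classic pcap file with untagged Ethernet and IPv4; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

def rdp_streams(pcap, server_port=3389):
    """Map client port -> [segments, payload bytes] for client-to-server TCP traffic."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    stats, off = defaultdict(lambda: [0, 0]), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Untagged Ethernet II + IPv4 + TCP only; everything else is skipped.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + ip_total]   # slicing by IP length drops Ethernet padding
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        if dport == server_port:
            stats[sport][0] += 1
            stats[sport][1] += max(0, len(tcp) - (tcp[12] >> 4) * 4)
    return dict(stats)

def pick_stream(stats):
    """Client port that sent the most payload: the candidate for rdp_replay -t."""
    return max(stats, key=lambda port: stats[port][1])

def constructed_pcap(segments):
    """Build a small Ethernet pcap from (client_port, payload) pairs. Sample data only."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sport, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", sport, 3389, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    sample = constructed_pcap([(49171, b"x" * 19), (49171, b""), (49172, b"y" * 400), (49172, b"z" * 350)])
    for port, (segs, size) in sorted(rdp_streams(sample).items()):
        print(f"{port}: {segs} segments, {size} payload bytes")
    print("replay with -t", pick_stream(rdp_streams(sample)))
```

In the constructed sample both ports carry two segments, so packet count alone cannot separate them; the payload total does.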
I have successfully extracted the RDP certificate as well as the RDP keys.
When I run rdp replay, nothing shows up.
The server is a Windows 7 machine.
To record RDP traffic, I've tested both mstsc on a Windows 8 client and rdesktop on Ubuntu 16.04, both showing the same result.
Can you help? Attached all keys & rdp traffic: https://raw.githubusercontent.com/CaledoniaProject/rdp-test/master/test.tar.bz2