ctxis / rdp-replay Goto Github PK

More info on How to get RDP-Replay to work in Production.

1. Is Ubuntu 14.04 x64 the main OS to make RDP-Replay?
2. When carving out pcaps from Bro, and other software, how do I know where to start and end to ensure it plays correctly with RDP-Replay?
3. How do I try a different stream in the pcap if stream 0 is not working? Or cut up my pcap to work right? Question 2 may solve this.
4. Is the only OS this RDP-Replay tool can work for is Windows XP versions to Win7? How about Windows Servers 2003, 2008, 2012, 2016?

I have two issue.

1. How can i play rdp clear traffic, without wireshark, tcp, etc header? I can add the necessary header to each packet, but how to make it it is correct?
   2)Let's allow, I have no duplex. I have separately a traffic from server side and the client. what client packets are necessary to me for reproduction?

Would you like to add more error handling for return values from functions like the following?

• malloc ⇒ gdi_init
• pthread_create ⇒ main

I have successfully extracted RDP certificate as long as RDP keys

When I run rdp replay, nothing shows up

%> ./rdp_replay --show_keys -r rdp.pcap -L L\$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75.bin -p x509.pem 
Processed private key from L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75.bin
RDP SSL MODE Requested by server!!
SSL private key found.

The server is a Windows 7 machine.

To record RDP traffic, I've tested both mstsc on a Windows 8 client and rdesktop on Ubuntu 16.04, both showing the same result

Can you help? Attached all keys & rdp traffic
https://raw.githubusercontent.com/CaledoniaProject/rdp-test/master/test.tar.bz2

I would like to point out that identifiers like "__pcap_delay_h__" and "__ssl_decrypt_h__" do not fit to the expected naming convention of the C++ language standard.
Would you like to adjust your selection for unique names?

After following the instructions provided in the below links to extract SSL private key from the server, I have still been unable to decrypt my captured RDP sessions which used TLS 1.1 (and others using TLS 1.2):
https://github.com/FreeRDP/FreeRDP/wiki/Mimikatz and https://github.com/ctxis/RDP-Replay ...

$ ./rdp_replay -r mypacketcapture.pcap -p myserver.key
RDP SSL MODE Requested by server!!
SSL private key found.
SSL-ERROR: RSA private key decrypt failed

In wireshark, some sessions I see are using TLS 1.1 and other TLS 1.2.... I'm confident that I have obtained the correct SSL private key from the server... Any assistance would be greatly appreciated!

Hi,

I'm trying to convert the attached pcap files using this command:
replay/rdp_replay -r test3/compat.pcap -L test3/key.bin --no_cksum
When I run rdp_replay I see the following message on the screen:
Processed private key from key.bin
But nothing happens. Am I doing something wrong?

Thanks,
Gabriel

I expect that exception handling is usually supported by a C++ program. I wonder why your function "main" does not contain corresponding try and catch instructions so far.

How do you think about recommendations by Matthew Wilson in an article?

Would you like to adjust the implementation if you consider effects for uncaught/unhandled exceptions like they are described by Danny Kalev?

Hi Steve,

Just wondering if you've seen this before and whether it is a quick fix. I've downloaded all the prerequisites before running make.

Thanks,
Stephanie

Well let me explain you the steps that I followed one by one;

In Windows 7 Enterprise Service Pack 1 32 bit, I ran cmd.exe as an Administrator and then ran mimikatz.exe with psexec -s parameter with folowing commands as shown below.
C:\Users\IEUser\Desktop\Win32>PsExec.exe -s C:\Users\IEUser\Desktop\win32\mimika
tz.exe

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Aug 26 2012 12:48:16) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # crypto::patchcapi
Patterns CRYPT_EXPORTABLE | CRYPT_ARCHIVABLE et CRYPT_ARCHIVABLE trouvés !
Patch CRYPT_EXPORTABLE | CRYPT_ARCHIVABLE : OK
Patch CRYPT_ARCHIVABLE : OK

mimikatz # crypto::patchcng
Service : CNG Key Isolation
Recherche des patterns dans : ncrypt.dll@pid(476)
Patch ncrypt.dll@pid(476) : OK

mimikatz # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE "Remote De
sktop"
Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\Remote Desktop

• IE10Win7
  Container Clé : TSSecKeySet1
  Provider : Microsoft Strong Cryptographic Provider
  Type : AT_KEYEXCHANGE
  Exportabilité : NON
  Taille clé : 2048
  Export privé dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_Remote Desk
  top_0_IE10Win7.pfx' : OK
  Export public dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_Remote Deskt
  op_0_IE10Win7.der' : OK

Then I installed Win32OpenSSL-1_0_2h on Windows 7 and then converted pfx to pem.

C:\OpenSSL-Win32\bin>openssl pkcs12 -in "CERT_SYSTEM_STORE_LOCAL_MACHINE_Remote
Desktop_0_IE10Win7.pfx" -nodes -out x509.pem
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Import Password:
MAC verified OK

Then I installed Wireshark-win32-2.0.4 to Windows 7, sniffed the traffic with filter "tcp.port == 3389" and then connected to that Windows 7 from Windows 8.1 via RDP (mstsc).

Then I copied sniffed traffic (Wireshark - save as - Wireshark/tcpdump - rdp.pcap) to Ubuntu 14.04 (which I successfully played your demo1.pcap) with the x509.pem of Windows 7 and then tried to play with rdp_replay.

root@ubuntu:/Desktop/RDP-Replay-master/replay# ./rdp_replay -r rdp.pcap -p x509.pem --no_cksum
root@ubuntu:/Desktop/RDP-Replay-master/replay#

It shows nothing. So any idea which step is wrong ? If you'd like to get pcap, pem file and pfx, I can send it to you.

Regards,

Good day!
After the installation, where all required packages were downloaded (with the help of command line string in "Building") I`ve tried to build your application via command "make", but faced the issue, presented below

Could you please help me to build the application or give it to me in order to use it

RDP-Replay is such a clever integration of open source products. It strikes me that it could be a useful jumping off point to investigate, profile and analyse the interactions between Windows MSTSC and "xrdp". Is it possible to map between the LSA Secrets style key entries and the rsakeys.ini format?

Hi ,

Trying to work with the rdp_replay tool , i have set up a demo environment with a server and 1 client. I have recorded my session using tcpdump and i am able to open the file and decrypt it using the key under wireshark dissector.

In wireshark i can see i am using TLS 1.2 ->
CipherSUITE - TLS_RSA_WITH_AES_128_CBC_SHA256.

I can also follow ssl stream in wireshark.

yet the rdp_replay gives me the following output:

RDP SSL MODE Requested by server!!
SSL private key found.
SSL: Decrypt failed

any help will be appriciated

Hello,

Do you think that it would be possible to compile it for Windows, under cygwin or VS ?
Anyway, thank you for that awesome tool.

Cheers!

Hello,

I am having difficulties playing pcap file with RDP Replay tool on Ubuntu 14.04.
I extracted certificate with mimikatz from Windows 7 and also extracted LSA keys with extractrdpkeys.x86.exe.
Neither -p x509.pem nor -L HYDRAENC key works. It says;

./rdp_replay -r ../../rdp6.pcap -L ../../L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75.bin Processed private key from L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75.bin
RDP SSL MODE Requested by server!!
SSL-ERROR: No matching private key found

./rdp_replay -r ../../rdp3.pcap -p ../../outfile.pem --no_cksum
RDP SSL MODE Requested by server!!
SSL private key found.
SSL-ERROR: RSA private key decrypt failed

I am not sure what is wrong with it and in order to verify my steps, could you share your demo1.pem and demo1.pcap please because Test folder does not exist in your folder.

Regards,