{"componentChunkName":"component---src-templates-post-template-js","path":"/wireshark-decrypt-rdppacket-en","result":{"data":{"markdownRemark":{"id":"fb630a4f-1992-59c3-8fb4-cd13966ffad1","html":"
\n

This page has been machine-translated from the original page.

\n
\n

This article explains how to capture and decrypt RDP packets with WireShark.

\n

If you just want to view RDP packet contents with WireShark, the easiest way is to use the pcap and pem files distributed on the official site below.

\n

Reference: Wiki · Wireshark Foundation

\n

This article will proceed while referencing the steps in Wiresharkによるパケット解析講座 11: RDPトラフィックの復号.

\n

There were some situations where following that article’s steps exactly didn’t work well, so I’ll cover those aspects as well.

\n\n

Table of Contents

\n\n

Environment

\n

I set up the following environment for this project:

\n\n

The RDP server host has remote desktop connection enabled.

\n

Both are connected via VirtualBox internal network.

\n

The applications used are as follows:

\n\n

Removing Forward Secrecy Ciphers from the RDP Client

\n

First, open the Group Policy Editor (gpedit.msc) on the client side and remove Forward Secrecy ciphers.

\n

Forward Secrecy is not an encryption method using the server’s private and public keys, but rather an encryption technique using data created from secret keys held by both the client and server.

\n

Using Forward Secrecy has the advantage that even if one party’s secret key is leaked, the data cannot be decrypted and security is maintained.

\n

By default, Windows RDP communication uses encryption with Forward Secrecy, so packets cannot be decrypted from WireShark using a single private key.

\n

Therefore, it’s necessary to first remove Forward Secrecy ciphers on the client side.

\n

As shown in the image below, open the SSL cipher order setting from the SSL configuration settings and set it to [Enabled].

\n

\n \n \n \n \n \n \n \n \n

\n

When enabled, a list of SSL ciphers will be stored in the [Options] field.

\n

When I enabled it in my environment (Windows 10 Pro 20H2), the following cipher suites were defined by default:

\n
TLS_AES_256_GCM_SHA384、TLS_AES_128_GCM_SHA256、TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256、TLS_DHE_RSA_WITH_AES_256_GCM_SHA384、TLS_DHE_RSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384、TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA、TLS_RSA_WITH_AES_256_GCM_SHA384、TLS_RSA_WITH_AES_128_GCM_SHA256、TLS_RSA_WITH_AES_256_CBC_SHA256、TLS_RSA_WITH_AES_128_CBC_SHA256、TLS_RSA_WITH_AES_256_CBC_SHA、TLS_RSA_WITH_AES_128_CBC_SHA、TLS_RSA_WITH_3DES_EDE_CBC_SHA、TLS_RSA_WITH_NULL_SHA256、TLS_RSA_WITH_NULL_SHA、TLS_PSK_WITH_AES_256_GCM_SHA384、TLS_PSK_WITH_AES_128_GCM_SHA256、TLS_PSK_WITH_AES_256_CBC_SHA384TLS_PSK_WITH_AES_128_CBC_SHA256、TLS_PSK_WITH_NULL_SHA384、TLS_PSK_WITH_NULL_SHA256
\n

In this step, manually delete some of the default cipher suites.

\n

What’s being removed here are cipher suites related to DHE (Diffie-Hellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange), which are currently practical Forward Secrecy encryption methods.

\n

After deletion, the settings will look like this:

\n

I’ll simplify it to just TLS_RSA_WITH_AES_128_CBC_SHA256.

\n
TLS_RSA_WITH_AES_128_CBC_SHA256
\n

Copy and paste this setting value into the [SSL Cipher Suites] form and press the OK button to complete the configuration.

\n

Just to be safe, execute the following command in the command prompt to apply the Group Policy settings:

\n
gpupdate /force
\n

This completes the disabling of Forward Secrecy.

\n

※ As mentioned later, this step alone is insufficient, and in my environment the cipher suite wasn’t changed until I restarted the OS.

\n

Exporting the RDP Server’s Private Key

\n

Next, export the certificate from the RDP server side.

\n

Tools like Mimikatz can also be used for export, but I used Jailbreak, which was used in the reference article.

\n

To retrieve using Mimikatz, refer to the following procedure:

\n

Reference: FreeRDP-wiki/Mimikatz.md at master · ypid/FreeRDP-wiki

\n

Download the ZIP file from the Jailbreak repository and execute jailbreak64.exe stored in the binaries folder from a command prompt running with administrator privileges.

\n
jailbreak64.exe %WINDIR%\\system32\\mmc.exe %WINDIR%\\system32\\certlm.msc -64
\n

When execution completes, the certificate store screen launches, and you can confirm that an RDP certificate has been created in [Remote Desktop]>[Certificates], so export it.

\n

\n \n \n \n \n \n \n \n \n

\n

I tried to decrypt the captured packets here, but for some reason it didn’t work.

\n

I tried changing keys and various other things, but ultimately it didn’t work.

\n

No wonder, when I checked the Server Hello packet during RDP communication, it appeared to be using ECDHE as the cipher suite. (Forward Secrecy wasn’t disabled…)

\n

\n \n \n \n \n \n \n \n \n

\n

Apparently gpupdate /force alone was insufficient, so I restarted the OS.

\n

After that, I captured packets again and successfully obtained RDP communication packets using the TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suite.

\n

\n \n \n \n \n \n \n \n \n

\n

Decrypting Packet Capture with the Private Key

\n

Finally made it here.

\n

Finally, decrypt the captured packets.

\n

Open the captured pcap file in WireShark and open [Preferences] from the [Edit] tab in the toolbar.

\n

Next, select [TLS] from the protocol list in the left tree and open the settings.

\n

Finally, enter the following settings from the edit in [RSA keys list]:

\n
IP address : \"RDP server's IP address\"\nPort : \"RDP connection destination port (3389)\"\nProtocol : \"tpkt\"\nKey File : \"RSA key file extracted from certificate\"
\n

\n \n \n \n \n \n \n \n \n

\n

When this setting is applied, RDP packets are decrypted and become filterable.

\n

\n \n \n \n \n \n \n \n \n

\n

Great work!!

\n

Summary

\n

Basically, I followed the steps in Wiresharkによるパケット解析講座 11: RDPトラフィックの復号, but some steps didn’t reproduce well exactly as written in the article, so I struggled a bit.

\n

As a result, I learned about WireShark and Windows cipher suites, so I think it was worthwhile to try it.

\n

If I feel like it, I’ll write an article about the details of the RDP protocol.

\n

However, I’m not really motivated to read this approximately 500-page reference, so it will really be when I feel like it.

\n

Reference: [MS-RDPBCGR]: Remote Desktop Protocol: Basic Connectivity and Graphics Remoting | Microsoft Docs

","fields":{"slug":"/wireshark-decrypt-rdppacket-en","tagSlugs":["/tag/wire-shark-en/","/tag/windows-en/","/tag/network-en/","/tag/english/"]},"frontmatter":{"date":"2021-10-19","description":"This article explains how to capture and decrypt RDP packets with WireShark.","tags":["WireShark (en)","Windows (en)","Network (en)","English"],"title":"Removing Forward Secrecy to Decrypt RDP Packets with WireShark","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/wireshark-decrypt-rdppacket-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}