Wireshark-dev: [Wireshark-dev] Fixing decoding of RDP traffic

From: Hardening <rdp.effort@xxxxxxxxx>
Date: Fri, 4 Jun 2021 11:06:24 +0200
Hi,

I'm trying to fix the decoding of RDP traffic. My scenario is a typical TLS-encrypted RDP connection (well, with ciphers lowered so that no PFS is negotiated).

So here's the list of things bothering me:

* I'm setting the TLS key associated with port 3389 and the host, but with RDP there are 2 negotiation packets at the beginning of the connection before switching to TLS, so these 2 packets get aggressively decoded as TLS (and it fails, of course). That's very much a detail, but still bothering; what's the strategy to adjust this?

* I have configured the next protocol in the SSL records as TPKT, so that works for most of the first packets, but unfortunately RDP quickly goes to fastpath, which is not implemented yet. How can I implement that? I mean, do I have to code a new protocol that does TPKT or fastpath, depending on what it can find in the packet, and configure that new TPKTorFastPath protocol in the SSL keys configuration?

* I wrote a decoder in Lua that decodes the RDPUDP protocol on UDP port 3389, but my problem is that if I configure SSL decoding on that host and port, everything gets decoded as RDPUDP, even the traffic on the TCP port. Is there a way to express "TCP port 3389 decode as TPKT, and UDP port 3389 decode as RDPUDP"?

My question is very general: do I need to write a new RDP dissector that will have a global view and will call the appropriate dissectors on sub-parts of the packets?

Thoughts welcome :)

--
David FORT
website: https://www.hardening-consulting.com/
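The framing problem raised in the message above (two cleartext X.224 negotiation PDUs, then TLS records, and inside the decrypted payload TPKT-wrapped PDUs mixed with fastpath PDUs) comes down to a small amount of stateful parsing. The following is an added example, not code from the post, from Wireshark, or from any RDP implementation: a Python framer that tracks the X.224 Connection Confirm to know when TLS starts, and that tells TPKT from fastpath by the first byte and decodes the 1- or 2-byte fastpath length. All sample bytes are constructed for the demonstration (the TLS record body is a dummy, not a real ClientHello, and both directions of the handshake are concatenated into one stream for brevity).

```python
"""Frame an RDP TCP stream: X.224 negotiation, TLS records, then TPKT/fastpath.

Added example, not code from the mailing-list post or from Wireshark.
"""
import struct

TPKT_VERSION = 0x03                 # first byte of every TPKT header
X224_CR, X224_CC, X224_DT = 0xE0, 0xD0, 0xF0
RDP_NEG_RSP = 0x02                  # rdpNegRsp type byte in the X.224 CC user data
PROTOCOL_RDP = 0x00000000           # selectedProtocol: standard RDP security, no TLS
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def tpkt_length(buf, off):
    """Total PDU length from a TPKT header, or None if the header is cut short."""
    if off + 4 > len(buf):
        return None
    return struct.unpack_from(">H", buf, off + 2)[0]


def fastpath_length(buf, off):
    """Total PDU length from a fastpath header: 1 length byte, or 2 if bit 7 is set."""
    if off + 2 > len(buf):
        return None
    length1 = buf[off + 1]
    if length1 & 0x80:                          # 15-bit length over two bytes
        if off + 3 > len(buf):
            return None
        return ((length1 & 0x7F) << 8) | buf[off + 2]
    return length1


def classify_plaintext(buf, off=0):
    """Return (kind, total_length, info) for the PDU at `off`.

    kind is "tpkt" (info = X.224 TPDU code), "fastpath" (info = action bits,
    0 = fastpath; 3 would announce a TPKT header instead) or "incomplete".
    Used both for the cleartext negotiation and for the decrypted TLS payload.
    """
    if buf[off] == TPKT_VERSION:
        length = tpkt_length(buf, off)
        if length is None or off + length > len(buf):
            return ("incomplete", len(buf) - off, None)
        return ("tpkt", length, buf[off + 5])    # X.224: LI byte, then TPDU code
    length = fastpath_length(buf, off)
    if length is None or off + length > len(buf):
        return ("incomplete", len(buf) - off, None)
    return ("fastpath", length, buf[off] & 0x03)


def frame_plaintext(buf):
    """Split a cleartext or decrypted stream into PDUs; stops on a partial PDU."""
    pdus, off = [], 0
    while off < len(buf):
        pdu = classify_plaintext(buf, off)
        pdus.append(pdu)
        if pdu[0] == "incomplete":               # caller must reassemble more TCP data
            break
        off += pdu[1]
    return pdus


def negotiated_tls(cc_pdu):
    """True if an X.224 Connection Confirm selects a TLS-based security protocol."""
    # TPKT(4) + LI(1) + code(1) + dst-ref(2) + src-ref(2) + class(1): user data at 11
    if len(cc_pdu) < 19 or cc_pdu[11] != RDP_NEG_RSP:
        return False
    return struct.unpack_from("<I", cc_pdu, 15)[0] != PROTOCOL_RDP


def frame_raw_stream(buf):
    """Frame a captured stream before decryption: TPKT/X.224 until the CC selects TLS."""
    pdus, off, in_tls = [], 0, False
    while off < len(buf):
        if in_tls:
            if off + 5 > len(buf):
                pdus.append(("incomplete", len(buf) - off, None))
                break
            if buf[off] not in TLS_CONTENT_TYPES or buf[off + 1] != 0x03:
                raise ValueError("not a TLS record at offset %d" % off)
            length = 5 + struct.unpack_from(">H", buf, off + 3)[0]
            pdus.append(("tls", length, buf[off]))
        else:
            kind, length, code = classify_plaintext(buf, off)
            if kind != "tpkt":
                raise ValueError("expected TPKT/X.224 before TLS at offset %d" % off)
            pdus.append(("x224", length, code))
            if code == X224_CC:                  # server's answer decides the rest
                in_tls = negotiated_tls(buf[off:off + length])
        off += length
    return pdus


# Constructed sample bytes (not from a real capture).
CR = bytes.fromhex("03000013" "0ee0" "0000" "0000" "00" "01" "00" "0800" "01000000")  # rdpNegReq TLS
CC = bytes.fromhex("03000013" "0ed0" "0000" "1234" "00" "02" "00" "0800" "01000000")  # rdpNegRsp TLS
TLS_REC = bytes.fromhex("1603010005" "0102030405")             # handshake record, dummy body
RAW_STREAM = CR + CC + TLS_REC
TPKT_DT = bytes.fromhex("0300000b" "02f080" "aabbccdd")        # X.224 Data TPDU in TPKT
FP_SHORT = bytes.fromhex("00" "05" "112233")                  # fastpath, 1-byte length
FP_LONG = bytes.fromhex("00" "80" "c8") + bytes(197)           # fastpath, 2-byte length = 200
DECRYPTED = TPKT_DT + FP_SHORT + FP_LONG

if __name__ == "__main__":
    print(frame_raw_stream(RAW_STREAM))
    print(frame_plaintext(DECRYPTED))
```

The point of keeping `classify_plaintext` separate from `frame_raw_stream` is that the same TPKT-or-fastpath decision is needed in two places: on the two cleartext negotiation packets, and on every decrypted TLS record afterwards. A dissector that registers only TPKT as the TLS application protocol handles the first part and misses the second; a combined dissector has to look at the first byte of each record and then branch.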