Hi,
I'm trying to fix the decoding of RDP traffic. My scenario is a typical
RDP connection TLS encrypted (well with ciphers lowered so that no PFS
is negotiated).
So here's the list of my botherings:
* I'm setting the TLS key associated with port 3389 and the host, but
with RDP, there are 2 negotiation packets at the beginning of the
connection before switching to TLS, so these 2 packets get aggressively
decoded as TLS (and it fails of course). That's much a detail but well,
still bothering; what's the strategy to adjust this?
* I have configured the next protocol in the SSL records as TPKT, so
that works for most of the first packets, but unfortunately RDP quickly
goes to fastpath, which is not implemented yet. How can I implement that?
I mean, do I have to code a new protocol that does TPKT or fastpath,
depending on what it can find in the packet, and configure that new
TPKTorFastPath protocol in the SSL keys configuration?
* I wrote a decoder in Lua that decodes the RDPUDP protocol on port 3389
on UDP, but my problem is that if I configure SSL decoding on that host
and port, everything gets decoded as RDPUDP, even the traffic on the TCP
port. Is there a way to express "TCP port 3389 decode as TPKT, and UDP
port 3389 decode as RDPUDP"?
My question is very general: do I need to write a new RDP dissector that
will have a global view and call the appropriate dissectors on
sub-parts of the packets?
Thoughts welcome :)
--
David FORT
website: https://www.hardening-consulting.com/
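As an added example (not David's code, and not part of the original mail), one way to answer the second and third points in Wireshark Lua: a small "multiplexer" Proto bound to TCP/3389 that looks at the first byte of each PDU and hands TPKT-framed data to the built-in "tpkt" dissector while parsing the fastpath header itself (MS-RDPBCGR: a TPKT header starts with version byte 0x03, whereas a fastpath header carries action bits 0-1 equal to 0). Because "tcp.port" and "udp.port" are distinct dissector tables, a separate binding on udp.port 3389 keeps the RDPUDP decoder away from the TCP stream. Assumptions: the TLS next-protocol table is named "tls.port" (older releases call it "ssl.port"), and the existing RDPUDP decoder is a Proto called rdpudp_proto.

```lua
-- Added example, not from the original post: dispatch RDP-over-TLS
-- payloads to TPKT or a minimal fastpath parser based on the first byte.
local rdp_mux = Proto("rdpmux", "RDP TPKT/fastpath multiplexer")

local f_action = ProtoField.uint8("rdpmux.fp.action", "Fastpath action", base.HEX, nil, 0x03)
local f_flags  = ProtoField.uint8("rdpmux.fp.flags",  "Fastpath flags",  base.HEX, nil, 0xC0)
local f_length = ProtoField.uint16("rdpmux.fp.length", "Fastpath PDU length", base.DEC)
rdp_mux.fields = { f_action, f_flags, f_length }

local tpkt = Dissector.get("tpkt")   -- Wireshark's built-in TPKT dissector

-- Parse a TS_FP_*_PDU header: 1 header byte, then a 1- or 2-byte length.
-- If the high bit of the first length byte is set, the length is the
-- remaining 7 bits followed by one more byte (big-endian, 15-bit value).
-- Plain arithmetic is used instead of a bit library so this runs on any
-- Lua version bundled with Wireshark.
local function dissect_fastpath(tvb, pinfo, tree)
    if tvb:len() < 2 then return 0 end
    local sub = tree:add(rdp_mux, tvb(), "RDP fastpath PDU")
    sub:add(f_action, tvb(0, 1))
    sub:add(f_flags,  tvb(0, 1))

    local len1 = tvb(1, 1):uint()
    local pdu_len
    if len1 >= 0x80 then
        if tvb:len() < 3 then return 0 end
        pdu_len = (len1 - 0x80) * 256 + tvb(2, 1):uint()
        sub:add(f_length, tvb(1, 2), pdu_len)
    else
        pdu_len = len1
        sub:add(f_length, tvb(1, 1), pdu_len)
    end

    -- The length covers the whole PDU including the header; ask for
    -- reassembly if this decrypted segment does not hold all of it.
    if tvb:len() < pdu_len then
        pinfo.desegment_offset = 0
        pinfo.desegment_len = pdu_len - tvb:len()
        return 0
    end

    pinfo.cols.protocol = "RDP-FP"
    pinfo.cols.info = string.format("fastpath PDU, %d bytes", pdu_len)
    -- fpOutputUpdates / fpInputEvents follow here; when the ENCRYPTED flag
    -- (bit 7) is set they are RDP-level encrypted, so this example stops
    -- at the header rather than pretending to decode them.
    return pdu_len
end

function rdp_mux.dissector(tvb, pinfo, tree)
    if tvb:len() < 1 then return 0 end
    local first = tvb(0, 1):uint()
    -- TPKT: version byte 0x03 (low two bits 11). Fastpath: action bits 00.
    if first % 4 == 3 then
        return tpkt:call(tvb, pinfo, tree)
    end
    return dissect_fastpath(tvb, pinfo, tree)
end

-- TCP side: the plaintext X.224 negotiation before the switch to TLS,
-- and, through the TLS next-protocol table, the decrypted stream after it.
DissectorTable.get("tcp.port"):add(3389, rdp_mux)
DissectorTable.get("tls.port"):add(3389, rdp_mux)   -- assumption: table name

-- UDP side: a different table, so only UDP/3389 datagrams reach RDPUDP.
-- Assumption: rdpudp_proto is the Proto object of the existing Lua decoder.
-- DissectorTable.get("udp.port"):add(3389, rdpudp_proto)
```

With this in place the "protocol" field of the TLS key entry can point at rdpmux instead of tpkt, and the TLS layer hands every decrypted application-data record to the multiplexer, which decides per PDU whether TPKT framing is still in use. The first two plaintext negotiation packets also land in rdp_mux via the tcp.port binding, where the 0x03 check routes them to TPKT rather than to the TLS dissector.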