
4/3/2021 Wireshark Tutorial: Decrypting RDP Traffic

Wireshark Tutorial: Decrypting RDP Traffic



By Brad Duncan and Vijay Prakash
April 1, 2021 at 6:00 AM
Category: Unit 42
Tags: RDP, tutorial, Windows, Wireshark, Wireshark Tutorial


https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-rdp-traffic/ 1/28

This post is also available in: ⽇本語 (Japanese)

Executive Summary
In recent years, Remote Desktop Protocol (RDP) has been exploited by attackers to access unsecured
servers and enterprise networks. Since 2017, RDP has become a significant vector in malware attacks
using ransomware. Security professionals have increasingly focused their attention on this protocol by
writing signatures to detect RDP vulnerabilities and prevent attacks.

As a proprietary protocol from Microsoft, RDP supports several operating modes that encrypt network
traffic. Unfortunately, this encryption makes writing RDP signatures difficult because RDP content is
hidden.

Fortunately, we can establish a test environment that provides a key file, and we can use that key to
decrypt a packet capture (pcap) of the RDP traffic in Wireshark.

This blog demonstrates how to prepare the environment, obtain a decryption key and use it to decrypt
RDP traffic.

Requirements
The following are necessary to get the most value from this tutorial:

A virtual environment to run two Windows hosts like VirtualBox or VMware.
An understanding of how to set up and use RDP.
An RDP client. We use a host running Windows 10 Professional for this tutorial.
An RDP server. This can be another Windows host with RDP enabled, or it can be a non-Windows
host running FreeRDP.
A way to record the network traffic between these two hosts. This is most easily done within a
virtual environment.
Wireshark version 3.0 or better.
A basic knowledge of network traffic fundamentals.

Overall Process
The overall process follows seven general steps:

Step 1: Set up a virtual environment with two hosts, one acting as an RDP client and one acting as an
RDP server.

Step 2: Remove forward secrecy ciphers from the RDP client.

Step 3: Obtain the RDP server's private encryption key.

Step 4: Capture RDP traffic between the RDP server and Windows client.

Step 5: Open the pcap in Wireshark.

Step 6: Load the key in Wireshark.

Step 7: Examine RDP data.

Step 1: Set Up Virtual Environment


The two most common virtual environments for this type of analysis are VirtualBox or VMware
Workstation for Windows and Linux. VMware Fusion is used for macOS. VirtualBox is free, while
VMware is a commercial product.

This tutorial does not cover setting up virtual machines (VMs) in a virtual environment. The basic
structure of our lab used for this tutorial is shown below in Figure 1.

Figure 1. Lab setup used for this tutorial.


Our lab environment contained two Windows 10 hosts. One of the hosts acted as an RDP client, and
the other acted as an RDP server. We recorded network traffic from an RDP session between these
two hosts from the virtual LAN.

Step 2: Remove Forward Secrecy Ciphers From RDP Client


Some encryption ciphers provide forward secrecy, which is also known as perfect forward secrecy.
These types of ciphers create multiple session keys for an SSL/TLS connection. With forward secrecy,
we cannot decrypt SSL/TLS traffic using a single private encryption key from the RDP server.
Therefore, we had to remove configuration options that support forward secrecy on the RDP client.

For this tutorial, our RDP client was a host running Windows 10 Pro. This host has a built-in RDP
client.

Microsoft has published details on removing configuration options that support forward secrecy in the
articles, “Manage Transport Layer Security (TLS)” and “Prioritizing Schannel Cipher Suites.” Below is a
step-by-step process that we used.

Open the Group Policy Management Console gpedit.msc as an administrator as shown below in Figure
2.

Figure 2. Running the Group Policy Editor in Windows 10 Pro as an administrator.

From the console, use the following menu path:

Computer Configuration.
Administrative Templates.
Network.
SSL Configuration Settings.

Below, Figure 3 shows how to find SSL Configuration Settings.

Figure 3. Getting to the SSL Configuration Settings.

Under SSL Configuration Settings, double-click the entry for SSL Cipher Suite Order as shown below in
Figure 4.


Figure 4. Getting to the SSL Cipher Suite Order.

Under the SSL Cipher Suite Order, click the Enabled option as shown below in Figure 5.


Figure 5. Enabling the SSL Cipher Suite Order.

Next, double-click the list of ciphers and select the entire list as shown below in Figure 6.


Figure 6. Selecting the list of ciphers.

Once the list has been selected, copy it as shown below in Figure 7.


Figure 7. Copying the list of ciphers.

Copy this list of ciphers into a text editor such as Notepad. Remove any ciphers that use Elliptic
Curve Diffie-Hellman Ephemeral (ECDHE) key exchange or the Elliptic Curve Digital Signature Algorithm
(ECDSA). These should be any entries with ECDHE and/or ECDSA in the name. In the example
shown below in Figure 8, these ciphers were all located sequentially, so they were easy to delete from
the text.


Figure 8. Deleting entries for ECDHE and ECDSA.

Our updated list of ciphers from Figure 8 is listed below in Table 1.

TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256

Table 1. Updated list after removing forward secrecy ciphers.

Paste the updated cipher list back into the SSL Cipher Suites Field, making sure to overwrite the
original list. Click the Apply button, then click OK to close the window. You have now updated the list
and can close the Group Policy Editor.

After we accomplished this step, we had to obtain the RDP server’s private key.
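The editing shown in Figure 8 can also be scripted and checked rather than done by hand. The Python below is an added example, not code from this post: it removes the ECDHE and ECDSA suites as the tutorial does, additionally drops DHE suites because those provide forward secrecy too (a generalization beyond the post's list), and reports any TLS 1.3 suites left in the order. SAMPLE_BEFORE is a constructed input, not the exact Windows 10 default order.

```python
"""Filter forward-secrecy suites out of a Windows Schannel cipher suite order.

Added example for the Step 2 procedure (not code from the Unit 42 post).
Input and output use the comma-separated format shown in Table 1.
"""
from typing import List

# Markers the tutorial removes (ECDHE, ECDSA). DHE_ suites also provide forward
# secrecy, so this example removes them as well; that goes beyond the post's list.
FORWARD_SECRECY_MARKERS = ("ECDHE", "ECDSA", "DHE")

# TLS 1.3 suites carry no key-exchange name but always use ephemeral key exchange.
# The tutorial keeps them; they are reported separately so the analyst knows a
# session that negotiates one of them cannot be decrypted with the RSA key either.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


def parse_order(order: str) -> List[str]:
    """Split a Schannel cipher suite order string into suite names."""
    return [s.strip() for s in order.split(",") if s.strip()]


def is_forward_secrecy(suite: str) -> bool:
    """True if a TLS 1.2-style suite name uses (EC)DHE key exchange or ECDSA."""
    # Compare whole underscore-separated components so that "3DES" in
    # TLS_RSA_WITH_3DES_EDE_CBC_SHA is not mistaken for "DHE".
    return any(part in FORWARD_SECRECY_MARKERS for part in suite.split("_"))


def remove_forward_secrecy(order: str) -> str:
    """Return the order string with forward-secrecy suites removed, order preserved."""
    return ",".join(s for s in parse_order(order) if not is_forward_secrecy(s))


def tls13_suites(order: str) -> List[str]:
    """TLS 1.3 suites in the order; these are never decryptable with a static RSA key."""
    return [s for s in parse_order(order) if s.startswith(TLS13_PREFIXES)]


# Constructed sample resembling a Windows 10 order before editing. It is not the
# exact default list; the names are real Schannel suite names chosen for illustration.
SAMPLE_BEFORE = ",".join([
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_PSK_WITH_AES_256_GCM_SHA384",
])

if __name__ == "__main__":
    cleaned = remove_forward_secrecy(SAMPLE_BEFORE)
    removed = [s for s in parse_order(SAMPLE_BEFORE) if is_forward_secrecy(s)]
    print("Paste into SSL Cipher Suite Order:\n" + cleaned)
    print("Removed:", ", ".join(removed))
    if tls13_suites(cleaned):
        print("TLS 1.3 suites still present:", ", ".join(tls13_suites(cleaned)))
```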

Step 3: Obtain RDP Server's Private Key


FreeRDP is one option to use as an RDP server. You can get FreeRDP from this GitHub repository, as
well as build instructions. Make sure to set the WITH_SERVER=ON flag when creating the server. Once
the server is built, you must provide it with a private key, or use one that comes with FreeRDP.

For our RDP server in this tutorial, we used another host running Windows 10 Pro. Then we extracted
the private key from the host’s operating system.

To ensure our second Windows host acted as an RDP server, we enabled RDP. To enable RDP on a
host running Windows 10 Pro, go to Windows Settings from the Start Menu, then select the System
icon as shown below in Figure 9.

Figure 9. Getting to the Windows System settings.

Under the system settings, select Remote Desktop and click the switch for Enable Remote Desktop as
shown below in Figure 10.


Figure 10. Enabling RDP in Windows 10.

After setting up our second Windows host as an RDP server, we extracted the private key from its
operating system.

To extract the server key, we could use either Jailbreak or Mimikatz. We chose Jailbreak.

Jailbreak is a tool by iSECPartners that can export the server's RDP certificate. From the exported
certificate, we could extract the private key.

To use Jailbreak, we downloaded the following Jailbreak binaries from this GitHub repository on our
newly established RDP server:

EasyHook64.dll
jailbreak64.exe
jailbreakhook64.dll
jbstore2_64.exe

Note: The above files were downloaded on March 4, 2021, and used on a Windows 10 Pro 64-bit host. A
screenshot of the GitHub page is shown below in Figure 11.

Figure 11. GitHub page for Jailbreak binaries.

After we downloaded the Jailbreak binaries, we opened a Command prompt with administrator
privileges as shown below in Figure 12.


Figure 12. Opening a command prompt as an administrator.

In the command prompt, we went to the directory with the downloaded Jailbreak binaries. We ran the
following command from this directory:

jailbreak64.exe %WINDIR%\system32\mmc.exe %WINDIR%\system32\certlm.msc -64

If we were running a 32-bit version of Windows, we would use:

jailbreak32.exe %WINDIR%\system32\mmc.exe %WINDIR%\system32\certlm.msc -32

See Figure 13 below for an example of running the 64-bit command on our Windows host acting as
the RDP server.


Figure 13. Running Jailbreak from the command prompt.

This command opened the certificate manager for our local machine. From the left column, we
expanded Remote Desktop and went to the Certificates folder. This showed one certificate. If there had
been more than one certificate, we would have selected the one with the most recent expiration date.
We right-clicked on the certificate, selected All Tasks then used Export as shown below in Figure 14.

Figure 14. Exporting the RDP certificate.

When exporting the certificate, we made sure to select the option to export the private key as shown
below in Figure 15.

Figure 15. Ensuring the private key is exported with the certificate.

For our host, we could only export the certificate as a PKCS #12 (.PFX) file as shown below in Figure
16.


Figure 16. Could only export the certificate as a .pfx file.

As shown below in Figure 17, the certificate had to have a password. Fortunately, we had no
complexity requirements, so we used a single letter as the password.


Figure 17. The export process required a password for the certificate.

Finally, we exported our certificate with the private key as shown below in Figure 18.


Figure 18. Completing our certificate export.

As an alternative, we could have extracted the server’s certificate using Mimikatz instead of Jailbreak.
The instructions for using Mimikatz to get the RDP server certificate are listed on GitHub.

Since our certificate was obtained using Jailbreak, we moved it to a Linux host and used OpenSSL to
extract the key. First, we used the following OpenSSL command to extract the key in PEM format:

openssl pkcs12 -in server_certificate.pfx -nocerts -out server_key.pem -nodes

To remove the passphrase from the key, we also used the following command:

openssl rsa -in server_key.pem -out server.key

This provided us with the RDP server’s private key as shown below in Figure 19.

Figure 19. Private server key extracted from the certificate.

Before we could use the private server key, we needed to record an RDP session between our two
Windows hosts and save it as a pcap.

Step 4: Capture RDP Traffic


With our two Windows hosts in the same virtual environment, we could use a tool like dumpcap,
tcpdump or Wireshark itself to record network traffic in the VLAN using promiscuous mode. Once the
recording started, our Windows client used RDP to log in to the other Windows host acting as an RDP
server. The host name of the server was DESKTOP-USER1PC.


Figure 20. Using the Remote Desktop Connection tool to log into our RDP server.

While the pcap was being recorded, we logged into DESKTOP-USER1PC and performed some basic
tasks like opening documents and web browsing.


Figure 21. Performing some common desktop tasks through RDP.

After a minute or so, we logged off RDP and stopped recording network traffic from our VLAN.

Step 5: Open the pcap in Wireshark


We opened the pcap of our RDP session in Wireshark. When filtering on rdp in our Wireshark display
filter, we saw no results because the RDP traffic was encrypted. Figure 22 shows the blank column
display we saw when filtering for RDP in our pcap.


Figure 22. Filtering for RDP information, but no results, due to encrypted RDP traffic.

However, when we used our private server key to decrypt RDP traffic in Wireshark, the results looked
much different.

Step 6: Load the Key in Wireshark


In the pcaps we recorded, the RDP server DESKTOP-USER1PC was at IP address 10.3.4.138, and RDP
traffic took place over TCP port 3389. We needed this information to properly decrypt RDP traffic in
Wireshark.

In Wireshark, we used the Preferences window and expanded the Protocols section as shown below in
Figure 23.


Figure 23. Getting to the Protocols section of Wireshark’s preferences menu.

With Wireshark 3.x, use the TLS entry. If you are using Wireshark 2.x, use the SSL entry. For this
section, there should be a button to edit the RSA keys list. We clicked the button and added the IP
address of the RDP server, the RDP port (3389) and the location of the private key file. Our example is
shown below in Figure 24.


Figure 24. Go to the TLS section and add the private key to the RSA keys list.

After Wireshark was set up to decrypt RDP traffic, we had much better results when reviewing the
pcap.
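Before loading the key, an analyst can confirm from the captured Server Hello that the server actually chose an RSA key-exchange suite, which is what the Step 2 change is meant to force; if the server still picked an ECDHE or TLS 1.3 suite, the private key will not decrypt that session. The Python below is an added example, not code from this post or from Wireshark: parse_server_hello, static_rsa_decryptable, explain and build_server_hello are hypothetical helper names, and the ServerHello bytes are constructed inside the block rather than taken from the tutorial's pcap.

```python
"""Check the TLS ServerHello of a captured RDP session before loading the key.

Added example, not code from the Unit 42 post. If the server picked an
RSA-key-exchange suite, the private key from Step 3 decrypts the session; an
ECDHE or TLS 1.3 suite means the Step 2 change did not apply to this session.
"""
import struct
from typing import Tuple

# IANA cipher suite codes for suites named in this tutorial (kept and removed).
SUITE_NAMES = {
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}


def parse_server_hello(record: bytes) -> Tuple[int, int]:
    """Return (version, cipher_suite) from one TLS record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:            # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x02:                # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 35 + hs[34]                                   # skip version, random, session id
    if len(hs) < pos + 2:
        raise ValueError("truncated ServerHello")
    return version, struct.unpack("!H", hs[pos:pos + 2])[0]


def static_rsa_decryptable(suite: int) -> bool:
    """True only for RSA key-exchange suites; (EC)DHE, PSK and TLS 1.3 suites are not."""
    return SUITE_NAMES.get(suite, "").startswith("TLS_RSA_WITH_")


def explain(record: bytes) -> str:
    """One-line verdict an analyst can act on before Step 6."""
    _, suite = parse_server_hello(record)
    name = SUITE_NAMES.get(suite, "unknown suite 0x%04x" % suite)
    if static_rsa_decryptable(suite):
        return name + ": RSA key exchange, the server private key will decrypt this session"
    return name + ": forward secrecy, the server private key alone will not decrypt this session"


def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Constructed minimal ServerHello record (no extensions) used as sample input."""
    random_bytes = bytes(range(32))                     # constructed, not a real random
    hs = struct.pack("!H", version) + random_bytes + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for suite in (0x009D, 0xC030):
        print(explain(build_server_hello(suite)))
```

In Wireshark the same value is the Cipher Suite field of the Server Hello packet on TCP port 3389.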

Step 7: Examine RDP Data


After our key was loaded, our column display was no longer blank when filtering for RDP. We had
several results as shown below in Figure 25.


Figure 25. Viewing the same RDP activity after the private key was loaded in Wireshark.

For security professionals who write signatures to find RDP vulnerabilities and attacks, the type of
information revealed above in Figure 25 is critical to their work.

Conclusion
This blog reviewed how to establish an environment to decrypt traffic from an RDP session. This is
easiest to do in a virtual LAN with two hosts running Windows 10 Professional. After ensuring the
client did not use any forward secrecy ciphers, we extracted the private key from our Windows host
acting as the RDP server. Then we easily recorded a pcap of network traffic. After the session finished,
we were able to decrypt RDP traffic using the server’s private key.

This type of environment can help security professionals when writing signatures to detect RDP
vulnerabilities and attacks.

For more help with Wireshark, see our previous tutorials:

Wireshark Tutorial: Examining Emotet Infection Traffic
Changing Your Column Display
Display Filter Expressions
Identifying Hosts and Users
Exporting Objects from a Pcap
Examining Trickbot Infections
Examining Ursnif Infections
Examining Qakbot Infections
Decrypting HTTPS Traffic
Examining Dridex Infection Traffic

© 2021 Palo Alto Networks, Inc. All rights reserved.
