This post describes how network eavesdroppers might record encrypted RDP sessions and at some later time (after a server compromise) be able to decrypt them. This could expose any data sent over the RDP connection, including keystrokes, usernames and passwords.

Put in more technical language: this post is about Perfect Forward Secrecy, how SSL connections often lack this desirable security property, and how RDP uses SSL and therefore could also be vulnerable to retrospective decryption.

Recording encrypted RDP connections with Wireshark

I simply started recording all traffic on my ethernet interface, then connected to an RDP server using mstsc and entered a password. I stopped the capture straight after entering the password.

How to tell if your RDP session is vulnerable

If you first “Analyze | Follow TCP Stream” for the TCP port 3389 traffic, then “Analyze | Decode As… | SSL”, Wireshark will show you the SSL Server Hello message. If it is, this post applies to your RDP session and will show you how to decrypt it.

Note that I’ve only tried this for plain SSL-based RDP connections – as opposed to CredSSP (SSL+NLA) connections – so YMMV.

Extracting private SSL keys for service certificates

Following a compromise of a server, an attacker with administrator-level privileges could simply extract the private keys used for server authentication from the certificate store. The geocerts site provides as good a walkthrough of how to do this as any other. On with the decryption…
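An added example, not code from the original post, for the check described under “How to tell if your RDP session is vulnerable”: it parses the SSL/TLS Server Hello record that Wireshark shows you and reports whether the negotiated cipher suite uses a DHE/ECDHE key exchange (forward secret) or static RSA key exchange (decryptable later with the server’s private key). The `CIPHER_SUITES` table and the `build_server_hello` sample input are constructed for this example.

```python
import struct

# Cipher suites commonly negotiated for RDP-over-TLS, with whether their key
# exchange gives forward secrecy. Static RSA key exchange does not, so a later
# leak of the server certificate's private key decrypts old captures.
CIPHER_SUITES = {
    0x000a: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", False),
    0x002f: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", False),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", True),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", True),
    0xc013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", True),
    0xc014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", True),
    0xc02f: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
}

def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello and return the negotiated
    suite plus whether it is forward secret (None if the suite is unknown)."""
    if len(record) < 5 or record[0] != 0x16:       # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:           # handshake type 2 = ServerHello
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # version(2) + random(32) + session_id_len(1) + session_id + cipher_suite(2)
    if len(hello) < 35 or len(hello) < 38 + hello[34]:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    off = 35 + hello[34]
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    name, pfs = CIPHER_SUITES.get(suite, ("unknown (0x%04x)" % suite, None))
    return {"version": version, "cipher_suite": suite, "name": name, "forward_secrecy": pfs}

def build_server_hello(suite):
    """Constructed sample input: a minimal TLS 1.2 ServerHello selecting `suite`."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for suite in (0x002f, 0xc014):
        info = parse_server_hello(build_server_hello(suite))
        verdict = "forward secret" if info["forward_secrecy"] else "decryptable with server key"
        print(info["name"], "->", verdict)
```

To check a real capture, export the Server Hello record bytes from Wireshark and pass them to `parse_server_hello` instead of the constructed sample.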