By Anthony Kasza, Corelight Security Researcher
Microsoft's Remote Desktop Protocol (RDP) is used to remotely administer systems within Windows environments. RDP is everywhere Windows is and is useful for conducting remote work. Like every other remote administration tool, RDP can be used for legitimate or malicious control of a computer, and it is used by administrators and attackers alike for command and control of a remote system. Because RDP can also be used to move laterally through a victim network, it is a great example of attackers living off the land. Restricted Admin Mode (seemingly now superseded by Remote Credential Guard) even enables pass-the-hash style authentication for RDP clients. Tools such as SharpRDP and Sticky-Keys-Slayer automate command execution and RDP interactivity. The latter is also a tool for gaining initial access to systems through RDP services, a strategy adopted by multiple attackers for manually spreading ransomware. To distribute Crysis, for example, attackers would brute force or use stolen credentials to take control of RDP servers exposed to the Internet and then manually implant the ransomware. A similar strategy has been seen from actors distributing GoGoogle and RobbinHood ransomware.
Financially motivated attackers aren't the only class of threat making use of RDP, however. RDP services are also an attack vector for advanced offensive groups like APT39 and APT40. In January 2020 the Trickbot malware family was found to have added a new module, rdpScanDll, giving the malware the capability to brute force RDP credentials. Wormable vulnerabilities like BlueKeep, DejaBlue, and BlueGate plague RDP services across the Internet. Shodan recently identified an increase in publicly exposed RDP services on the Internet, a measure which Shadowserver and Kaspersky also monitor. Given RDP's complexity and extensibility, I would not be surprised if more RDP remote code execution vulnerabilities exist.
Open source Zeek is capable of analyzing RDP connections and does a fantastic job handling the many options and configurations the RDP protocol supports. For performance reasons, Zeek disables the SSL analyzer after encryption begins. This blog serves as a closer examination of encrypted RDP communications, specifically those over TLS. It contains sections on RDP's background, its encryption and authentication methods, and the differences between its TCP and UDP transports. It concludes by looking at how encrypted RDP connections can be conceptualized as sequences of lengths and inter-arrival deltas (SOLID, a retrofitted acronym for that representation) and how patterns within those SOLID can potentially be used to create inferences. Inferences on encrypted RDP connections could provide forensic value without TLS decryption, without endpoint monitoring, and without having to know where RDP services are located on your network.
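As an added example (not code from the original post or from Zeek), the following builds the SOLID representation of a connection from per-packet records, the kind of data a packet capture or a Zeek script that sees packet lengths and timestamps provides. The records, the flow identifiers and the matching pattern at the end are constructed for illustration. One practitioner's caveat is built in: zero-payload TCP segments (pure ACKs) are dropped by default, since they describe the TCP stack rather than the RDP session and would otherwise pad the sequence.

```python
"""Build the SOLID representation (sequence of lengths and inter-arrival deltas)
of a connection from per-packet records.  Added example; the records below are
constructed, not captured, and the pattern at the end is hypothetical."""
from collections import defaultdict

# Constructed records: (conn_uid, timestamp, from_client, transport, payload_len).
SAMPLE = [
    ("C1", 0.000, True,  "tcp", 44),    # X.224 Connection Request
    ("C1", 0.020, False, "tcp", 19),    # X.224 Connection Confirm
    ("C1", 0.021, True,  "tcp", 0),     # pure TCP ACK: no payload, not part of SOLID
    ("C1", 0.030, True,  "tcp", 180),   # TLS ClientHello
    ("C1", 0.060, False, "tcp", 1400),
    ("C1", 0.061, False, "tcp", 900),
    ("C1", 0.090, True,  "tcp", 126),
    ("U1", 0.400, True,  "udp", 1232),  # RDPEUDP SYN on the bootstrapped UDP flow
    ("U1", 0.420, False, "udp", 1232),
    ("U1", 0.421, True,  "udp", 188),
]


def solid(records, skip_empty=True):
    """Return {uid: [(signed_len, delta), ...]} with client->server lengths positive,
    server->client negative, and delta the seconds since the previous kept packet."""
    flows = defaultdict(list)
    for uid, ts, from_client, _transport, plen in sorted(records, key=lambda r: r[1]):
        if skip_empty and plen == 0:
            continue  # pure ACKs say nothing about the application and vary by stack
        flows[uid].append((ts, plen if from_client else -plen))
    out = {}
    for uid, pkts in flows.items():
        seq, prev = [], None
        for ts, slen in pkts:
            seq.append((slen, 0.0 if prev is None else round(ts - prev, 6)))
            prev = ts
        out[uid] = seq
    return out


def summarize(seq):
    """Per-direction byte and message counts: cheap features for an inference."""
    up = [length for length, _ in seq if length > 0]
    down = [-length for length, _ in seq if length < 0]
    return {"msgs_up": len(up), "bytes_up": sum(up),
            "msgs_down": len(down), "bytes_down": sum(down),
            "duration": round(sum(delta for _, delta in seq), 6)}


def matches(seq, pattern):
    """pattern: list of (min_len, max_len) ranges, sign encoding direction, checked
    against the start of the SOLID.  True when every position fits its range."""
    if len(seq) < len(pattern):
        return False
    return all(lo <= length <= hi for (length, _), (lo, hi) in zip(seq, pattern))


# Hypothetical prefix pattern: a small client request, a small server reply, then a
# client message in a ClientHello-like size range.  Illustrates the mechanics only.
CONNECT_THEN_TLS = [(30, 80), (-40, -10), (100, 600)]
```

Matching on the first few signed lengths is deliberately crude; the deltas are kept alongside so that the same structure can carry timing-based rules later.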
The Remote Desktop Protocol, which is used by Windows Terminal Services, consists of many sub-protocols, extensions, redundancies, and options. This plethora of choice is best demonstrated by the Protocol Relationship Diagram (section 2.2.1) in Microsoft's specification for RDP. For this blog, RDP will refer to MS-RDPBCGR and all its options and extensions, while RDPEUDP will refer to both MS-RDPEUDP and MS-RDPEUDP2.
RDP is conceptually similar to SSH in that it provides a client an interactive console to a server. Both RDP and SSH services are often exposed over the Internet for administrative access. RDP and SSH differ, however, in that the RDP console is always graphical and human driven. RDP aims to emulate an entire desktop environment, which is a large feat. SSH, on the other hand, is much simpler, only emulating a text-based terminal. SSH also supports automation: it includes file transfers and other headless modes of use. In fact, SSH's headless tunneling capabilities are sometimes used to transport RDP through firewalls with reverse shells, which the latest version of the SSH Inferences package is able to infer. RDP is also conceptually similar to PowerShell Remoting in that both can be used to administer and control a server. PowerShell Remoting is, however, similar to SSH in that it is a command-line interface. RFB (VNC) and X11 also share similarities with RDP, being protocols which facilitate virtual desktop experiences.
RDP makes use of channels which are multiplexed over the TCP connection alongside other message types. Examples of RDP static virtual channels are rdpdr (device redirection), rdpsnd (sound), and cliprdr (clipboard). Other static virtual channels enable USB device access, shared drives, and more. Static virtual channels are joined during the Channel Connection stage of the Connection Sequence (see Figure 1 below). These channels are conceptually similar to SSH channels. This CTF challenge walk-through demonstrates how contents from the clipboard static virtual channel can be recovered from a trace of an RDP connection.
One static virtual channel, drdynvc, carries dynamic virtual channels and is used to extend the limited number of static virtual channels. Dynamic virtual channels provide things like USB device access, graphics output, and more (including unconventional purposes, like tunneling SOCKS). It seems the RDP protocol was originally designed with a limited number of static virtual channels, and dynamic virtual channels are a method of extending the protocol to support more features. A major difference between static and dynamic virtual channels is that dynamic virtual channel messages may be transported over RDPEUDP. When they are, fewer message types remain on the TCP connection, which simplifies analysis of the RDPBCGR SOLID.
RDP's complexity makes it hard to comprehend. RDP was built on top of ITU-T protocols (X.224 and the T.120 family) that predate its use over TCP/IP. Furthermore, it carries a lot of backwards compatibility, which makes interoperability between different Windows operating system versions achievable. Wikipedia lists over 10 versions of the RDP protocol. The technical specification has had 52 major revisions since 2007. Features of the protocol have been developed over multiple Windows operating system versions, and some features have been provided through Microsoft acquisitions. And, according to the National Software Reference Library, Microsoft has released 128 versions of mstsc.exe, the main Windows RDP client program. It has also released 107 versions of mstscax.dll, which provides functions used by mstsc.exe.
The good news is that Microsoft maintains open specifications for RDP, and firstname.lastname@example.org is both responsive and helpful! The FreeRDP project's open and auditable source code is also an invaluable resource.
RDP supports two types of encryption, enhanced and standard (sometimes called native). RDP supports two categories of authentication, Network Level Authentication (NLA) and non-NLA; the latter should not be used. These authentication and encryption schemes can be combined, with one constraint: NLA requires enhanced encryption, because the CredSSP exchange it relies on runs over TLS.
With standard encryption, much of the RDP Connection Sequence (which is conceptually a handshake) occurs in the clear. Encryption begins with the Secure Settings Exchange stage (note that at the time of writing, Zeek's RDP analyzer only supports parsing of messages through the Basic Settings Exchange stage, while Wireshark has very limited support for dissecting messages beyond the Connection Sequence). The rdfp Zeek package makes use of these clear-text messages to fingerprint RDP clients using standard encryption.
With enhanced encryption, TLS (TLS and SSL are used interchangeably in this blog and in the Zeek source code) is shimmed between the Connection Initiation and Basic Settings Exchange stages of the Connection Sequence. This means everything after the Connection Initiation stage is encrypted if TLS is employed. Luckily, Zeek can still provide inferences about connections even when their contents are encrypted.
With non-NLA authentication, client authentication takes place after the RDP Connection Sequence: an RDP connection is fully established and the client can interact with the server's login screen, so the server exposes its whole RDP stack to a client that has not yet proven who it is. With NLA, RDP uses the Credential Security Support Provider (CredSSP) Protocol, a Security Support Provider composed of TLS and SPNEGO (RFC 4178). CredSSP can also be used by WinRM (PowerShell remoting) for authentication. The CredSSP portion of an RDP connection occurs between the Connection Initiation and Basic Settings Exchange stages of the Connection Sequence. TSRequest is the structure CredSSP uses, while SPNEGO refers to its structures as tokens; these tokens are carried in the negoTokens field of the TSRequest.
Figure 1 (below) diagrams an example RDP Connection Sequence using both enhanced encryption and NLA authentication with support for the Early User Authorization Result PDU. This configuration would manifest as HYBRID_EX in the security_protocol field of Zeek's RDP log. If you find the RDPBCGR Connection Sequence daunting, just look at what happens when a Remote Desktop Gateway proxy is used in conjunction with RDPBCGR (Figure 8).
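The negotiation that decides between these cases happens in the clear, in the X.224 Connection Request and Connection Confirm of the Connection Initiation stage. The following is an added example (not code from the original post, from Zeek or from FreeRDP) that builds both sides of that exchange from the MS-RDPBCGR field layouts and parses them back to report the selected protocol, whether NLA is in use, and where the clear text stops. The user name, the protocol combinations and the failure code in the test are constructed; the short protocol names follow MS-RDPBCGR's PROTOCOL_* constants, which Zeek's rdp.log also uses (HYBRID_EX above). Routing tokens other than the mstshash cookie are not handled.

```python
"""Parse the X.224 Connection Request / Connection Confirm that begin an RDP
connection (MS-RDPBCGR 2.2.1.1 and 2.2.1.2) and report which security protocol
was negotiated.  Added example; PDUs are built from the spec layouts, not captured."""
import struct

# requestedProtocols / selectedProtocol bit values (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1).
PROTOCOL_NAMES = {
    0x00: "RDP",        # standard RDP security: clear until Secure Settings Exchange
    0x01: "SSL",        # enhanced security, TLS only, login screen after the handshake
    0x02: "HYBRID",     # TLS plus CredSSP (NLA)
    0x04: "RDSTLS",
    0x08: "HYBRID_EX",  # HYBRID plus the Early User Authorization Result PDU
}
NLA_PROTOCOLS = 0x02 | 0x08
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
X224_CONNECTION_REQUEST, X224_CONNECTION_CONFIRM = 0xE0, 0xD0


def build_x224(code: int, variable: bytes) -> bytes:
    """TPKT header + X.224 class 0 CR/CC header + variable part (cookie, rdpNeg*)."""
    # LI counts every byte after itself: the 6 fixed header bytes plus the variable part.
    x224 = struct.pack("!BBHHB", 6 + len(variable), code, 0, 0, 0) + variable
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def build_connection_request(user: str, requested_protocols: int) -> bytes:
    """Client -> server: mstshash cookie followed by RDP_NEG_REQ (little-endian fields)."""
    cookie = f"Cookie: mstshash={user}\r\n".encode()
    neg = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    return build_x224(X224_CONNECTION_REQUEST, cookie + neg)


def build_connection_confirm(selected_protocol: int, failure_code: int = 0) -> bytes:
    """Server -> client: RDP_NEG_RSP, or RDP_NEG_FAILURE when failure_code is set."""
    if failure_code:
        neg = struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, failure_code)
    else:
        neg = struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, selected_protocol)
    return build_x224(X224_CONNECTION_CONFIRM, neg)


def parse_connection_pdu(buf: bytes) -> dict:
    """Return the X.224 code, the cookie (if any) and the rdpNeg* structure (if any)."""
    version, _reserved, tpkt_len = struct.unpack("!BBH", buf[:4])
    if version != 3 or tpkt_len != len(buf):
        raise ValueError("bad TPKT header")
    tpdu = buf[4:]
    li, code = tpdu[0], tpdu[1] & 0xF0
    if code not in (X224_CONNECTION_REQUEST, X224_CONNECTION_CONFIRM) or len(tpdu) != 1 + li:
        raise ValueError("not an X.224 Connection Request/Confirm")
    variable = tpdu[7:]
    info = {"code": code, "cookie": None, "neg_type": None, "neg_value": None}
    if variable.startswith(b"Cookie:"):  # other routingToken forms are not handled here
        end = variable.index(b"\r\n") + 2
        info["cookie"], variable = variable[:end].decode("ascii"), variable[end:]
    if len(variable) >= 8 and variable[0] in (TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE):
        neg_type, _flags, length, value = struct.unpack("<BBHI", variable[:8])
        if length != 8:
            raise ValueError("rdpNeg structure must be 8 bytes long")
        info["neg_type"], info["neg_value"] = neg_type, value
    return info


def negotiated_security(request: bytes, confirm: bytes) -> dict:
    """Combine both sides of the Connection Initiation stage into one verdict."""
    req, rsp = parse_connection_pdu(request), parse_connection_pdu(confirm)
    requested = req["neg_value"] if req["neg_type"] == TYPE_RDP_NEG_REQ else 0
    if rsp["neg_type"] == TYPE_RDP_NEG_FAILURE:
        return {"requested": requested, "protocol": None, "failure_code": rsp["neg_value"]}
    # A server that omits RDP_NEG_RSP only speaks standard RDP security (selectedProtocol 0).
    selected = rsp["neg_value"] if rsp["neg_type"] == TYPE_RDP_NEG_RSP else 0
    return {
        "requested": requested,
        "protocol": PROTOCOL_NAMES.get(selected, f"unknown-{selected:#x}"),
        "nla": bool(selected & NLA_PROTOCOLS),
        # With any TLS-based protocol the next bytes on the wire are a TLS ClientHello.
        "clear_text_ends": "after Connection Initiation (TLS)" if selected else "at Secure Settings Exchange",
        # A server picking something the client never offered is worth flagging.
        "offered_by_client": selected == 0 or bool(selected & requested),
    }
```

A client request advertising SSL, HYBRID and HYBRID_EX (0x0B) answered with 0x08 yields HYBRID_EX, while a confirm carrying selectedProtocol 0 means the whole Connection Sequence up to Secure Settings Exchange stays readable.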
RDP can be transported over TCP alone or over TCP and UDP together. This is an example of Multiband Communication (MITRE ATT&CK technique T1026). RDP over UDP (RDPEUDP) has been supported and preferred since Windows Server 2012 (RDP 8.0). It seems only Windows clients currently support the RDPEUDP transport. Open source Zeek identifies RDPEUDP connections and sets the conn log's service field accordingly.
RDPEUDP has two versions; version 1 bootstraps version 2. RDPEUDP2 can be considered an extension of RDPEUDP and can only be used after the RDPEUDP connection's Connection Initialization phase. RDPEUDP supports lossless and lossy transmission, while RDPEUDP2 only supports lossless. Lossless mode uses TLS while lossy mode uses DTLS. RDPEUDP begins with its own handshake over UDP, similar to the TCP 3-way handshake. RDPEUDP can be thought of as TCP features (3-way handshake, connection state, acknowledgements, retransmissions, keep-alives) implemented on top of UDP without the TCP side effects (congestion control and backoffs) that make TCP play nicely with other network applications.
RDPBCGR, the main protocol most people think of when the term RDP is used, is transported over TCP, as shown in the cyan circle of Figure 1. All the stages of RDPBCGR's Connection Sequence can be seen within the reddish circle of Figure 1. RDPEUDP is an extension to the RDP protocol which is bootstrapped through the optional stage of RDPBCGR's Connection Sequence named the Multitransport Bootstrap stage. Between the Licensing and Capabilities Exchange stages, the server sends an Initiate Multitransport Request PDU to the client. This indicates to the client that the server accepts UDP connections. The client then sends an RDPEUDP SYN message to the server. The server responds with an RDPEUDP SYNACK. The client then sends a final RDPEUDP ACK together with the first payload, establishing the RDPEUDP connection. If successful, this UDP connection is used to transport dynamic virtual channel messages instead of the TCP connection. If the RDPEUDP handshake fails, RDPBCGR uses the existing TCP connection for all messages. If the RDPEUDP handshake succeeds, the TCP connection and UDP connection are used in tandem. Certain messages, like dynamic virtual channel messages, are then only transported over the UDP connection. This separation of message types can make analyzing the TCP connection simpler.
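The handshake just described is visible on the wire because the RDPEUDP headers themselves are not encrypted; only what rides on top of the established UDP connection is. The following added example (not code from the original post or from Zeek's rdpeudp analyzer) builds the three datagrams from the RDPUDP_FEC_HEADER and RDPUDP_SYNDATA_PAYLOAD layouts in MS-RDPEUDP and runs a small state machine over them that reports whether the UDP transport was established and, from the lossy flag on the SYN, whether to expect TLS or DTLS next. Sequence numbers, window sizes and MTUs are constructed values; the sentinel in the SYN's snSourceAck field and the MTU-sized padding of real SYNs are noted in comments rather than enforced.

```python
"""Track the RDPEUDP three-way handshake that the Multitransport Bootstrap stage
kicks off (MS-RDPEUDP RDPUDP_FEC_HEADER and RDPUDP_SYNDATA_PAYLOAD).  Added
example: the datagrams are constructed from those layouts, not captured."""
import struct

# uFlags bits of RDPUDP_FEC_HEADER.
RDPUDP_FLAG_SYN = 0x0001
RDPUDP_FLAG_FIN = 0x0002
RDPUDP_FLAG_ACK = 0x0004
RDPUDP_FLAG_DATA = 0x0008
RDPUDP_FLAG_SYNLOSSY = 0x0200  # client asks for the lossy (DTLS) variant

FEC_HEADER = struct.Struct("!IHH")  # snSourceAck, uReceiveWindowSize, uFlags (network order)
SYNDATA = struct.Struct("!IHH")     # snInitialSequenceNumber, uUpStreamMtu, uDownStreamMtu


def build_datagram(source_ack: int, window: int, flags: int, payload: bytes = b"") -> bytes:
    return FEC_HEADER.pack(source_ack, window, flags) + payload


def build_syn(isn: int, lossy: bool = False) -> bytes:
    """Client -> server.  Nothing has been received yet, so snSourceAck is the
    all-ones sentinel; a real SYN is additionally padded out to the MTU."""
    flags = RDPUDP_FLAG_SYN | (RDPUDP_FLAG_SYNLOSSY if lossy else 0)
    return build_datagram(0xFFFFFFFF, 64, flags, SYNDATA.pack(isn, 1232, 1232))


def build_synack(client_isn: int, server_isn: int) -> bytes:
    """Server -> client: acknowledges the client ISN and carries the server's own."""
    flags = RDPUDP_FLAG_SYN | RDPUDP_FLAG_ACK
    return build_datagram(client_isn, 64, flags, SYNDATA.pack(server_isn, 1232, 1232))


def build_ack(server_isn: int, payload: bytes = b"") -> bytes:
    """Client -> client's final ACK, usually already carrying the first payload."""
    flags = RDPUDP_FLAG_ACK | (RDPUDP_FLAG_DATA if payload else 0)
    return build_datagram(server_isn, 64, flags, payload)


def parse_datagram(data: bytes) -> dict:
    if len(data) < FEC_HEADER.size:
        raise ValueError("datagram shorter than RDPUDP_FEC_HEADER")
    source_ack, window, flags = FEC_HEADER.unpack_from(data)
    info = {"source_ack": source_ack, "window": window, "flags": flags, "isn": None}
    if flags & RDPUDP_FLAG_SYN:
        # SYN and SYN+ACK carry RDPUDP_SYNDATA_PAYLOAD right after the header;
        # trailing padding is ignored.
        if len(data) < FEC_HEADER.size + SYNDATA.size:
            raise ValueError("SYN without RDPUDP_SYNDATA_PAYLOAD")
        info["isn"], info["up_mtu"], info["down_mtu"] = SYNDATA.unpack_from(data, FEC_HEADER.size)
    return info


def track_handshake(datagrams) -> dict:
    """datagrams: iterable of (from_client: bool, bytes) in arrival order.

    Returns the final state plus, once established, which record layer to expect
    on the UDP connection: TLS for lossless, DTLS for lossy."""
    state, mode, isns = "INIT", None, {}
    for from_client, data in datagrams:
        flags = parse_datagram(data)["flags"]
        syn, ack = bool(flags & RDPUDP_FLAG_SYN), bool(flags & RDPUDP_FLAG_ACK)
        if state == "INIT" and from_client and syn and not ack:
            state = "SYN_SENT"
            mode = "lossy" if flags & RDPUDP_FLAG_SYNLOSSY else "lossless"
            isns["client"] = parse_datagram(data)["isn"]
        elif state == "SYN_SENT" and not from_client and syn and ack:
            state, isns["server"] = "SYN_RECEIVED", parse_datagram(data)["isn"]
        elif state == "SYN_RECEIVED" and from_client and ack and not syn:
            state = "ESTABLISHED"
            break
        else:
            state = "ERROR"  # unexpected flags or direction: RDP stays on TCP
            break
    layer = {"lossless": "TLS", "lossy": "DTLS"}.get(mode) if state == "ESTABLISHED" else None
    return {"state": state, "mode": mode, "isns": isns, "record_layer": layer}
```

A handshake that stops after the SYN, or a server that answers out of order, leaves the tracker short of ESTABLISHED, which is the case in which all RDP messages remain on the TCP connection.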
RDP is a very popular method for remotely controlling a system. It's used by legitimate administrators and malicious actors alike. The protocol is quite old and provides many features, attempting to emulate an entire desktop. RDP is often treated as an opaque service which just works when the correct ports are open on a firewall. Hopefully this blog stands as a resource for learning about RDP and for understanding RDP's different mechanisms for encryption, client authentication, and transport.
If you don't know whether RDP is being used on your network, you may consider evaluating open source Zeek. If you know you use RDP on your network, you should consider reading our previous blog on mitigating RDP vulnerabilities. To learn more about the solutions Corelight can provide around RDP, contact us.
*** This is a Security Bloggers Network syndicated blog from Bright Ideas Blog authored by Anthony Kasza. Read the original post at: https://corelight.blog/2020/05/13/analyzing-encrypted-rdp-connections/