By Anthony Kasza, Corelight Security Researcher
Microsoft's Remote Desktop Protocol (RDP) is used to remotely administer systems within Windows environments. RDP is everywhere Windows is and is useful for conducting remote work. Just like every other remote administration tool, RDP can be used for legitimate or malicious control of a computer and is used by administrators and attackers alike for command and control of a remote system. As RDP can also be used to move laterally through a victim network, it's a great example of attackers living off the land. The Restricted Admin Mode (seemingly now replaced by Remote Credential Guard) introduced into Windows even enables pass-the-hash style authentication for RDP clients. Tools such as SharpRDP and Sticky-Keys-Slayer are able to automate command execution and RDP interactivity. The latter is also a tool for gaining initial access to systems through RDP services, a strategy adopted by multiple attackers for manually spreading ransomware. To distribute Crysis, for example, attackers would brute-force credentials, or use stolen ones, to control RDP servers exposed to the Internet and then manually implant ransomware. A similar strategy has been seen from actors distributing GoGoogle and RobbinHood ransomware.
Financially motivated attackers aren't the only classes of threat making use of RDP, however. RDP services are also a vector of attack for advanced offensive groups like APT39 and APT40. Discovered in January of 2020, a new Trickbot module, rdpScanDll, gives the malware the capability of credential brute-forcing. Wormable exploits like BlueKeep, DejaBlue, and BlueGate plague RDP servers across the Internet. Shodan recently identified an increase in publicly exposed RDP services on the Internet, a measure which Shadowserver and Kaspersky also monitor. Given RDP's complexity and extensibility, I would not be surprised if more RDP remote code execution vulnerabilities exist.
Open source Zeek is capable of analyzing RDP connections and does a fantastic job handling the many options and configurations the RDP protocol supports. For performance reasons, Zeek disables the SSL analyzer after encryption begins. This blog serves as a closer examination of encrypted RDP communications, specifically those over TLS. It contains sections on RDP's background, its encryption and authentication methods, and the differences between its TCP and UDP transports. It concludes by looking at how encrypted RDP connections can be conceptualized as sequences of lengths and inter-arrival deltas (SOLID, a retrofitted name for "sequences of lengths") and how patterns within those sequences can potentially be used to create inferences. Inferences on encrypted RDP connections could provide forensic value without TLS decryption, without endpoint monitoring, and without having to know where RDP services are located on your network.
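The SOLID view described above, as an added example that is not part of the original post or of Zeek: the Python below turns a list of (timestamp, direction, payload length) packet records into a sequence of signed lengths and inter-arrival deltas, then searches that sequence for a length pattern with a byte tolerance and a maximum inter-arrival gap. The trace, the endpoints and the pattern are constructed for illustration only; the pattern is not an RDP fingerprint.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    ts: float      # capture timestamp in seconds
    orig: bool     # True if sent by the originator (the RDP client)
    length: int    # application payload bytes carried by the segment


def solid(packets: List[Packet]) -> List[Tuple[int, float]]:
    """Build the SOLID view of a connection: one (signed_length, delta) per data packet.
    Length is positive for originator->responder, negative for responder->originator;
    delta is the time in seconds since the previous data packet (0.0 for the first)."""
    out = []
    prev_ts = None
    for p in sorted(packets, key=lambda p: p.ts):
        if p.length == 0:
            continue                      # pure ACKs carry no application data
        delta = 0.0 if prev_ts is None else round(p.ts - prev_ts, 6)
        out.append((p.length if p.orig else -p.length, delta))
        prev_ts = p.ts
    return out


def find_pattern(seq, pattern, tolerance: int = 0, max_gap: Optional[float] = None) -> Optional[int]:
    """Return the index of the first consecutive run in `seq` that matches `pattern`.
    Every element must have the same direction (sign) and a length within +/- tolerance;
    when max_gap is given, every inter-arrival delta inside the run must be <= max_gap."""
    n = len(pattern)
    for i in range(len(seq) - n + 1):
        ok = True
        for j, want in enumerate(pattern):
            got, delta = seq[i + j]
            if (got < 0) != (want < 0) or abs(abs(got) - abs(want)) > tolerance:
                ok = False
                break
            if j > 0 and max_gap is not None and delta > max_gap:
                ok = False
                break
        if ok:
            return i
    return None


# Constructed trace (not a real capture): a short client/server exchange.
SAMPLE_TRACE = [
    Packet(0.000, True, 19),
    Packet(0.012, False, 19),
    Packet(0.015, True, 0),        # ACK only, dropped by solid()
    Packet(0.020, True, 221),
    Packet(0.045, False, 1452),
    Packet(0.048, False, 1452),
    Packet(0.050, False, 300),
    Packet(0.090, True, 93),
]

# Constructed pattern for demonstration, not an RDP signature: two full-size
# server segments followed by a short tail, each arriving within 10 ms of the last.
SAMPLE_PATTERN = [-1452, -1452, -300]

if __name__ == "__main__":
    seq = solid(SAMPLE_TRACE)
    print(seq)
    print("pattern at index", find_pattern(seq, SAMPLE_PATTERN, tolerance=16, max_gap=0.010))
```

Encoding direction in the sign keeps a single sequence per connection, so a pattern can span both directions (a request followed by its responses) without separate bookkeeping; the gap bound is what distinguishes a burst produced by one application event from the same lengths scattered across the session.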
The Remote Desktop Protocol, which is used by Windows Terminal Services, consists of many sub-protocols, extensions, redundancies, and options. This plethora of choice is best demonstrated by the Protocol Relationship Diagram (section 2.2.1) in Microsoft's specification for RDP. For this blog, RDP will refer to MS-RDPBCGR and all its options and extensions, while RDPEUDP will refer to both MS-RDPEUDP and MS-RDPEUDP2.
RDP is conceptually similar to SSH in that it provides a client an interactive console to a server. Both RDP and SSH services are often exposed over the Internet for administrative access. RDP and SSH differ, however, in that the RDP console will always be graphical and human driven. RDP aims to emulate an entire desktop environment, which is a large feat. SSH, on the other hand, is much simpler, only emulating a text-based terminal. SSH also supports automation: it includes file transfers and other headless modes of use. In fact, SSH's headless tunneling capabilities are sometimes used to transport RDP through firewalls with reverse shells, which the latest version of the SSH Inferences package is able to infer. RDP is also conceptually similar to PowerShell Remoting in that both can be used to administer and control a server. PowerShell Remoting is, however, similar to SSH in that it is a command-line interface. RFB (VNC) and X11 also share similarities with RDP, being protocols which facilitate virtual desktop experiences.
RDP makes use of channels which are multiplexed over the TCP connection alongside other message types. Examples of RDP static virtual channels are rdpdr (redirection), rdpsnd (sound), and cliprdr (clipboard). Other static virtual channels enable USB device access, shared drives, and more. Static virtual channels are joined during the Channel Connection stage of the Connection Sequence (see Figure 1 below). These channels are conceptually similar to SSH channels. This CTF challenge walk-through demonstrates how contents from the clipboard static virtual channel can be recovered from a trace of an RDP connection.
One static virtual channel, the dynamic virtual channel, is used to extend the number of available channels beyond the static set. Dynamic virtual channels provide things like USB device access, graphics output, and more (including unconventional purposes, like tunneling SOCKS). It seems as though the RDP protocol was originally designed with a limited number of static virtual channels, and dynamic virtual channels are a method of extending the protocol to support more features. A major difference between static and dynamic virtual channels is that dynamic virtual channel messages may be transported over RDPEUDP. The reduced set of messages left on the TCP connection simplifies analysis of RDPBCGR SOLID.
RDP's complexity makes it complicated to comprehend. RDP was built on top of protocols whose creation preceded the more modern TCP/IP. Furthermore, it carries a great deal of backwards compatibility, which makes interoperability between different Windows operating system versions achievable. Wikipedia lists over 10 versions of the RDP protocol. The technical specification has had 52 major revisions since 2007. Features of the protocol have been developed over multiple Windows operating system versions, and some features have been provided through Microsoft acquisitions. And, according to the National Software Reference Library, Microsoft has released 128 versions of mstsc.exe, the main driver program for Windows RDP clients. It has also released 107 versions of mstscax.dll, which provides functions used by mstsc.exe.
The good news is that Microsoft maintains open specifications for RDP, and firstname.lastname@example.org is both responsive and helpful! The FreeRDP project's open and auditable source code is also an invaluable resource.
RDP supports two types of encryption, enhanced and standard (sometimes called native). RDP supports two categories of authentication, Network Level Authentication (NLA) and non-NLA, the latter of which should not be used. These authentication and encryption schemes can be combined in the following ways:
With standard encryption, much of the RDP Connection Sequence (which is conceptually a handshake) occurs in the clear. Encryption begins with the Secure Settings Exchange stage (note that at the time of writing, Zeek's RDP analyzer only supports parsing of messages through the Basic Settings Exchange stage, while Wireshark has very limited support for dissecting messages beyond the Connection Sequence). The rdfp Zeek package makes use of these clear-text messages to fingerprint RDP clients using standard encryption.
With enhanced encryption, TLS (TLS and SSL are used interchangeably in this blog and in the Zeek source code) is shimmed between the Connection Initiation and Basic Settings Exchange stages of the Connection Sequence. This means anything after the Connection Initiation stage is encrypted if TLS is employed. Luckily, Zeek can be used to provide inferences about connections even if their contents are encrypted.
With non-NLA authentication, client authentication takes place after the RDP Connection Sequence. An RDP connection is established and a client can interact with the server's login screen. With NLA authentication, RDP uses the Credential Security Support Provider (CredSSP) Protocol, a Security Support Provider composed of TLS and SPNEGO (an extension to RFC 4718). CredSSP can also be used by WinRM (PowerShell Remoting) for authentication. The CredSSP portion of an RDP connection occurs between the Connection Initiation and Basic Settings Exchange stages of the Connection Sequence. The TSRequest structure is the format CredSSP uses, while SPNEGO refers to its structures as Tokens. These tokens are present in the negoTokens field of the TSRequest.
Figure 1 (below) diagrams an example RDP Connection Sequence which used both enhanced encryption and NLA authentication with support for the Early Authentication Result PDU. This configuration would manifest as HYBRID_EX in the security_protocol field of Zeek's RDP log. If you find the RDPBCGR Connection Sequence daunting, just look at what happens when a Remote Desktop Gateway proxy is used in conjunction with RDPBCGR (Figure 8).
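The Connection Initiation stage is the one exchange that stays in the clear under every combination above, and it is where the security protocol that Zeek later reports (RDP, SSL, HYBRID, HYBRID_EX) is negotiated. As an added example that is not part of the original post and not Zeek's own parser, the Python below parses the client's X.224 Connection Request (optional cookie or routing token plus rdpNegReq) and the server's Connection Confirm (rdpNegRsp or rdpNegFailure) and maps the selected protocol to the label Zeek uses and to what a passive observer can still see afterwards. The protocol flag values and the TPKT/X.224 framing follow MS-RDPBCGR; the sample packets are constructed, not captured, and the label "RDSTLS" is my own addition for the one value Zeek's table does not name.

```python
import struct

# RDP Negotiation protocol flags (MS-RDPBCGR 2.2.1.1.1 / 2.2.1.2.1) with the labels that
# Zeek's rdp.log security_protocol field uses for the values it knows (RDSTLS label is mine).
PROTOCOL_RDP = 0x00000000        # standard RDP security only
PROTOCOL_SSL = 0x00000001        # TLS, non-NLA
PROTOCOL_HYBRID = 0x00000002     # TLS + CredSSP (NLA)
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008  # HYBRID plus the Early User Authorization Result PDU
PROTOCOL_NAMES = {PROTOCOL_RDP: "RDP", PROTOCOL_SSL: "SSL", PROTOCOL_HYBRID: "HYBRID",
                  PROTOCOL_RDSTLS: "RDSTLS", PROTOCOL_HYBRID_EX: "HYBRID_EX"}

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
X224_CR, X224_CC = 0xE0, 0xD0     # X.224 Connection Request / Connection Confirm codes
NEG = struct.Struct("<BBHI")      # type, flags, length (always 8), protocol value; little-endian


def _parse_x224(data: bytes):
    """Validate TPKT + X.224 framing; return (tpdu_type, variable_part)."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 TPDU")
    tpkt_len = struct.unpack(">H", data[2:4])[0]   # TPKT length is big-endian
    li = data[4]                                    # X.224 length indicator
    if tpkt_len != len(data) or 5 + li != tpkt_len:
        raise ValueError("TPKT/X.224 length mismatch")
    # bytes 5..10: TPDU code, dst-ref(2), src-ref(2), class option; the rest is variable
    return data[5] & 0xF0, data[11:tpkt_len]


def parse_connection_request(data: bytes) -> dict:
    """Client X.224 Connection Request: optional cookie/routing token, then rdpNegReq."""
    tpdu_type, variable = _parse_x224(data)
    if tpdu_type != X224_CR:
        raise ValueError("not a Connection Request")
    cookie = None
    if variable and variable[0] != TYPE_RDP_NEG_REQ:
        end = variable.find(b"\r\n")                # routingToken and cookie both end in CR LF
        if end < 0:
            raise ValueError("unterminated cookie/routing token")
        cookie, variable = variable[:end], variable[end + 2:]
    requested = PROTOCOL_RDP                        # no rdpNegReq: legacy client, standard security
    if variable:
        typ, _flags, length, requested = NEG.unpack_from(variable, 0)
        if typ != TYPE_RDP_NEG_REQ or length != NEG.size:
            raise ValueError("malformed rdpNegReq")
    return {"cookie": cookie, "requested_protocols": requested}


def parse_connection_confirm(data: bytes) -> dict:
    """Server X.224 Connection Confirm: rdpNegRsp, rdpNegFailure, or nothing (legacy)."""
    tpdu_type, variable = _parse_x224(data)
    if tpdu_type != X224_CC:
        raise ValueError("not a Connection Confirm")
    if not variable:
        return {"selected_protocol": PROTOCOL_RDP, "failure_code": None}
    typ, _flags, length, value = NEG.unpack_from(variable, 0)
    if length != NEG.size:
        raise ValueError("malformed negotiation response")
    if typ == TYPE_RDP_NEG_RSP:
        return {"selected_protocol": value, "failure_code": None}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"selected_protocol": None, "failure_code": value}
    raise ValueError("unknown negotiation structure type %d" % typ)


def describe(selected: int):
    """Label the negotiated protocol and state what remains visible without decryption."""
    name = PROTOCOL_NAMES.get(selected, "unknown-%d" % selected)
    if selected == PROTOCOL_RDP:
        note = "standard security: clear through the Basic Settings Exchange, encrypted from the Secure Settings Exchange on"
    elif selected in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX):
        note = "TLS + CredSSP (NLA): only Connection Initiation is clear; CredSSP runs inside TLS before the Basic Settings Exchange"
    else:
        note = "TLS: only Connection Initiation is clear; with SSL the client logs in at the server login screen afterwards"
    return name, note


def _tpkt_x224(tpdu_type: int, variable: bytes) -> bytes:
    """Frame a variable part as TPKT + X.224 (used only to build the constructed samples)."""
    fixed = bytes([tpdu_type, 0, 0, 0, 0, 0])      # TPDU code, dst-ref, src-ref, class 0
    li = len(fixed) + len(variable)
    return struct.pack(">BBH", 3, 0, 5 + li) + bytes([li]) + fixed + variable


# Constructed samples (not captured): a client offering SSL|HYBRID|HYBRID_EX with a cookie,
# a server selecting HYBRID_EX, and a server rejecting with HYBRID_REQUIRED_BY_SERVER (0x05).
SAMPLE_CR = _tpkt_x224(X224_CR, b"Cookie: mstshash=admin\r\n" +
                       NEG.pack(TYPE_RDP_NEG_REQ, 0, 8, PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))
SAMPLE_CC = _tpkt_x224(X224_CC, NEG.pack(TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_HYBRID_EX))
SAMPLE_CC_FAIL = _tpkt_x224(X224_CC, NEG.pack(TYPE_RDP_NEG_FAILURE, 0, 8, 0x05))

if __name__ == "__main__":
    print(parse_connection_request(SAMPLE_CR))
    chosen = parse_connection_confirm(SAMPLE_CC)["selected_protocol"]
    print(chosen, describe(chosen))
    print(parse_connection_confirm(SAMPLE_CC_FAIL))
```

Two details matter for detection. The cookie's mstshash value is a username hint sent before any encryption, so it is recoverable from the first packet regardless of the protocol later selected; and a Connection Confirm carrying rdpNegFailure means no session was established at all, which is worth distinguishing from a completed handshake when counting RDP activity per host.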
RDP can be transported over TCP alone or over TCP and UDP together. This is an example of Multiband Communication (MITRE ATT&CK technique T1026). RDP over UDP (RDPEUDP) has been supported and preferred since Windows Server 2012. It seems only Windows clients currently support the RDPEUDP transport mechanism. Open source Zeek supports identifying RDPEUDP connections and will set the conn log's service field appropriately.
RDPEUDP has two versions; version 1 bootstraps version 2. RDPEUDP2 can be considered an extension to RDPEUDP and can only be used after the RDPEUDP connection's Connection Initialization phase. RDPEUDP supports lossless and lossy transmissions, while RDPEUDP2 only supports lossless. Lossless mode uses TLS while lossy mode utilizes DTLS. RDPEUDP begins with its own handshake, similar to the TCP 3-way handshake, over UDP. RDPEUDP can be thought of as TCP features (e.g. 3-way handshake, state, acknowledgements, retransmissions, keep-alives) implemented on top of UDP without all those pesky TCP side effects (like congestion control and backoffs) that make TCP play nicely with other network applications.
RDPBCGR, the main protocol most think of when the term RDP is used, is transported over TCP, as shown in the cyan circle of Figure 1. All the stages of RDPBCGR's Connection Sequence can be seen within the reddish circle of Figure 1. RDPEUDP is an extension to the RDP protocol which is bootstrapped through an optional stage of RDPBCGR's Connection Sequence named the Multitransport Bootstrap stage. Between the Licensing and Capabilities Exchange stages, the server sends an Initiate Multitransport Request PDU to the client. This indicates to the client that the server is accepting UDP connections. The client then sends an RDPEUDP SYN message to the server. The server responds with an RDPEUDP SYNACK. The client then sends a final RDPEUDP ACK and the first payload, thus establishing an RDPEUDP connection. If successful, this UDP connection will be used to transport dynamic virtual channel messages instead of the TCP connection. If the RDPEUDP handshake fails, RDPBCGR will use the existing TCP connection for all messages. If the RDPEUDP handshake succeeds, the TCP connection and UDP connection will be used in tandem. Certain messages, like dynamic virtual channel messages, will only be transported over the UDP connection. This separation of message types can make analyzing the TCP connection simpler.
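The RDPEUDP handshake and the lossless/lossy choice described in the two paragraphs above, as an added example that is not part of the original post and not Zeek's RDPEUDP analyzer: the Python below follows the SYN, SYN+ACK, ACK exchange per UDP flow, records whether both sides asked for a lossy connection (SYNLOSSY set in SYN and SYN+ACK, which selects DTLS instead of TLS), and marks flows whose handshake never completed so that an analyst knows RDPBCGR fell back to its TCP connection. It assumes the MS-RDPEUDP layout of the big-endian RDPUDP_FEC_HEADER (snSourceAck, uReceiveWindowSize, uFlags) with the RDPUDP_SYNDATA_PAYLOAD read directly after it in SYN datagrams, and the 1232-byte padding of SYN datagrams; the endpoints and datagrams are constructed, not captured.

```python
import struct

# RDPUDP_FEC_HEADER flags (MS-RDPEUDP 2.2.2.1); RDPEUDP fields are big-endian.
FLAG_SYN, FLAG_FIN, FLAG_ACK, FLAG_DATA = 0x0001, 0x0002, 0x0004, 0x0008
FLAG_SYNLOSSY = 0x0200              # sender asks for a lossy (DTLS) rather than lossless (TLS) connection
FEC_HEADER = struct.Struct(">IHH")  # snSourceAck, uReceiveWindowSize, uFlags
SYNDATA = struct.Struct(">IHH")     # snInitialSequenceNumber, uUpStreamMtu, uDownStreamMtu
SYN_DATAGRAM_SIZE = 1232            # SYN and SYN+ACK are padded to this size
NO_ACK = 0xFFFFFFFF                 # snSourceAck in a SYN, which acknowledges nothing


def parse_fec_header(dgram: bytes) -> dict:
    if len(dgram) < FEC_HEADER.size:
        raise ValueError("datagram shorter than RDPUDP_FEC_HEADER")
    sn_ack, window, flags = FEC_HEADER.unpack_from(dgram, 0)
    return {"source_ack": sn_ack, "window": window, "flags": flags}


def _syndata(dgram: bytes):
    if len(dgram) < FEC_HEADER.size + SYNDATA.size:
        raise ValueError("SYN datagram lacks RDPUDP_SYNDATA_PAYLOAD")
    return SYNDATA.unpack_from(dgram, FEC_HEADER.size)


class RdpeudpTracker:
    """Follow the RDPEUDP three-way handshake per UDP flow; report whether the
    multitransport bootstrap succeeded (and in which mode) or silently failed."""

    def __init__(self, handshake_timeout: float = 5.0):
        self.flows = {}             # (client_endpoint, server_endpoint) -> flow state
        self.timeout = handshake_timeout

    def observe(self, ts: float, src, dst, dgram: bytes) -> str:
        flags = parse_fec_header(dgram)["flags"]
        if (src, dst) in self.flows:
            flow, from_client = self.flows[(src, dst)], True
        elif (dst, src) in self.flows:
            flow, from_client = self.flows[(dst, src)], False
        elif flags & FLAG_SYN and not flags & FLAG_ACK:
            flow = {"state": "new", "start": ts, "client_lossy": False, "server_lossy": False, "mode": None}
            self.flows[(src, dst)] = flow
            from_client = True
        else:
            return "ignored"        # datagram for a flow whose SYN was never seen
        return self._advance(flow, from_client, flags, dgram, ts)

    def _advance(self, flow, from_client, flags, dgram, ts) -> str:
        state = flow["state"]
        syn, ack = bool(flags & FLAG_SYN), bool(flags & FLAG_ACK)
        if state == "new" and from_client and syn and not ack:
            isn, up_mtu, down_mtu = _syndata(dgram)
            flow.update(state="syn_sent", client_isn=isn, client_mtu=(up_mtu, down_mtu),
                        client_lossy=bool(flags & FLAG_SYNLOSSY), syn_padded=len(dgram) == SYN_DATAGRAM_SIZE)
        elif state == "syn_sent" and not from_client and syn and ack:
            isn, _, _ = _syndata(dgram)
            flow.update(state="syn_received", server_isn=isn, server_lossy=bool(flags & FLAG_SYNLOSSY))
        elif state == "syn_received" and from_client and ack and not syn:
            lossy = flow["client_lossy"] and flow["server_lossy"]   # both sides must agree on lossy
            flow.update(state="established", mode="lossy/DTLS" if lossy else "lossless/TLS",
                        first_payload=bool(flags & FLAG_DATA), established_at=ts)
        elif state == "established":
            return "data"
        else:
            flow["state"] = "unexpected"
        return flow["state"]

    def expire(self, now: float) -> list:
        """Mark flows whose handshake never completed: RDPBCGR then stays on its TCP connection."""
        failed = []
        for key, flow in self.flows.items():
            if flow["state"] in ("new", "syn_sent", "syn_received") and now - flow["start"] > self.timeout:
                flow["state"] = "failed"
                failed.append(key)
        return failed


def _datagram(sn_ack: int, flags: int, isn=None, pad_to: int = 0) -> bytes:
    """Build a constructed RDPEUDP datagram for the sample below (not captured traffic)."""
    body = FEC_HEADER.pack(sn_ack, 64, flags)
    if isn is not None:
        body += SYNDATA.pack(isn, 1232, 1232)
    return body.ljust(pad_to, b"\x00")


CLIENT, SERVER = ("10.0.0.5", 50123), ("10.0.0.9", 3389)   # constructed endpoints


def run_sample():
    """Constructed lossless handshake (SYN, SYN+ACK, ACK+DATA) plus a lossy SYN that is never answered."""
    t = RdpeudpTracker(handshake_timeout=5.0)
    r = [t.observe(0.000, CLIENT, SERVER, _datagram(NO_ACK, FLAG_SYN, isn=1000, pad_to=SYN_DATAGRAM_SIZE)),
         t.observe(0.004, SERVER, CLIENT, _datagram(1000, FLAG_SYN | FLAG_ACK, isn=5000, pad_to=SYN_DATAGRAM_SIZE)),
         t.observe(0.008, CLIENT, SERVER, _datagram(5000, FLAG_ACK | FLAG_DATA) + b"\x00" * 16)]  # constructed payload
    other = ("10.0.0.6", 50999)
    r.append(t.observe(1.000, other, SERVER, _datagram(NO_ACK, FLAG_SYN | FLAG_SYNLOSSY, isn=42, pad_to=SYN_DATAGRAM_SIZE)))
    failed = t.expire(now=10.0)
    return r, t.flows[(CLIENT, SERVER)]["mode"], failed


if __name__ == "__main__":
    print(run_sample())
```

The mode decision is the point of interest for monitoring: a lossless flow carries TLS, so the usual TLS handshake fields are available on the UDP side, while a lossy flow carries DTLS and needs the DTLS analyzer instead. A flow stuck in syn_sent after the timeout is also informative, since it means a server advertised multitransport but the UDP path was blocked, and every dynamic virtual channel message stayed on TCP.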
RDP is a very popular method for remotely controlling a system. It's used by legitimate administrators and malicious actors alike. The protocol is quite old and provides many features, attempting to emulate an entire desktop. RDP is often treated as an opaque service which just works when the correct ports are open on a firewall. Hopefully this blog stands as a resource for learning about RDP and for understanding RDP's different mechanisms for encryption, client authentication, and transport.
If you don't know whether RDP is being used on your network, you may consider evaluating open source Zeek. If you know you use RDP on your network, you should consider reading our previous blog on mitigating RDP vulnerabilities. To learn more about the solutions Corelight can provide around RDP, contact us.
*** This is a Security Bloggers Network syndicated blog from Bright Ideas Blog authored by Anthony Kasza. Read the original post at: https://corelight.blog/2020/05/13/analyzing-encrypted-rdp-connections/
Analyzing Encrypted RDP Connections - Security Boulevard