NamHB's Blog
RDP Man in The Middle

RDP Man in The Middle

Nam Ha Bach's photo
Nam Ha Bach
·

2 min read

Remote Desktop Protocol ( RDP) is used in most Windows environments. It often vulnerable to man-in-the-middle. You can decrypt session to reveal keystrokes. Today, we will demo this.
Note: Newer RDP version can employ a certificate and TLS encryption, but self-signed certs are often used. And Cain is only tool we know of that can attack RDP ( even with TLS)
We need three systems for yourself:
• RDP server
• RDP client ( victim)
• Attacker ( running Cain on Windows XP)
Note:
• No security suite ( disable firewall)
• Note IP address of each
• Install Cain & Abel, and accept all default except WinPcap

  1. On RDP Server system, create an admin user account:

1 - Create an administrator account
2 – Then add it into Administrators groups
3 – Verify its creation

  1. Enable RDP on RDP server system:

1 - Right click My Computer
2 - Chose Properties
3 – Chose Remote tab
4 – Check “ Allow user to connect remotely to this compute”. Click ok on Confirm Dialog
5 – Click “Apply”
6 – Click “OK”

  1. RDP MitM on Attacker systems

1 – Press the Sniffer button
2 – Select Sniffer tab
3 – Select Host tab
4 – Press the blue + sign
5 – Select the Range radio button
6 – Enter the target IP range
7 – Press OK to perform an ARP scan

Here we see the host on the network at this time. Verify that the client and server are listed here.

We will select the victim client and server to poison:
1 – Select APR tab
2 – Press the blue + sign
3 – Select your taget
4 – Press OK

When you are ready, press the radioactive symbol button ( 1 ) to initiate ARP cache poison.

  1. Victim connect to the RDP server

1 – Run mstsc to start Remote Desktop Client
2 – Enter RDP IP, click Connect and enter the username and password when prompted

  1. On Attacker system:

1 – Click on APR-RDP to see the session(s)
2 – Right click on the filename and chose View to open decrypt file in Notepad

1 – Select Find from Edit menu in Notepad
2 – Enter “key pressed” as the search term
3 – Press Find Next to move through the decrypt keystroke

  1. Clean up

Remove test account on RDP server
------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
All my Lab:
Linux Lab -- window and Cisco Lab
to be continued - I will update more.

Nam Habach