Decrypting RDP packets when using Standard RDP security (not SSL/NLA)

  • Question

  • Hi all,

    I'm trying to debug RDP between 2 Win7 boxes.

    I wanna use RDP Standard security layer for this.

    How can I actually decrypt the data in RDP payloads when no SSL is used?

    Thanks.

    Saturday, December 7, 2013 11:39 PM

Answers

  • Hi, Idan,

    I wrote the “Hitchhiker’s blogs” on decrypting RDP traffic at http://blogs.msdn.com/b/openspecification/archive/2012/05/24/hitchhiker-s-guide-to-debugging-rdp-protocols-part-1-ms-rdpeusb.aspx (and others). But that outlined the technique to decrypt RDP traffic using TLS. Send me mail via “dochelp (at) microsoft (dot) com” if you want me to send the same information in a PowerPoint presentation (and slightly updated).

    There is not a tool that will allow you to debug traffic using RDP “standard” security. You could disable server-to-client encryption by setting (on the server-side, remote system) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel to 1. But that would not satisfy “I wanna use RDP Standard security layer”, but rather, would use no server-to-client encryption.

    Some third-party RDP implementations (rdesktop, FreeRDP, etc.) allow command-line options to disable client-to-server encryption, too. But there is no way to do that using any Microsoft clients (mstsc).

    Bryan S. Burgin, Senior Escalation Engineer, Microsoft Protocol Open Specifications Team

    • Marked as answer by Idan Freiberg Sunday, December 8, 2013 6:24 PM
    Sunday, December 8, 2013 2:11 AM
    Moderator
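The registry change Bryan describes, written up as an added PowerShell example (this is not code from the thread, and it is meant for a lab box only). It reads the RDP-Tcp WinStation values, warns if Group Policy overrides MinEncryptionLevel (the policy key path and the value meanings below are documented Terminal Services settings), backs them up, and then lowers the server-side level. SecurityLayer is set to 0 as well, because the asker wants the standard RDP security layer rather than TLS; the function name Set-RdpLabSecurity and the backup file location are this example's own choices.

```powershell
# Added example, not part of the original thread. Assumes an elevated PowerShell
# on the RDP *server* (the Windows 7 box being connected to).
$WinStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Group Policy "Set client connection encryption level" writes here and wins over the WinStation value.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Documented meanings of the two values this example touches.
$LevelNames = @{ 1 = 'Low (only client-to-server traffic is encrypted)'
                 2 = 'Client Compatible'
                 3 = 'High'
                 4 = 'FIPS' }
$SecurityLayerNames = @{ 0 = 'RDP Security Layer (standard RDP security)'
                         1 = 'Negotiate'
                         2 = 'SSL (TLS)' }

function Get-RdpSecuritySettings {
    $ws  = Get-ItemProperty -Path $WinStation
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MinEncryptionLevel   = $ws.MinEncryptionLevel
        MinEncryptionName    = $LevelNames[[int]$ws.MinEncryptionLevel]
        SecurityLayer        = $ws.SecurityLayer
        SecurityLayerName    = $SecurityLayerNames[[int]$ws.SecurityLayer]
        NlaRequired          = [bool]$ws.UserAuthentication
        PolicyOverridesLevel = ($null -ne $pol -and $null -ne $pol.PSObject.Properties['MinEncryptionLevel'])
    }
}

function Set-RdpLabSecurity {
    param(
        [ValidateRange(1,4)][int]$MinEncryptionLevel = 1,   # 1 = Low: server-to-client in the clear
        [ValidateRange(0,2)][int]$SecurityLayer      = 0,   # 0 = standard RDP security, no TLS
        [switch]$DisableNla                                  # NLA forces CredSSP/TLS, so turn it off too
    )
    $before = Get-RdpSecuritySettings
    if ($before.PolicyOverridesLevel) {
        Write-Warning "Group Policy sets MinEncryptionLevel under $PolicyKey; the WinStation value will be ignored."
    }
    # Keep a copy of the previous values so the box can be restored after the capture.
    $backup = Join-Path $env:TEMP 'rdp-tcp-backup.xml'
    $before | Export-Clixml -Path $backup
    Write-Host "Previous settings saved to $backup"

    Set-ItemProperty -Path $WinStation -Name MinEncryptionLevel -Value $MinEncryptionLevel -Type DWord
    Set-ItemProperty -Path $WinStation -Name SecurityLayer      -Value $SecurityLayer      -Type DWord
    if ($DisableNla) {
        Set-ItemProperty -Path $WinStation -Name UserAuthentication -Value 0 -Type DWord
    }
    Get-RdpSecuritySettings
}

# Usage on the server: show current state, then drop to Low / standard RDP security for the capture.
Get-RdpSecuritySettings
Set-RdpLabSecurity -MinEncryptionLevel 1 -SecurityLayer 0 -DisableNla
```

New connections negotiate with the new values, so reconnect the client (and restart the Remote Desktop Services service if the change does not appear to take). Two caveats match what Bryan says: with Low, only the server-to-client direction shows up in the clear in a capture, since mstsc still encrypts client-to-server, and because this weakens the server for every client that connects, it belongs on an isolated test machine and should be reverted from the backup afterwards.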

All replies

  • Hi Bryan, 

    Thanks for your detailed answer.

    I know the FreeRDP code pretty well, and also rdesktop.

    My problem is I'm not sure about their implementation of the fast-path things.

    I thought it would be better to compare against a real mstsc dump.

    Sunday, December 8, 2013 6:27 PM