
Using Wireshark with xrdp

matt335672 edited this page Sep 12, 2025 · 1 revision

Introduction

In order to use Wireshark to dissect RDP conversations, it is necessary to provide Wireshark with enough information to decrypt the portion of the conversation protected by TLS.

As an introduction to this topic in general, I highly recommend you read Marc-André Moreau's excellent presentation on this subject. If you are interested in obtaining RDP packet dumps from Windows, or most UN*X clients, this presentation contains all you need to know.

Extracting TLS pre-master secrets from xrdp

Versions v0.10.5 and later of xrdp contain support for saving TLS pre-master secrets from an RDP conversation.

To use this support, set the config variable tls_pms_log_file in /etc/xrdp/xrdp.ini to a location which is writeable by xrdp and (optionally) readable by the packet capture tool. If you're using Wireshark, you can configure Wireshark to use the log file on-the-fly to decrypt the conversation. Alternatively, you can inject the secrets into a capture file after the capture has completed.

Wireshark/tshark capture permissions

On UN*X systems, Wireshark and tshark can be configured to allow users of a particular group to capture frames from the network.

The details of this vary between operating systems. A good summary can be found here.

tshark example

  1. Install the tshark package for your distribution.
  2. Find out which group has privilege to run tshark to capture frames. We'll assume it's the wireshark group here.
  3. Add your capture user to the package capture group, wireshark. Log the user out and in again.
  4. Create a temporary directory /tmp/xrdp-pms with the following characteristics:
    • owned by the user running xrdp (normally xrdp), and the wireshark group.
    • permissions of 2750 (i.e. u=rwx,g=rsx,o=)
  5. Check your capture user can see into /tmp/xrdp-pms. When an RDP TLS negotiation has completed, the file premaster.log will be written here.
  6. Edit /etc/xrdp/xrdp.ini and set tls_pms_log_file=/tmp/xrdp-pms/premaster.log.
  7. Start a tshark RDP capture using an appropriate command line. An example might be:
    tshark -i enp1s0 -w rdp.pcap  tcp port 3389
    
  8. Run an RDP session and perform whichever operations you need to capture PDUs for.
  9. Exit tshark with CTRL+C.
  10. Inject the TLS pre-master secrets into the capture file with (e.g.):
    editcap --inject-secrets tls,/tmp/xrdp-pms/premaster.log rdp.pcap rdp-with-secrets.pcap
    
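The following script, added here as an example and not part of the xrdp wiki or the xrdp project, wraps steps 4, 5 and 10 above so the secrets directory is set up and verified before any capture is taken. It assumes xrdp runs as user "xrdp", that the capture group is "wireshark", that GNU stat is available, and that xrdp writes the log in the NSS key-log format that editcap's "tls" secrets type expects.

```shell
#!/bin/sh
# Added example, not part of the xrdp wiki or the xrdp project.
# Assumptions: xrdp runs as user "xrdp", the capture group is "wireshark",
# GNU stat is available, and xrdp writes the log in NSS key-log format
# (the format editcap's "tls" secrets type expects).
PMS_DIR=${PMS_DIR:-/tmp/xrdp-pms}
XRDP_USER=${XRDP_USER:-xrdp}
CAPTURE_GROUP=${CAPTURE_GROUP:-wireshark}

# Step 4: directory owned by xrdp:wireshark, mode 2750. The setgid bit makes
# premaster.log inherit the wireshark group; "others" get nothing, so the
# secrets are readable only by xrdp and members of the capture group.
setup_pms_dir() {
    mkdir -p "$1" &&
    chown "$XRDP_USER:$CAPTURE_GROUP" "$1" &&
    chmod 2750 "$1"
}

# Step 5: refuse to proceed if the directory is world-accessible or has lost
# the setgid bit (a log created without it would get xrdp's primary group
# instead of the capture group and be unreadable to the capture user).
check_pms_dir() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$mode" = "2750" ]
}

# Before injecting, make sure the file really is a key log: every non-blank,
# non-comment line must read "<LABEL> <64 hex client random> <hex secret>".
# A truncated or unrelated file would otherwise be merged silently into the pcap.
valid_keylog() {
    [ -s "$1" ] || return 1
    ! grep -Ev '^(#.*|[[:space:]]*|[A-Z0-9_]+ [0-9a-fA-F]{64} [0-9a-fA-F]+)$' "$1" >/dev/null
}

# Step 10: editcap writes a copy of the capture with a Decryption Secrets Block,
# so the result opens decrypted in Wireshark without any key-log preference.
inject_secrets() {
    valid_keylog "$2" || { echo "refusing to inject: $2 is not a TLS key log" >&2; return 1; }
    editcap --inject-secrets "tls,$2" "$1" "$3"
}

# Usage: xrdp-pms.sh setup | check | inject rdp.pcap rdp-with-secrets.pcap
case "${1:-}" in
    setup)  setup_pms_dir "$PMS_DIR" ;;
    check)  check_pms_dir "$PMS_DIR" && echo "$PMS_DIR: ok" ;;
    inject) inject_secrets "$2" "$PMS_DIR/premaster.log" "$3" ;;
esac
```

Run `setup` as root once, `check` as the capture user before starting tshark, and `inject` after the capture has finished.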

The file rdp-with-secrets.pcap can now be viewed and edited with Wireshark on any platform.
